NTT Security not only has insight into the types of events that occur in its clients' environments, but also sees how the CSOs, CISOs, and CIOs responsible for protecting those assets respond. From our unique position, we are able to evaluate what works for different organizations and what doesn’t.
We are also able to observe how these leaders approach data and asset protection from a very operational perspective. Seeing these different approaches on a day-to-day basis gives us a unique understanding of what technologies and roadmaps actually work and, importantly, which do not.
One consistent observation is clear: “if you do not plan it, it will not happen, or it will not happen with great success”. What do I mean by that? Well, one of the greatest failures we see is that organizations do not realize that securing their data requires both tactical (short-term, 1-3 years) and strategic (long-term, 3-5 years) planning with financial backing and true executive support. Becoming secure is something that must be part of the culture and mindset of those responsible for it.
Here are my top four reasons organizations are failing to protect data and assets:
1. Organizations focus on a tool or product-based approach to security.
2. Budget for security is considered a year-to-year task, and the security capability is tied too closely to what is approved in the budget.
3. Mitigating risk via security controls is considered a case-by-case evaluation as opposed to a long-term plan.
4. CSOs or CFOs do not understand that a long-term plan can reduce cost by making the organization more secure.
My three steps to help shift the security paradigm:
1. Before investing in the next hot tool or product on the market, do the following:
- Look at what your risk and annual loss expectancy are. Does buying a solution still make sense?
- Check to see if the solution maps to your tactical and strategic plan.
- Review your existing capabilities to make sure they are fully leveraged.
2. Reflect on your long-term vision of security for your organization and plan around it.
- Stop budgeting for security year-by-year. Sure, there are things you will need to do on an annual basis, but even those should support the long-term vision.
- Develop your tactical and strategic plans and determine what budget forecast is needed to support the plan.
- Be smart about the financial aspects of security and speak to your CFO with his view in mind – money.
3. Partner with your CFO and make it clear that security is an investment.
- Properly spent budget should reduce losses and the cost of security over time.
- Mitigating losses over time saves the organization money if properly evaluated with a risk assessment.
Although many of these concepts are simple to understand in theory, we still see organizations fail to carry them out. There is a time to think about the day-to-day operational aspects of security and to do them right. The long-term vision of a true security plan, however, will help to mitigate losses over time.