Cyber security remains a point of consternation for organizations of all sizes—with more than three-quarters of companies admitting that they only increased their cyber security budgets after they had experienced a major data breach. From the outside, it’s obvious that the best time to put your resources into securing your data, your applications, and your endpoints is long before any security incident has the chance to take place, but CIOs and CFOs often can’t get on board with what they see as large expenditures with a dubious chance of ROI.
What many corporate decision-makers fail to see when cyber security comes up is that, with the right solution, you don’t have to tie your ROI calculations to staving off data breaches and nothing else. On the contrary, the right solution can help you to improve your time-to-market, prevent disruptions related to legacy IT and difficult-to-remediate bugs, and create better alignment between different touchpoints in the development cycle. The only question is how to find the right solution to make those positive drivers of ROI possible.
1. Be Proactive
If you’re looking at this article and you haven’t just been subject to a data breach, you’re already doing a good job of being proactive. At the same time, you need to make sure to follow through. To figure out the features and elements your cyber security operations should have, you need to think about your company’s structure, its long- and short-term goals, and your vision of its transformation over time. In other words, you’ve got to plan for the business you want, not for the business you’ve got. If you wait until a catastrophic security incident, you’ll wind up scrambling to put a system in place that specifically addresses the new security flaws that you’ve just unwillingly discovered—meaning that in all likelihood you’ll be taking a reactive, potentially short-sighted approach to your selection process. Sure, any cyber security deployment should be accompanied by some degree of urgency, but if you can sit down to define your needs in a moment where that urgency is at a minimum, you’ll have a much easier time taking the long view and prioritizing long-term ROI.
2. Assess Your Threat Model
As we get through our suggestions on this list, we’ll make a point of highlighting the areas where the right cyber security solution can actually add strategic value for your operation. Before we dig into those areas more fully, however, we do need to talk about threat models and attack surfaces. Ask yourself:
- What is the general risk model for cyber security in your industry? If you’re in banking, for instance, you’ll need to think about things like wire fraud and SWIFT fraud; for healthcare, you might be more concerned with ransomware or DDoS attacks.
- What does your current IT environment look like? Is your company using legacy applications that have the potential to increase your overall security risk?
- What does the remediation process look like at your company? When you find a security vulnerability, how long does it take to cover and/or resolve the issue?
- How well are your personnel trained on web application security issues? Are your employees likely to be taken in by phishing emails? Do your developers consider security when writing code for your various applications?
The answers to these questions should tell you a lot about what kinds of attacks you’ll need to defend against and what sorts of systems you might need to put in place. This is an area where it might even be useful to talk to an outside consultant who can give a clear-eyed assessment both of how prepared you are to stave off cyber attacks and how well security is integrated with other workflows.
3. Create Alignment Between Cyber Security and Other Initiatives
Speaking of integrating security with other workflows: once you have a handle on your threat model, it’s time to think beyond merely preventing attacks and consider the ways in which your cyber security solution can add value to your other business areas. This, too, will depend on the answers you gave to the questions above. For instance, if you’re working with a lot of legacy IT, you could look out for solutions that can cover the security flaws in these systems without forcing you to replace them. In this way, you can align your long-term IT goals with your immediate security concerns. By the same token, if you have a big product release on the horizon and you’re concerned about resource usage, you should look for solutions that increase your overall amount of freedom: this might take the form of application shielding capabilities that protect your system from known vulnerabilities so that you don't have to scramble to remediate, a managed service that frees up your resources for more valuable tasks, or even a combination of the two.
Again, you’ll need to take stock of what’s happening within your enterprise: What are your top strategic goals for the next year, two years, five years, etc.? What are the top causes of delay that you’ve been encountering as you try to release new applications or update old ones? If security concerns are delaying your time-to-market or hampering your developers, you’ll want to adopt a solution that can integrate seamlessly into existing workflows to support your DevOps team. By the same token, if you’re hoping to create an integrated DevSecOps team to drive smarter development projects, something that frees up your resources while covering known security vulnerabilities is an absolute must.
4. Gauge Your In-house Capabilities
In the section above, you may have noticed that we brought up the possibility of implementing a managed cyber security solution, rather than trying to manage everything in-house. That’s not just idle talk—on the contrary, for businesses that don’t have robust security operations of their own, or that don’t want to spend their person-power on security software maintenance (web application firewalls, for instance, are notoriously fiddly to set up and maintain), a managed service can be an excellent way to create the exact sort of strategic alignment that we discussed above. And, of course, most businesses are fairly likely to fall into the “insufficient internal resources” camp when it comes to robust cyber security operations. To wit, a recent study found that only 30-40% of companies (depending on size) actually had a security operations center. If you’re part of that 30-40%, a managed service might be redundant, and you might be better off seeking out a solution that you can manage on your end.
For the other two-thirds of businesses, you’ll have to consider how easy or difficult it would be to ramp up to a point where you could handle all of your security needs in-house. The list of competencies you’ll need to cover in this department can include any number of things:
- Incident response/detection
- Penetration testing
- Security audits
- Security training and education
- Remediation for vulnerabilities
- Solution maintenance
On top of this, you’ll need to retain a responsive posture by keeping up to date on all the latest CVEs, staying current on threat models and technology, and reevaluating your own technologies and best practices so that they don’t go out of date. Frankly, this is an area where an outside partner whose sole focus is cyber security can be helpful even if you already have a SOC. In this way, you can augment your own capabilities to maintain real-time protection.
Of course, you could take the time and effort to hire, onboard, and train new personnel in order to develop those capabilities and keep them current—whether that’s immediately or in the long term. At the same time, talent is often hard to come by these days, and once you’ve developed strong security expertise it can become difficult to scale up or down as your needs change.
Whatever route you’re interested in, you’ll need to determine:
- What your current cyber security capabilities are;
- How those capabilities align with your other corporate goals;
- What level of capacity and competency you’d like to have in-house;
- What steps you would have to take to get from where you are now to where you’d like to be, and how cost-effective that process will be in the short, medium, and long term.
Once you’ve gone through this exercise, you might be surprised to find that you’d actually be better off devoting your existing security resources to collaboration across different functions.
5. Identify Quick Wins
No matter what approach you take when it actually comes to choosing a solution, getting buy-in from other stakeholders is going to be a key part of the process. Whether you’re trying to get your CFO on board with the costs of a managed service or you’re trying to convince your CISO that you can actually improve security overall by giving SecOps the leeway to act as more of a collaborator with your other developers, you’ll want to have some way of immediately displaying value and giving others an idea of how your cyber security solution can help the business going forward. This might be as simple as demonstrating how much time you can save by ditching your WAF and using an application shielding solution instead. Or, it might mean demonstrating the savings in time and resources you can achieve by covering the known vulnerabilities in your legacy applications. Or you might choose a solution that condenses HTTP traffic in such a way that it immediately speeds up your web apps.
Whatever quick wins you’re able to find, make sure they, too, mesh with your larger strategies. In this way, you can establish your cyber security practices as a tool for meeting longer-term goals, rather than an expensive albatross that slows down your development cycles. Once you’ve clearly demonstrated this fact to other key stakeholders, getting more sustained buy-in for your cyber security implementation will be a breeze. Instead of slow and grudging acceptance of changes that seem like a hassle, you can drum up real enthusiasm for a time- and labor-saving solution.