CenturyLink helps hundreds of businesses and government agencies manage their cybersecurity programs. In the process, we have noticed a consistent theme: Even well-trained, thoughtful security professionals can occasionally miss the big picture. In particular, there can be an instinct to spread defenses too thin. As we note in our new white paper, Moving to a More Efficient Cybersecurity Strategy, this approach leads to unnecessary risk exposure. To quote the famous military commander, Frederick the Great, “He who defends everything defends nothing.”
It is never optimal to try to secure every single business or IT asset at the same level. The essence of risk management is to recognize that perfect protection is nonexistent. It’s a resource issue, of course. There isn’t enough money or time to mitigate every risk. Risks are managed, never totally eliminated. Even when security budgets grow, the challenge is to recalibrate your plan to ensure that you’re planning and budgeting as threats and business requirements evolve. This is a big problem for most organizations. In fact, in a survey of attendees at a recent Black Hat event, security pros said they don’t believe their company’s top three priorities for security spending are the right ones. Defense strategies and plans require some reworking. This blog discusses approaches to prioritizing spending that appropriately balance risk with cost in order to support business objectives.
Shifting Threats and Perimeters
It seems that every week brings a new report of a malicious actor brazenly raiding some of the best known, best-funded organizations in the world. Security incidents are up 38% year over year, according to PwC. Scary times. In your department, you’re likely fending off spear phishing, ransomware and distributed denial of service (DDoS) attacks.
It’s not just the new threats that are coming your way. Your perimeter has also changed. It used to be that the firewall and the corporate network defined the boundaries of your enterprise. Whatever sat inside the firewall was inside, whatever sat in the “DMZ” was in the “DMZ,” and so forth. This is no longer the case in any meaningful way. Now, we have blurred perimeters. Your business and IT assets are distributed across multiple on-premises, colo, hosted private cloud and public cloud environments. Where your organization ends and the outside world begins is not so easy to see anymore. Contractors and vendors blur the boundaries of access controls.
Your organization may also be sharing data with external third parties, to whom you provide programmatic access through standards-based application programming interfaces (APIs). Mobile and the Internet of Things (IoT) further distort the perimeter. For example, when a user of a mobile app developed by one of your partners accesses your back-end systems through an API, will you know what kind of security is on his or her device?
What Used to Work
The threats and blurred perimeter put strain on your security budget. Every countermeasure and control should be assessed for its utility. Take a hard look at whatever you’re doing and evaluate whether it’s money well spent. You may be over-defending in one area while exposing yourself elsewhere. For instance, what if you’re focusing on Data Loss Prevention (DLP) while neglecting patching? Patching is basic, yet CERT estimates that 85% of targeted attacks exploit unpatched vulnerabilities. Those attacks are preventable, but if you dilute your focus, you might miss them.
The New Business Impact Heat Map
Where should you allocate scarce security resources? The Business Impact Analysis (BIA) offers a sound way to identify the risks that carry the greatest potential business loss. It is now necessary to add on to the traditional heat map, shown in the figure. The heat map adds a score for a security incident’s likelihood to a score for its actual impact on the business. The higher the number, the “hotter” the risk. The hottest risks should get the biggest share of the budget.
Now, it is necessary to factor in “heat” for new types of risks, such as those created by the increased integration of applications. Whereas before, an ERP system outage might have had a contained impact on the business, the ERP may now be connected to numerous other systems, so an ERP outage will have a much higher impact. An updated, more realistic heat map enables you to be more accurate in your allocation of security resources.
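As an added illustration (not code from the white paper or from CenturyLink), the Python sketch below scores assets the way the updated heat map does: an asset’s impact is raised to that of everything integrated with it, so the ERP in the text heats up once order management and the storefront depend on it. The additive likelihood-plus-impact scoring, the 1-5 scale and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    likelihood: int            # score for how likely a security incident is
    impact: int                # score for the standalone business impact of an outage
    depends_on: list = field(default_factory=list)  # assets this one needs to operate

def effective_impact(assets, name, visiting=frozenset()):
    """Impact of losing `name` once integration is considered: an outage also takes
    down every asset that depends on it, so the score is raised to the highest
    effective impact among its dependents (the ERP case in the text)."""
    asset = assets[name]
    if name in visiting:               # guard against circular dependencies
        return asset.impact
    visiting = visiting | {name}
    dependents = [a.name for a in assets.values() if name in a.depends_on]
    return max([asset.impact] + [effective_impact(assets, d, visiting) for d in dependents])

def heat_score(assets, name):
    """Heat = likelihood + effective impact (additive scoring is an assumption)."""
    return assets[name].likelihood + effective_impact(assets, name)

def standalone_heat(assets, name):
    """The traditional heat map score, ignoring integration."""
    return assets[name].likelihood + assets[name].impact

def rank_by_heat(assets):
    """Hottest risks first: the order in which budget should be allocated."""
    return sorted(assets, key=lambda n: heat_score(assets, n), reverse=True)

# Constructed sample inventory; the 1-5 scores are assumptions, not figures from the text
ASSETS = {a.name: a for a in [
    Asset("erp", likelihood=3, impact=2),
    Asset("order-mgmt", likelihood=2, impact=4, depends_on=["erp"]),
    Asset("ecommerce", likelihood=4, impact=5, depends_on=["order-mgmt"]),
    Asset("hr-portal", likelihood=3, impact=2),
]}

if __name__ == "__main__":
    for name in rank_by_heat(ASSETS):
        print(f"{name:12} traditional={standalone_heat(ASSETS, name)} "
              f"updated={heat_score(ASSETS, name)}")
```

On the sample inventory the ERP moves from a traditional score of 5 to an updated score of 8, overtaking order management even though its own outage impact is low.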
The CenturyLink Approach
CenturyLink can help you allocate your security resources with greater efficiency. If you feel that you do not have the time, personnel, tools or resources to mitigate all of your high-impact risks, we can help. Our security services, honed over years working with some of the world’s largest enterprises and governments, are designed to give you capabilities that would be difficult to create in-house. We offer the security advising and services needed to fill the gaps and help strengthen your security posture.