Don't Shop Hungry for Security

Don’t Rush to Satisfy That Hunger Until You Can be Sure of What You Need...

Pressure to make new investments in security can hit without warning these days. You can find yourself with a mandate to get more security because of a breach, a change in corporate priorities, or some painful event at a competitor or partner. If you find yourself in this situation, don’t let the pressure push you into irrational behavior. As the saying goes, don’t shop when you’re hungry. If you do, you’re likely to end up with things you don’t need. Instead, take your time, build your list, and know what you’re getting and why.

Here are three impulse buying mistakes to avoid that can actually undermine your security while simultaneously depleting your resources.

Buying Impulse #1: “I’ll buy this because something is better than nothing.”

When you have a real security problem that you can improve with attention and investment, taking the shortcut of doing something easy that is “better than nothing” puts you into a more dangerous position than you were before. Burning through an investment like that means you’re wasting valuable political capital, and when it comes time to invest in a solution that actually does solve the problem it will be even more difficult to justify the expense.

If you feel pretty good about your security before you are asked to invest more, then you have time to do the right thing. Make sure any investment you make will have the kind of impact that you think is most important to your goals.

Buying Impulse #2: “I’ll pile more protection on my high-value assets.”

When risk assessments are performed, the most important element is the characterization of your assets, their value, and the threats they are under. The same critical resources, like servers, databases, and websites, are continually found to be of highest importance, so they are always prioritized for investment. In most organizations, this results in an uninterrupted flow of time and money to these assets, even though they are likely to be the best protected already.

Before you stumble down this well-worn path, take a moment to create an additional weighting factor such as the amount of protection already being applied. You will find that other assets, like departmental applications or the often-ignored user systems, present the most danger, in part due to this lack of attention. These kinds of assets get deprioritized, but remember, corrupted systems and uninformed users have the connections and credentials that weaken your other security investments.

Buying Impulse #3: “More information is always better, so I’ll collect some more.”

People believe that breaches are inevitable. As a result, there is a current emphasis on information gathering and analysis. Security Information and Event Management (SIEM) platforms, cloud-based analytics, anomaly detectors, the list goes on. They are all focused on faster breach detection, new threat identification, and incident response. As very public breaches have shown, choosing to invest in more data will do very little to improve your security unless you can actually use it.

Make sure any new information gathering you do fits within processes you already use, and confirm you will be able to make sense of the type and volume of information that you are thinking of gathering. Passively gathering information may seem pretty innocuous, but more is not better when the “more” can drown you or expose you to liability when you miss alerts in the stream.

Shop Smart

Avoid these mistakes and the security bloat that they will create by filling up on your own requirements before you step out into the market. Spend a little time to create a list of options to choose from, and factor in the real appetite that your management will have for the actual implementation of the solutions you choose to consume.

Security sorely needs more investment in time and money. Don’t rush to satisfy that hunger until you can be sure of what you need.

Jack Danahy is co-founder and CTO of the endpoint security company Barkly. A 25-year veteran in the security industry, he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.