Stop Wasting Your Security Budget on Technology

Don’t get me wrong, I love toys. I’ve had every version of the iPhone since its inception and have, quite literally, a drawer full of the old ones. I also cannot even tell you how many electronic gadgets I have sitting in boxes that I had wanted badly, used once or twice, and eventually packed away after watching them gather dust for months / years on end.

I could start my own eBay with this stuff. Or a museum.

In this context, technology is harmless. Every toy I have is offline, provides no access to sensitive data of any sort, and simply demonstrates that I have more money than sense. Though in truth, I have very little of both.

This becomes a far riskier proposition when organisations throw technology at broken processes, especially when those processes are directly tied to a compliance or regulatory requirement. PCI, for example, has driven technology purchases (both infrastructure and outsourced managed services) like no other regulation before it.

This is because the DSS called for technologies by name: firewalls, anti-virus, intrusion detection/prevention systems, file integrity monitoring and so on. Instead of performing a risk assessment FIRST, most organisations went straight out and spent money on things that likely provide no security benefit whatsoever. It takes significant expertise to extract value from technology.

And no technology related to information security can ever provide benefit unless:

  1. It was purchased to fulfil a properly defined business need (via risk assessment, business impact analysis, and Governance)
  2. It is appropriate for current needs, but can scale for future growth, or scale down in the case of managed services (this speaks to controls selection and vendor due diligence processes)
  3. It was purchased with full understanding of who is responsible for the following, and how they are to be accomplished:
    i.   Installation and integration with established processes
    ii.  Ongoing maintenance and updates
    iii. Monitoring and incident response
  4. It has properly defined metrics to measure its production capability against the originally defined requirements, and those resulting from a changing threat landscape (via vulnerability management and ISMS)
  5. It is constantly baselined against an established ‘known-good’ state. If it’s not simple, it’s not secure. Period / Full Stop.

Think about this another way: every appliance you buy is just a server, with an operating system, running an application, and regardless of how much effort went into hardening that system against attack, the bad guys get smarter every day. Secure today is no indication of security tomorrow (just ask Juniper about their backdoor challenges).

The purchase of any new technology is always the last of these three options:

  1. Examine your business processes to determine whether or not you really need to process / keep the sensitive data in the way you currently do, i.e. can you tokenise, truncate, delete it entirely, outsource it, etc.?
  2. Examine your current infrastructure and procedures to see whether adjustments there can fill the gaps exposed by the risk assessment and gap analysis
  3. Buy an appropriate technology in line with the five prerequisites above.

As much effort needs to go into maintaining current capability with existing technology, and into decommissioning obsolete technology, as goes into buying new capability, and none of these decisions falls outside a properly run security program aligned with business goals.

You really must ask the right questions, or you’ll get what you asked for, not what you need. Security vendors will not help you here; it will be up to you.

If you think I'm wrong, please tell me why!