Security operations · 4 MIN READ · BRUCE POTTER · APR 30, 2019 · TAGS: CISO / Managed security / Planning / Selecting tech / Tools
There’s a dozen new faces at the all-hands, and HR is adding boatloads of new job reqs to the company website every week.
When you’re part of a fast-growing org, security is often left playing catch-up. Maybe you’re still building out your team, or you’re trying to hire just one more full-time employee in addition to yourself to help check off all your to-dos. If this sounds familiar, then it’s time to re-evaluate whether the security tools you’ve got in place today are the right ones for “the new you.”
Before you pour time and money into an assessment, make sure you’ve got some basic tech in place that’ll keep your org’s data protected while you focus on building that longer-term strategy.
I know … that’s sometimes easier said than done. How do you know what kind of tools to invest in? What’s essential and what’s a nice-to-have? In addition to making sure each new tool you invest in will make you and your team more productive and efficient, here are a few tips to consider when thinking about what security tools to keep or buy.
Get the obvious and inexpensive controls in place
Here’s the TL;DR: Don’t overthink it. Talk to some peers and maybe an analyst. Then make some quick decisions. This first step doesn’t need to turn into a lengthy shootout — in fact, the longer you take to get the obvious stuff in place like endpoint security and reasonable remote access controls, the greater your risk becomes. There are a few “absolute goods” that every enterprise should have regardless of whether you’re cloud native or living behind layers of firewalls and surrounded by mainframes. You don’t need a high-priced consultant to tell you that having one unified, fully deployed endpoint protection solution is a good thing.
Know the broad buckets of tools you need
Now that you’ve plugged the big holes, dig down a layer. Ideally you’ve got time (and some in-house expertise) to do a quick NIST CSF self-assessment. That will give you a good gut check of where your big gaps are and where you may be doing better than you think.
Once you get through that assessment, jot down the broad buckets of tools you need to have in place to adequately cover the big gaps you see. I’m not talking about specific products, just the big areas that you need to solve for with some kind of tech. Pay attention to what’ll give you the biggest “bang for the buck” — the places where you can make the most impact on your security posture with the fewest products.
There are five big buckets that come to mind, ranked from most important to “you can worry about this a little later”:
✓ endpoint controls
✓ network controls
✓ identity and access controls
✓ device management tools
✓ data consolidation tools (like a SIEM)
Do you have at least one tool in place already that falls into each of those categories? If so, that’s great. If not, perhaps you can tweak an existing tool to do the trick. If that isn’t possible either, then you’ve got an obvious gap and you should probably focus on making sure you cover that area first before you bring on any more tech.
Now, new technology isn’t always the answer (in fact, it sometimes can make things worse). Be sure to pay attention to areas like third-party risk and supply chain risk where process controls are usually far more effective than throwing a product or service at the problem.
Make sure any new tech integrates with your existing operational controls
Before you go on a buying spree, think about how a new-to-you tool needs to behave in order to integrate with your current operational controls. For instance, if a vendor offers multiple solutions that you can manage as a single unit (I’m thinking of vendors that have unified endpoint and network controls as an example) and you already have one of their solutions, make your life easier and go that route. It may not be the perfect solution, but you’ll likely suffer “death by complexity” way before “death by lousy product.” Your staff is already familiar with the interfaces and management strategies of these systems, reducing the chances that you’re buying shelfware. Once you get the basics of your program in place and generally have the controls you want, then you can start picking better or different solutions to solve specific problems.
From a procurement perspective, keep your contracts short. Now is not the time to lock yourself into a three-year agreement with a service or tool you may want to throw overboard in 12 months.
Pay attention to what will (or won’t) work with your infrastructure
Last but not least, think about your current infrastructure and whether this new tech will work reliably in that environment. For example, do most of your employees use Macs or PCs? If you’re primarily a Mac shop, don’t choose tech that only runs on Windows OS. Make sure whatever you choose runs well across all the platforms your teams use.
Once you’ve figured out the must-haves and can’t-haves from an operational controls and infrastructure perspective, dive deeper into each of those broad buckets of tools I mentioned above. Now start thinking about specific tools you need to add to your stack. For example, tech like network firewalls, web application firewalls, proxy servers and VPN servers, among others, fall under the “network controls” category.
Now that you’ve got some new security tech to add to your tool chest, you’ll rest (somewhat) easier at night knowing that you and your team have the basics covered. That said, there are no perfect tools — so pay attention to how they’re working for your org and whether they’re making your analysts more productive and efficient.
If you’re looking for even more tips on how to evaluate your security tools over time, check out “Get your security tools in order: seven tactics to know.”