Cyber security and IT executives today are facing unprecedented challenges: new and increasingly sophisticated threats, an ever-growing enterprise “perimeter” that includes large numbers of mobile devices and an increasing number of cloud services, the emergence of new data protection regulations, and a burgeoning Internet of Things (IoT) environment—to name a few.
At the same time, CISOs and CIOs are under pressure to keep costs under control and effectively manage security investments. To get a sense of what security leaders need to be doing in this area, we interviewed Jamie Lee, CIO of Ecobat Technologies. This is the first of what will be a series of interviews with senior security executives.
What are the biggest concerns facing CISOs and CIOs today when considering security investments?
Lee: The biggest concerns center around whether the investment in tools and labor will actually reduce or mitigate the real risk of impact. Companies tend to struggle with quantifying the risk of a cyber event with data and statistics. Enterprise risk committees might only look at risk qualitatively. An experienced CISO will look to quantify the probability of a cyber event as a result of the overall security posture of the organization. That posture could include scoring models, the technology architecture in place, and labor capacity and capabilities before and after an investment is made.
Should security and IT executives deploy both reactive and proactive resources when addressing security risk?
Lee: I think of the cyber security fight in terms of offense and defense. If we can automate the defense, we can spend more labor capacity on innovating around the offense. Software and hardware tools and techniques that automatically identify attacks and respond to them free up cyber security engineers to plan for further risk reduction [through an offensive or proactive approach]. These are investments likely worth making.
What can leaders of smaller security teams, or those stretched to the limit in terms of workload, do to maintain strong security with limited resources?
Lee: Separating the “signal from the noise” is key for a limited capacity team. Your next move in the technology stack can cause your team to have to work more. Therefore, it’s necessary to truly know the volume of workstreams and be led by cyber security measures such as Mean Time To Detect (MTTD) and Mean Time To Repair (MTTR).
What’s the business value of reducing network components, and any suggestions of how this might be done?
Lee: Any reduction in the permutation of devices or nodes is key. The greater the sprawl and open egress points on a network, the wider the scope for identification. That requires more capacity in labor and tools. The cyber security and infrastructure teams have to work closely and collaboratively to achieve the desired, shared outcome for excellence in this regard. Doing so will raise the overall business value and improve business continuity, decrease risk, and reduce costs.
What should organizations do to optimize their security spending?
Lee: There are tools available to help CISOs document a range of where current labor is spent today. The math helps security executives stop and think before injecting another technology investment into the technology stack. By leveraging the results from such a model, a CISO can identify how solution platforms can positively improve a security team’s posture.