You’re ready to buy that new set of security tools, sure that it will give your security an edge. But before you buy that tech, make sure you’re positioned to implement it.
Any number of companies bought into Network Access Control solutions four or five years ago but forgot to first check that their environments were 802.1x-compatible. After buying the tech, they had to upgrade switches and routers, so rolling it out was delayed and got much more expensive. You don’t want to make that kind of mistake.
I have outlined four steps to help you make sure you are building an organization that is aimed at the future and ready for that purchase, and that you are demonstrating the overall value of your security program.
Step 1: Make sure you’ve aligned security with IT and with the business overall.
- Is your security strategy aligned with where the company’s digital transformation is heading?
- How is your relationship with the chief information officer? Are you even talking? If not, you might start by joining IT planning to help prioritize security items for IT implementation teams.
- Are you engaged in any tangible cost-savings activities? If not, can you help support those activities? In every company I have been in, I tried to find cost savings every year. At some companies it was only a few hundred thousand, and at others much more.
Step 2: Make sure you are aligned to growing regulatory demands such as NYDFS, GDPR or CCPA. Embracing regulatory mandates can help you drive change in the organization. Align with your chief compliance officer or chief privacy officer to see what they need. Better that you get ahead of these and other upcoming mandates — they are a steamroller and heading your way. I recently had a conversation with another CISO after he was told to “own” privacy. Fifteen minutes later, we had a plan of action for him. Here are the topics we touched on, to help you think through your own situation:
- Who do you need to partner with to drive this change?
- What is your strategy for dealing with crossover mandates from privacy or compliance? If you don’t have a strategy, check out the IAPP.org website to keep current on what is happening in the privacy space.
- Have a discussion with your legal team on what laws and regulations keep them up at night. You will find items with which you can help. I work with multiple lawyers daily on items such as contracts and privacy issues, and it really pays off.
Step 3: Make sure you are ready to take that next step by having the basics right.
- How deep is your defense? Is it all working as it should?
- How is your cyber hygiene? Are you current on patches? Not keeping up with patches cost Equifax dearly. Now the company has been ordered by a federal court to spend $1B over five years on info security. Sure, this is one way to get more security budget dollars — for the person who replaces you.
- Do you know where your assets are and how they are configured? If not, are you advocating for better asset or configuration management tools?
- Do you know what your external IP footprint looks like? If you do, have you provided it to IT to help them?
- Do you utilize external ratings organizations? Are you providing forensic information to IT? Are you tracking how you rate against customers and peers? Try sharing this information with the business. It is typically very well received.
Step 4: Ensure that you’re using the tech you already have effectively. Have you inventoried your tools? I know one company that has over 300 tools in its toolkit. Just think about the maintenance dollars and individual constituency groups tied to keeping that many tools functional. Conceivably, you could find budget for that next tool by reallocating maintenance dollars on tools you aren’t using effectively. How much better off would you be if you cut the number of tools you use by 10% and increased your existing tool use effectiveness from 30% to 50%?
At a former company, the CEO changed the fundamental direction of the business. To be a good corporate citizen, I planned to not spend any money beyond keeping the lights on. We made the decision to better utilize the tools we had and drive utilization higher. Funny thing is, it worked. We got more value out of our own tools, looked for additional security features in tools IT had bought, drove tighter processes, and in general had a better handle on our environment.
Those new tools will surely add value. However, when you’re looking to prepare your security group for the future, it’s better to first take a step back and evaluate where you are and where you need to be. If you have helped the company with other activities such as cost savings, shown a willingness to “be part of the team,” and demonstrated both value and actual need, the sales pitch for that new tool or technology will be much easier.