
    7 Recommendations for Sustainable Security

    Our recommendations for a more sustainable security approach are as follows:

    • Be proactive about risks
      Adopt an ongoing, sustainable, risk-based approach to Information Security and threat management. Resist the temptation to be driven by vendor and industry hype. Always assess each threat, its impact and its likelihood of occurrence in the context of your own organisation or business, and do so systematically rather than threat by threat. Make mitigation decisions based on prioritised risk, not on how loudly a threat is being marketed.


    • Continuously review likely impacts
      Continuously review where each threat sits on its impact or lifecycle curve. Review your strategy for dealing with these threats, particularly those that are nearing, at or past their peak impact phase, since the appropriate mitigation for a commoditised threat is usually cheaper than the one bought during its peak.


    • Consider the lifecycle
      Consider the threats in the context of your Information System’s lifecycle. If an Information System that is due to be retired is exposed to a threat which will not reach its high impact or peak phase until after that retirement date, it does not make sense to invest heavily in best-of-breed niche mitigation technology for it. Instead, focus on accelerating the retirement of that service so that it is decommissioned earlier in the threat lifecycle, and make sure the retirement actually happens on the revised date; a retirement that slips leaves the system exposed with neither the mitigation nor the exit.


    • Reduce the cost
      Look for opportunities to reduce the cost or impact of the typically more expensive mitigation solutions for threats that are near, at or past their peak. The saving might be in staff time, financial cost or system performance. Look for infrastructure, software, vendor and resource consolidation or overlap opportunities to reduce budget and resource usage.


    • Consider resources
      Review new or emerging higher-impact threats so that the resources freed up from mature, commoditised threats are redirected to where they are most needed, typically to these newer or emerging higher-impact threats.


    • Be agile
      Consider flexible and balanced Information Security budgeting and resourcing models so that your organisation can respond to newly emerging threats to your business, particularly high-risk ones, without waiting for the next annual budget cycle.


    • Measure and report
      Have good reporting, threat intelligence and metrics in place to support your risk- and lifecycle-based decision making.

    With these recommendations taken on board, there’s no reason to be caught out when the next over-hyped security threat inevitably emerges in the new year!

    Sustainable Security: Effectively managing the peaks and troughs of threats

    The battle against cyber warfare

    Between Advanced Persistent Threats (APTs), Advanced Evasion Techniques (AETs) and government- or politically-sponsored cyber warfare, it seems like every three to six months a new Armageddon-style threat emerges. If you were to believe all the hype, often presented by certain media outlets and some of the less responsible quarters of the Information Security industry, each new threat to information systems and digital business would be the end of the world. Unless, of course, you buy their “army” of expensive technology or services for the battle to prevent this slaughter.

    Despite all of these threats, digital business, information systems and technology continue to flourish. They are the key drivers and enablers for the modern and prosperous times that we live in. Why is this when these technological “comets of doom” continue to threaten the digital world we live in?

    Security threats have been around for some time

    New or emergent high-impact security threats have been with us almost since Information Technology began. Before the current crop of threats, there were viruses, Trojans, worms, spam, DDoS and ransomware. Does anyone remember when each of these emergent threats was hyped as the harbinger of doom of its day? Government-, politically- and commercially-sponsored spying and cyber warfare are not new or recent phenomena either; they have simply been brought to the top of the agenda through revelations about the scale on which they are happening, such as WikiLeaks and the mass surveillance exposed by Edward Snowden.

    Threat lifecycle

    In each case, these threats went through, or are going through, a typical lifecycle over time: emergence, then outbreak, rising to a typically expensive peak impact, followed by a sustainable, commoditised phase of mitigation and operation. In each case the Information Security industry produced a management and mitigation strategy, usually comprising some combination of technology, process and people.

    The initial hype phase for these threats has value to organisations and consumers in making them aware of the threat. The ongoing hype really has most value to the companies who are developing or selling the usually expensive technology, to help mitigate the issue.

    [Figure: Sustainable Security: Effectively managing the peaks and troughs of threats]

    Non-sustainable strategy

    • A strategy of ever-increasing security spend as a percentage of overall IT spend, to counter an ever-increasing number of threats, is not sustainable.
    • A strategy of continual ad hoc spend on point security solutions to mitigate every newly emerging threat is also not sustainable. The cost is not only financial: each point solution also consumes skills, staff, incremental infrastructure and, often, system or service performance.
    • A strategy of treating all threats alike, regardless of the risk they pose to the business or their point in the threat lifecycle, is also not sustainable, as it dilutes finite resources and budget across threats that do not merit equal attention.

    The solution is a sustainable security strategy

    A sustainable security strategy recognises how much risk a particular threat poses to the organisation and at which point that threat is in its lifecycle. A CISO employing this strategy balances their “portfolio” of threats according to the current and likely future risk from each of them.

    They make their mitigation decisions by determining if, when and how to implement appropriate mitigation. They rebalance their mitigation solutions and resources, particularly after a threat’s peak impact, seeking lower cost, less management attention and fewer dedicated resources for threats that have become commoditised. This frees up financial and staff budget to tackle relevant threats in the emergent or high-impact phase.

    To help manage convergent peaks from a number of high-risk threats at once, CISOs should employ flexible spending models such as an MSSP or outsourced Security-as-a-Service (often abbreviated SECaaS, not to be confused with Software-as-a-Service), either as a bridge until the preferred safeguard is adopted or as the final solution where appropriate. When used as a bridge, define the exit criteria and the hand-over to the in-house safeguard up front, or the bridge becomes another permanent line item.

    In the second part of this blog we’ll recommend a number of best practice guidelines for a more sustainable security approach.