Our recommendations for a more sustainable security approach are as follows:
- Be proactive about risks
Adopt an ongoing sustainable risk-based approach to Information Security and threat management. Resist the temptation to be driven by vendor and industry hype. Always assess the threats, their impact and likelihood of occurrence in the context of your organisation or business in a systemic way. Make mitigation decisions based on prioritised risk.
- Continuously review likely impacts
Continuously review threats as to where they are at in their impact or lifecycle curve. Review your strategy for dealing with these threats, particularly ones that are nearing, reaching or past their peak impact phase.
- Consider the lifecycle
Consider the threats in the context of your Information System’s lifecycle. If an Information System is at risk from a threat that is due to be retired before the high impact or peak threat phase, then it does not make sense to invest heavily in best of breed niche mitigation technology. Instead, focus on accelerating the retirement of this service so that it leaves earlier in the threat lifecycle.
- Reduce the cost
Look for opportunities to reduce the cost or impact of typically more expensive mitigation solutions for these near peak, peak or past peak threats. This opportunity might lie in resource, financial costs or performance. Look for infrastructure, software, vendor and resource consolidation or overlap opportunities to reduce budget and resource usage.
- Consider resources
Review new or emerging higher impact threats so that your resources are used where they might be needed typically for newer or emerging higher impact threats.
- Be agile
Consider flexible and balanced Information Security budgeting and resourcing models to enable your organisation to deal with newly emerging threats that are a risk to your business, particularly for high risk threats.
- Measure and report
Have good reporting, intelligence and metrics – in order to facilitate your risk and lifecycle based decision making.
With these recommendations taken on board, there’s no reason to be caught out when the next over-hyped security threat inevitably emerges in the new year!