We’re entering a world of deepening complexity and far vaster breadth when it comes to security for the modern enterprise. With companies integrating legacy data centers, manufacturing facilities, and networks with the cloud and the Internet of Things (IoT), all connecting to an uncontrollable mass of independently governed endpoints, CIOs and CISOs face a constant challenge of trying to decide what to protect and how to protect it.
When thinking about how companies should choose to spend their security dollars, I find the framework created by the National Institute of Standards and Technology (NIST) to be a great guide, although many security professionals also rely on ISO 27001. The NIST framework offers five main functions companies need to be able to address in their approach to cybersecurity: 1) Identify; 2) Protect; 3) Detect; 4) Respond; and 5) Recover. Within this excellent taxonomy of security capabilities, categories like asset management, risk management, and governance sit under the Identify function; access control, maintenance, and data security fall under Protect; and continuous monitoring and anomalies and events fall under Detect. Respond includes response planning, communications, and mitigation, while Recover includes recovery planning, improvements to systems and procedures, and the communications carried out in the wake of an attack.
I highly recommend keeping that framework in mind as you approach decisions about your security spend, but it’s crucial to note that it doesn’t address how to balance your spending across those categories and functions. Yet, the question of how to spread your limited dollars and resources over these categories to ensure your business is as protected as possible is paramount for today’s corporate landscape.
The NIST framework does provide some focus on portfolio analysis, covering both the assets you need protected and the security controls used to protect them. This focus is mainly in the framework’s Risk Assessment section, which offers guides for such things as system security plan development, contingency planning, conducting risk assessments, and mapping information types to security categories, to name just a few. The NIST framework, like other structures of its kind, helps companies organize a holistic approach to security. But the portfolio and product analysis framework needs more fleshing out, which is part of the reason for this series of articles. It’s also important to remember that even with a strong security portfolio, there still need to be security officer(s) matching the needs of the business to the framework and the available technologies. In this series we focus primarily on the analysis of technology products. It is vital to remember that a fully realized vision for security must integrate people, process, and technology products; we are assuming that the people and process aspects are being designed just as carefully, in combination with the analysis of technology products.