Now that the visibility of information security has grown, information security programs face a new problem: the bonanza of investments that can be made to 'enhance' a security program. With so much money in the pool, there are many vendors doing all they can to encourage the purchase of their product. So how is a company to choose its investments?
The Best Way isn't Always Best
Most people would immediately go to a risk-based system. The logic being, "If I choose the projects which mitigate the most risk, I will make the greatest improvements in my security posture." While this is true, there is a subtle technicality hidden in that statement.
The statement above requires an extremely mature risk program. The risk program must not have any biases. It must cover every area of mitigation (identify, protect, detect, respond, recover, the five NIST Cybersecurity Framework functions) and every method of mitigation (Doctrine, Organization, Training, Materiel, Leadership, Personnel, Facilities and Policy, the DOTMLPF-P categories). It must be tailored to the threats the organization faces as well as to the vulnerable conditions that exist within the organization. It must consider the entire attack path, including the alternate branches an attack might take (coming in the window when the door is locked). It must capture all of these characteristics continuously and across the whole organization. Additionally, none of these characteristics can be biased, because any bias will then be reflected in the acquisitions. While it is possible to have such a risk program, very few organizations do.
The Next Best Way
Absent a perfect risk program, the next best way is Operations-Based Acquisition. In this scenario, we are going to assume our goal is to prevent attacks and that our security operations team is our last line of defense in stopping an attack before it does damage.
The first thing we must do is ensure our security operations team is competent. This means that if the investments haven't been made already, they will need to be made to build the team, develop procedures, and train the team.
However, once the team is established, it will be able to identify the opportunities for investment. Instead of measuring investments by the decrease in risk, we measure them by the increase in the security operations team's efficiency.
We can look to the security operations team to help inform this. When they notice that they are having to deal with attacks from a segment of the network that could be firewalled, we segment the network and the team becomes more efficient. When they notice that they don't find out about attacks until they are widespread, because of a lack of visibility, we invest in IDSs and SIEMs. When we notice human error consuming a lot of the security operations team's time, we increase training. And the beauty is that the use of the security operations team's time is measurable, so the return on the investment can be captured: hours spent per incident category before the investment, hours spent after it, and the difference is the return.
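The measurement described above, as an added worked example that is not part of the original post: it takes closed incident tickets, totals analyst hours by source network segment, by root cause and by how the incident was detected, and then compares two periods to put a number on what a segmentation investment returned. The ticket records, the segment and category names, the hourly analyst cost and the investment figures are all constructed for illustration; the field names and the `Ticket` record are an assumption about what a ticketing system would export, not a real product's schema.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Ticket:
    """One closed incident ticket (hypothetical export format, assumed here)."""
    ticket_id: str
    source_segment: str   # network segment the activity originated from
    root_cause: str       # category the analyst assigned at closure
    analyst_hours: float  # time the SOC spent on the ticket
    detected_by: str      # "sensor" (IDS/SIEM), "user_report" or "external"


# Constructed sample data: one quarter before the segmentation investment.
TICKETS_BEFORE = [
    Ticket("T1", "guest-wifi", "lateral_scan", 6.0, "sensor"),
    Ticket("T2", "guest-wifi", "malware", 10.0, "user_report"),
    Ticket("T3", "corp-lan", "phishing", 4.0, "user_report"),
    Ticket("T4", "guest-wifi", "lateral_scan", 5.0, "sensor"),
    Ticket("T5", "dmz", "web-attack", 8.0, "external"),
    Ticket("T6", "corp-lan", "misconfig", 12.0, "external"),
    Ticket("T7", "guest-wifi", "malware", 9.0, "user_report"),
]

# Constructed sample data: the quarter after guest-wifi was firewalled off.
TICKETS_AFTER = [
    Ticket("T8", "guest-wifi", "lateral_scan", 3.0, "sensor"),
    Ticket("T9", "corp-lan", "phishing", 5.0, "user_report"),
    Ticket("T10", "dmz", "web-attack", 7.0, "external"),
    Ticket("T11", "corp-lan", "misconfig", 10.0, "external"),
]


def hours_by(tickets, field):
    """Total analyst hours grouped by a ticket field, largest consumer first.

    The top entry for "source_segment" is the segmentation candidate, the top
    entry for "root_cause" is the training or tooling candidate.
    """
    totals = defaultdict(float)
    for t in tickets:
        totals[getattr(t, field)] += t.analyst_hours
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def late_detection_hours(tickets):
    """Hours spent on incidents the SOC did not see first through its own sensors.

    A large share here is the visibility gap the post describes, and sizes the
    case for IDS/SIEM investment.
    """
    return sum(t.analyst_hours for t in tickets if t.detected_by != "sensor")


def hours_saved(before, after, field, value):
    """Hours per period no longer spent on tickets matching field == value."""
    spent = lambda ts: sum(t.analyst_hours for t in ts if getattr(t, field) == value)
    return spent(before) - spent(after)


def first_year_net(hours_saved_per_year, hourly_cost, one_time_cost, annual_cost):
    """Net first-year return of an investment, valued at the SOC's loaded hourly cost."""
    return hours_saved_per_year * hourly_cost - annual_cost - one_time_cost


if __name__ == "__main__":
    for field in ("source_segment", "root_cause", "detected_by"):
        print(field, hours_by(TICKETS_BEFORE, field))
    print("hours on incidents not caught by sensors:", late_detection_hours(TICKETS_BEFORE))
    saved_per_quarter = hours_saved(TICKETS_BEFORE, TICKETS_AFTER, "source_segment", "guest-wifi")
    # Assumed figures: $120/h loaded analyst cost, $8,000 firewall change, $1,000/year upkeep.
    print("first-year net of segmenting guest-wifi:",
          first_year_net(saved_per_quarter * 4, 120.0, 8000.0, 1000.0))
```

The same three groupings map directly onto the three interventions in the paragraph above: the segment that tops `hours_by(..., "source_segment")` is the firewalling candidate, `late_detection_hours` sizes the visibility problem, and a root cause such as human error topping `hours_by(..., "root_cause")` is the training candidate. Because every figure comes from ticket time, the before/after comparison is the return on the investment, with no risk model required.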
Is it perfect? No. Is it quick, easy, and useful? Yes! And it is certainly better than simply buying the newest tool based on the newest report of evil hackers. It is measurable and it is needs-driven. All in all, a good approach.