When George took over as the CISO of a retail company, IT security was relatively simple. But as the organization has grown — adding online ordering, more employees and a host of cloud-based platforms and technology to support digital business across the organization — so have the security vulnerabilities. Plus, increased attacks and phishing attempts make it difficult to know what security projects to focus on and where to get the most ROI.
“For new security projects, focus on those that can address a high degree of business impact”
“Security and risk management leaders are constantly bombarded with both maintaining existing security projects and bringing forward new projects,” says Brian Reed, Senior Director Analyst, Gartner. “As priorities for new security projects, focus on those that can address a high degree of business impact and also have an ability to reduce a high amount of risks.”
Gartner has identified 10 security projects — in no particular order — for organizations that have already adopted all basic security measures.
Project 1: Privileged access management (PAM)
Privileged accounts (or administrative or highly empowered accounts) are attractive targets for attackers. A PAM project will highlight necessary controls to apply to protect these accounts, which should be prioritized via a risk-based approach. PAM projects should cover human and nonhuman system accounts and support a combination of on-premises, cloud and hybrid environments, as well as APIs for automation.
Project 2: CARTA-inspired vulnerability management
Security teams cannot handle the sheer quantity of vulnerabilities and they cannot patch everything. Therefore, SRMs should focus on a “continuous adaptive risk and trust management” (CARTA) approach to security in which security is adaptive everywhere, all the time. This requires CISOs to establish the business value of IT assets — as agreed upon by business stakeholders — and the risks associated with them, to emphasize the importance of focusing on those assets. Additionally, organizations must understand network topology and any changes to IT infrastructure.
Project 3: Detection and response
Perfect protection options don’t exist, but CISOs should consider detection and response projects. Ask a few questions: How is data gathered and stored to support detection and response capabilities? Does the technology have a wide variety of detection and response features, or the ability to utilize indicators of compromise?
“Thoroughly test any vendor who claims to have artificial intelligence or machine learning capabilities”
If you already have an endpoint protection platform, consider that platform as an option to provide endpoint detection and response. For a managed security services approach, think about a project that would provide information to a managed provider. Make sure to thoroughly test any vendor who claims to have artificial intelligence or machine learning capabilities.
Project 4: Cloud access security broker (CASB)
CASBs provide a control point for visibility and management for organizations that have adopted multiple SaaS applications. Justify this type of project by starting with a cloud application discovery to surface shadow IT. Assess whether the organization has control and visibility of sensitive data used and shared by the SaaS applications. Determine what level of visibility and control you need with each cloud-based service. Enter into short-term contracts that focus on discovery and protection of sensitive data.
Project 5: Cloud security posture management (CSPM)
While cloud services offer high levels of automation and user self-service, nearly all cloud attacks are the result of customer misconfiguration, mismanagement and mistakes. Consider CSPM processes and tools to mitigate cloud risks. If the enterprise only uses one IaaS platform, see if that provider has options for CSPM. If not, make sure the CSPM provider supports the multiple clouds the enterprise is using. Cloud-based CSPM options will be able to make automated changes based on assessment findings, but if the enterprise is already using (or thinking about using) a CASB, the market leaders already have well-developed CSPM options.
Project 6: Business email compromise
A business email compromise project can help security and risk leaders deal with phishing attacks and poorly defined business processes. These projects focus on technical controls as well as organization-specific process breakdowns. Customizable machine learning options can integrate with current email security systems, and security and risk leaders can look to current email security providers to provide these controls, as well as integrate the project with security awareness training and other endpoint protections.
Project 7: Dark data discovery
Before undertaking data center consolidation or cloud migration, embark on a dark data discovery. Dark data is data that offers low value and unknown risk. Reducing the organization’s data footprint not only reduces security risk, but also reduces risk exposure to GDPR and other regulations. Look at data that resides across multiple data silos (e.g., file shares, databases, big data and cloud repositories). Focus on vendors with wide data repository support for all systems where sensitive data is stored.
Project 8: Security incident response
Security incidents require planning, preparedness and an adequate response. This project might focus on updating existing plans or completely reworking the response. Assess your current level of response and where the plan could be improved. Consider an incident response retainer from a provider that offers the flexibility needed to address proactive and reactive tasks.
Project 9: Container security
Developers are increasingly using Linux containers to push digital business capabilities through the development pipeline more quickly, but each of these containers must be screened for vulnerabilities and issues before being put into production. Container security must integrate with common developer tools and the CI/CD pipeline and be used with comprehensive APIs to support a variety of security tools.
Start by scanning for known vulnerabilities and configuration issues, and then extend that strategy to runtime production. More advanced solutions can build a detailed “bill of materials” for each container and compare that to what’s actually being used at runtime to recommend where libraries and code could be removed.
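As an added illustration of the bill-of-materials comparison described above (example code written for this page, not Gartner’s or any vendor’s tool): it reads a constructed CycloneDX-style SBOM, a constructed /proc/<pid>/maps snapshot from the running container, and a placeholder vulnerability feed, then reports which components were never loaded at runtime and which carry known issues. Package names, versions, file lists and the vulnerability id are all constructed placeholders.

```python
import json

# Constructed sample SBOM (CycloneDX-like subset) for one container image.
SBOM_JSON = """{"components": [
  {"name": "openssl", "version": "1.1.1k", "purl": "pkg:deb/debian/openssl@1.1.1k"},
  {"name": "libxml2", "version": "2.9.10", "purl": "pkg:deb/debian/libxml2@2.9.10"},
  {"name": "zlib", "version": "1.2.11", "purl": "pkg:deb/debian/zlib@1.2.11"},
  {"name": "imagemagick", "version": "6.9.11", "purl": "pkg:deb/debian/imagemagick@6.9.11"}
]}"""

# Constructed runtime observation in /proc/<pid>/maps format: shared objects the
# container's main process actually mapped while serving traffic.
RUNTIME_MAPS = """\
7f1a0000-7f1a5000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1b0000-7f1b2000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7f1c0000-7f1c1000 rw-p 00000000 00:00 0 [heap]
"""

# Constructed package -> shipped shared-object basenames (a real tool would take
# this from the image's package database) and a placeholder vulnerability feed.
PACKAGE_FILES = {
    "openssl": {"libssl.so.1.1", "libcrypto.so.1.1"}, "libxml2": {"libxml2.so.2"},
    "zlib": {"libz.so.1.2.11"}, "imagemagick": {"libMagickCore-6.Q16.so.6"},
}
VULN_FEED = {"pkg:deb/debian/libxml2@2.9.10": ["EXAMPLE-VULN-0001"]}  # placeholder id

def loaded_objects(maps_text):
    """Basenames of file-backed mappings in /proc/<pid>/maps text ([heap] etc. skipped)."""
    names = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and parts[5].startswith("/"):
            names.add(parts[5].rsplit("/", 1)[-1])
    return names

def compare_sbom_to_runtime(sbom_json, maps_text, package_files, vuln_feed):
    """Mark each SBOM component as used/unused at runtime and attach known vulns."""
    loaded = loaded_objects(maps_text)
    report = {}
    for comp in json.loads(sbom_json)["components"]:
        files = package_files.get(comp["name"], set())
        report[comp["name"]] = {"used": bool(files & loaded),
                                "vulns": vuln_feed.get(comp["purl"], [])}
    return report

def removal_candidates(report):
    """Components never mapped at runtime: where the image could be slimmed."""
    return sorted(name for name, r in report.items() if not r["used"])
```

A single maps snapshot only shows what was loaded so far; in practice the observation window must cover all code paths before a component is treated as removable.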
Project 10: Security rating services (SRS)
As digital ecosystems increase in complexity, so do security risks. In addition to internal security and risk, security and risk leaders must consider suppliers, regulators, customers, business partners and platforms. Leverage security rating services to provide real-time, low-cost continuous and independent scoring for your overall digital ecosystem. This should only be used as a supplement — it is not a full view, but these services are important innovations. Evaluate multiple vendors against your requirements and ensure that SRS is used as part of the selection criteria.