Neil Wynne, a senior research analyst with Gartner, offers some advice to midmarket CIOs dealing with the challenge of limited security budgets, a scarcity of skilled security professionals, and limited data protection and monitoring for cloud workloads.
Numbers don’t lie. Total IT security spending per employee has grown from $502 in 2014 to $1,063 in 2017, according to Gartner’s “IT Key Metrics Data 2018: Key IT Security Measures” report released in December 2017.
And yet, according to Gartner senior research analyst Neil Wynne, we’re seeing more breaches than ever before. Incidents at Yahoo, Equifax, eBay, the city of Atlanta, Anthem, and Blue Cross and Blue Shield impacted nearly 3.5 billion individuals.
Even though those organizations all have chief information security officers and large security teams, those breaches put names, email addresses, dates of birth, telephone numbers, encrypted passwords, Social Security numbers, and health information at risk.
Wynne talked about the unique security challenges facing the midmarket at the Midsize Enterprise Summit Spring 2018 event in Orlando.
He posed two questions to the audience at the start of his presentation:
· When is “good enough” good enough?
· How can my organization maintain and incrementally enhance its security posture without breaking the bank?
“Good enough” security isn’t good enough
The notion of “good enough” security is really a double-edged sword, according to Wynne – not reaching “good enough” exposes enterprises to unacceptable risk levels, yet exceeding “good enough” hurts various aspects of business, including budget, IT staff and users.
Indeed, “good enough” security is really different for everyone and is based on your risk profile. It also changes as your IT environment changes.
Wynne recommends establishing an acceptable risk level, which cannot be “zero” or else the business stops. “Making unilateral decisions on security and accepting risk on behalf of the business isn’t part of your job.”
Best of need vs. best of breed
As threats become well-known and the technologies to protect against them mature, Wynne said the management of protection solutions should be operationalized.
As the transition takes place, it often makes sense to take advantage of a converged security platform (whether it’s network-based or host-based doesn’t matter) that’s already providing other types of protection capabilities, even if the incumbent vendor doesn’t provide the “best” possible protection offering for each threat.
Over time, Wynne said “best of breed” is displaced by “best of need,” where your needs not only include appropriate levels of security protection, but also:
· Reduced number of agents
· Reduced number of consoles
· Reduced complexity and subsequent reduction in costs
One example of this shift is anti-spyware, Wynne said. Some organizations needed to quickly purchase tactical, anti-spyware solutions to deal with imminent threats. Other organizations waited.
Eventually, the incumbent antivirus providers responded and delivered their own anti-spyware solutions, typically as part of their converged desktop protection clients. Wynne predicts that early adopters of point solutions will consider switching once the anti-spyware capabilities get to the point where they are “good enough” to satisfy their organizations’ requirements.
“I hear from clients that they have the budget to buy stuff, but they don’t have the people to manage it,” Wynne said.
Threats evolve, so does protection
Wynne showed a graphic with concentric circles that included an outermost attack protection layer, an inner access protection layer, and then policy in the middle.
“Midsize enterprises are overinvested in prevention, and they’re never going to prevent everything,” Wynne said. “There’s no such thing as perfect protection. You really need to start investing in response.”
The good, the bad, the reality
Wynne outlined a list of 12 security “worst practices” that midsized enterprises should avoid:
· Shiny new object syndrome
· Culture of no
· Insufficient focus on users and business requirements
· Defense with inadequate depth
· Organizational misalignment
· Suboptimal branch architecture
· Security blind spots
· Uncoordinated policy management
· Noncompetitive vendor selections
· Hazardous network segmentation
· Inadequate end-user education
· Inadequate security event management
“Even if you need the technology, I would argue there are some vendors that are a better fit for the midmarket,” Wynne said. “Name a technology and I can name vendors that are a better fit than some of the mega vendors.”
He also offered a list of “simple things” in security that midsized enterprises must execute on:
· Vulnerability management
· Internal network segmentation
· Central log management
· Application whitelisting
· Identity and access management
· DNS filtering/monitoring
· Good systems administration
· System hardening
“You have to make the assumption that you’re already compromised. You have to think either you are already compromised, or you will be,” Wynne said. “A lot of this stuff isn’t security. It isn’t shiny object stuff, but it must get done.”
Wynne added that he actually has a much longer list of “simple things,” but “Notice there is no ‘advanced persistent…’ or ‘machine learning’ in here.”
And to the question of why organizations aren’t already performing these best practices, Wynne said, “Patching is hard. Way harder than a lot of security folks think it is.”
Indeed, midsized enterprises are in the unique position of having more vulnerabilities identified than resources available to remediate them. “When you have 100 things to fix, but can only do 10, you’re not going to get to all of them.”
Unfortunately, “It’s an issue of systemic neglect in some cases or it’s just not ‘cool’ enough in others,” Wynne said. “Most marketing and vendors also aren’t focused here. Despite their effectiveness, these things are often at the cheaper end of the scale in vendor price lists and end user budgets.”
Distinguish “nice to have” from “need to have”
There are plenty of security products and systems you can purchase to keep the bad guys out (threat-facing technologies such as firewall as a service, network sandboxing, and security information and event management) while letting the good guys in (identity and access management technologies like cloud multifactor authentication).
“Figure out what your most critical data assets are, and fashion your data controls around them, but remember, not all data needs to be protected. Make sure you allow your employees to be productive, but also that you have controls in place.”