How Mature is your Organization’s Security Program?
Perimeter defense is dead since there is no longer a perimeter. An organization’s data exists everywhere: on premises, in the cloud, and on multiple devices. Making data accessible from any device and any location in the world allows for maximum productivity, enables business to be conducted from anywhere, and improves customer satisfaction. However, the same data availability has also opened a Pandora’s box of security and privacy issues, increasing the likelihood of sensitive data being accessed by unauthorized users and entities. The proliferation and distribution of data has increased the complexity of data security, and the threat surface is now very broad. An intruder only needs to find one security hole, obtain a privileged user’s credentials, and navigate an organization’s internal network to get access to sensitive data. The defense of the data itself needs to be strong in order to fight against such potential breaches.
Most security practitioners know that network defense is only a deterrence measure and that we should focus more on securing the data, yet what percentage of an organization’s budget is allocated for network, endpoint, and data security? Most organizations today still allocate a larger percentage of their security budget to network and endpoint protection. Part of the reason is that while network and endpoint security are the responsibility of IT and the information security team, data security is the responsibility of the business and the data owner. Awareness of data security requirements among data owners is still very immature. Shared responsibility between IT, the business, legal, and the compliance team means a lack of ownership and of a single point of accountability.
Given that it’s 100 times easier to find a security hole than to patch all of them, a data breach is not a matter of if but when. With this reality, security best practices recommend focusing more on detection and remediation than on prevention and protection, to prepare for the eventuality of a breach. Yet most organizations’ top security spend is still protection and prevention, according to the SANS 2016 Survey report on IT Security Spends, with the second largest allocation going to detection and remediation.
Why do you think that is? Some reasons are:
- Prevention is still necessary. Multiple layers of security do help to at least deter or slow down a breach.
- Continuous monitoring requires discipline and vigilance. Monitoring may also impact systems operations and performance. The most sensitive data is also likely to be in mission-critical applications that require high performance and can’t tolerate any disruption.
- Detection is only as good as its accuracy. Too many false positives are like crying wolf and may result in alerts being ignored, not to mention that there is not enough security operations staff to monitor, decipher, and investigate those alerts.
- Accurate detection is also likely to be very expensive, which means organizations need to pick and choose the most critical systems to monitor.
Survey respondents to the SANS 2016 report cite protection of sensitive data as the top driver for their IT security spend. Still, more focus is needed among security teams and data owners to improve the maturity of their organization’s data security posture and increase their monitoring and breach detection around sensitive data. More collaboration is also required between IT, the security team, and the business to ensure sensitive data is secured properly. Before collaboration can happen, though, more awareness is required among data owners and the various functional teams who handle data.
How mature is your organization’s security posture? Tell us how you define your security strategy and allocate your security budget.