There is no silver bullet that can alleviate all of your information security woes. However, with all of the marketing hype surrounding security products, it’s easy to fall into the trap of believing that purchasing the latest and greatest shiny security product on the market will automatically make your company more secure.
Don’t get me wrong – there are a number of incredibly valuable security tools on the market, but companies need to invest in the configuration, tuning, and maintenance of tools to adequately integrate and receive value from the technology.
Why? Because security can’t be addressed with a tool, marked off a checklist, and forgotten. Security is a process that’s enabled by the tools, policies, procedures, and (importantly) people necessary to ward off would-be cyberattacks. When it comes to evaluating whether to purchase a new security tool for your environment, take some time to:
- Identify current functionality gaps in your environment and the criticality of this capability to your overall state of security. Performing a gap assessment can take some time in a large enterprise environment, but the effort is well worth it. Even if you decide not to move forward with new tools, at a minimum you will have a more robust understanding of the current state of your environment and may even identify soft spots that require focus going forward.
- Consider the risks associated with these gaps and weigh the potential security gains against the costs. Considerations in this exercise include whether the gap relates to a regulatory need, impacts a highly critical business function where an unidentified intrusion could be disastrous (e.g. monitoring systems at a nuclear power plant), or exists in an area where coverage could be considered industry best practice.
- Determine whether existing security tools in your environment can be configured, scaled, or upgraded to cover gap areas. This can be more cost-effective than bringing in an entirely new tool because you have an existing relationship with the vendor, the hardware is already allocated in most cases, and your staff is familiar with these existing tools.
- Moving forward with a purchase? Prioritize the integration of new elements into your security strategy. Rolling out new toolsets can require a long lead time once implementation, configuration, tuning, and user training are factored in. They may also require updates to policies and procedures that are embedded in the way your team and the broader organization operate. Don’t bite off more than you can chew. Be guided by your priorities – protecting your most valuable assets from your highest risks.
Maintaining a robust toolkit is a critical component of meeting your information security objectives, but exercise a healthy amount of caution and skepticism when considering new tools. And when evaluating technology, ensure that it is appropriate for your environment and worth the capital outlay and time necessary to customize it to be effective.