Whether you've been assigned to build a security operation from scratch or take over an existing operation, you'll need a clear strategy. While this may sound obvious, you’d be surprised how many security operations fail because they have no plan. All organizations are different, so no one blueprint exists on how to build and implement an effective data security program, but I've picked up a few steps over the years that can help you get started.
First things first, know your organization. To plan a realistic security program that gets approval from management, you need to consider how management likes to operate.
OpEx vs. CapEx
Some organizations prefer a monthly payment rather than a discounted annual fee. Others don't have cash flow challenges and prefer to do three-year deals to save on the total cost and translate subscription modules to CapEx. An example of how this directly affects your security program: The balance between the number of security tools and the team size needed to maintain SaaS vs. a software license. Other examples include best of breed vs. all-in-one security platforms and cloud strategy options.
People vs. Technology
The expectation is we'll build our operation as efficiently as possible, which means it’s good whenever technology can do a job instead of a human being. As long as your organization operates well like this, it’s the right approach. Just make sure you don't wind up with 20 different security technologies and not enough people to maintain them. From all the mistakes I’ve seen over the years, the illusion of having security via a heap of technologies is the worst one.
Related Article: How Much Information Security Is Enough?
Know Your Data
The most important thing to protect in your organization is your data. If you can hack into my server, network, endpoint or mobile and don’t have access to my data, I'm protected.
Before implementing any security measure, you should gain full visibility of where and how you process data. It needs to be complete and up-to-date. You can't rely on manual mapping based on the organization’s knowledge, or on the point-in-time mapping of sensitive data. You should own proper discovery tools that give you control of any copy that has been created, regardless of the format or the way it's been transferred between the different network elements as part of the processing flow. You also must make sure that whatever discovery tool you use can map your data assets for you.
Choose the Right Security Tools
Generally, it's easier to buy tools than to find the resources to maintain them. Try to find solutions that can aggregate several layers of security or visibility. They should be as automated and configuration-free as possible. Based on your organizational needs, choose two best of breed solutions, one for the perimeter and one for internal uses. Put in dedicated teams to maintain them in as detailed a way as possible. It will pay off in the moment of truth.
Related Article: Finding the Signal in the Noise in the Security World
Every good security program needs a security operation center (SOC) and incident response processes. But remember, we are not a BI center — we are security experts. Sending an endless amount of log lines to your security information and event management (SIEM) solution and expecting your team to cover all cases based on roles won't work. You need to expect your security tools to give you the bottom line in one line, such as “there is an APT attack on you and here are all the details you need.”
Moving the process of role-building from the SIEM to the security tools without a machine learning engine that can cover things you hadn't thought about won't work either. Ask for proof from your vendors of the existence of capable AI modules. In most cases, I find even the big players talk about machine learning but when you go to details, it's only a set of predefined roles that rely on keywords and regex.
Keep in mind the cloud is also your responsibility. Choose your cloud strategy very carefully since it may limit what you can do with your budget. Good solutions are out there, but many do not scale with your organization from a capability and cost standpoint.
Choose your team wisely, too. You're the boss, but you need them for implementation. If your strategy is not clear to them or they don't believe in it, you will fail. You need to sell the plan to your team as passionately as you do to your managers. They need to understand the logic behind it and feel ownership in building it.
Finally, don't try to do it all at once. In most cases, the fastest path is step-by-step. Always remember certain processes will need to mature over time. Putting more resources will not always speed the implementation, it will just cost more.