I was in a meeting recently with the CISO of a Fortune 500 company as he was describing his organization’s 2012 plans, including virtualized architecture roll-outs, mergers, growth in their international operations and the rampant addition of cloud services — among other major network projects. Each of these projects individually creates major network and security architecture changes – the kinds of changes that can shatter operational performance and security policy compliance. Pile them together and you have a recipe for disaster, leading one to surmise this CISO has a stockpile of antacids on his desk.
When asked whether his information security team was going to grow in 2011 to help secure all these new initiatives, the wry answer was: “We get to do more with less.” Doing more with less seems to be a common trend in information security these days, so what’s a security leader to do when faced with the “do more with less” edict?
There are a few key steps that information security executives can take to get the most from their existing security infrastructure, while keeping a keen eye on their network security as they navigate major updates and changes to the network.
Show and tell
The first step is to gain an accurate picture of the network environment as it looks today, using tools that enable executive teams to see the network, visualize threats and quantify risks. By taking this step, information security officers can reduce the chance of service disruptions or security breaches, automate network compliance audits and enhance visibility and oversight of the network management process.
Maximize current investments
Catalogue your current security controls and investments and ensure that they are being used accurately and consistently. For instance, ensure that all of your firewalls are configured properly and all critical vulnerabilities have been addressed. Deal with the known issues proactively to reduce the “what if” stress.
Manage ‘pre-attack’ instead of ‘post-attack’
Once an accurate network topology is completed it must be checked regularly for security gaps and assessed for new threats so that action can be taken before it’s too late. Conducting this step regularly is critical for preventing security breaches, and let’s face it, nothing will send you over budget faster than a breach, and if it’s your responsibility to explain the expense and loss of brand to the board of directors, I hope you also have a supply of antacids on your desk.
Delegate routine security to IT operations
One way to ensure regular network security check-ups are taking place is to link automated security management tools with operational processes, allowing the security team to bake routine security checks into everyday processes. For example, setting up regular audits when configuring a firewall management system, with ticketed alerts to the team when a problem is flagged, saves the time and manpower wasted looking for the problem, ultimately saving time when a formal audit is necessary.
Last, but certainly not least, is to swap funds to more effective technologies, leading to reduced time spent on ‘routine’ tasks that can be automated, enabling them to be performed as often as needed with minimal management time. Avoidance of time wasters that have minimal impact on the security level of an organization is also critical to being able to successfully “do more with less.”
Ultimately it’s up to the C-level executives in an organization to make sure the network security strategy meets the needs of the business, because at the end of the day the topic isn’t just about network security – it’s about business security.