There is nothing easy about security operations. In many cases, CISOs are confronted by an excessive number of manual processes, numerous disconnected tools, and a shortage of talent possessing the right skills. However, the increasing number of widely publicized breaches, the growing complexity of regulations pertaining to the protection of personal data, and the uptick in ransomware and doxware attacks have made members of upper management acutely aware of the dangers posed by inadequate security.
Therefore, executives have become more willing to approve spending on security operations. Unfortunately, the increased spending has often not provided the type of returns that CEOs and CFOs expect. As a result, CISOs are being asked to provide proof that the money spent — or that they are asking to be spent — will lead to greater effectiveness, more efficient operations, and better results when the organization is attacked.
If calculating the return on a security investment were as simple as predicting the ROI of a new piece of equipment, the task would be straightforward. However, security operations deliver both tangible and intangible benefits, which complicates the calculation. For example, if the goal is to decide whether automation would improve incident response, it is relatively easy to measure the ROI in terms of analyst wages saved. It is far less straightforward to quantify the benefits of potentially lowering employee turnover, boosting productivity, or reducing the stress levels of security analysts.
Assigning a dollar value to a company's reputation, stockholder perception, or customer confidence can be tricky as well. Fortunately, when it comes to enhancing security operations while also increasing ROI, there are some steps that CISOs can take to achieve their goals. Consider following these 10 best practices:
Articulate the Purpose
First, articulate the security investment's purpose clearly: what will be accomplished, and why those accomplishments matter. This helps decision makers judge whether the proposed initiative will be worth the money, time, and effort being requested. Securing the support of non-technical C-suite executives by clearly articulating the goals of the initiative can help ensure success.
Dovetail With Other Projects
Second, look for opportunities to enhance security operations as an add-on to other projects. For example, if the IT department is planning to upgrade the network to support VoIP, see if the project to upgrade the security network could be performed as an add-on to the IT project. This reduces the cost — compared to having two separate projects — and increases the ROI on both projects. Naturally, security risks may make it impossible to delay a project, but unless the need is immediate, incremental additions to other planned projects are often feasible.
Automate and Orchestrate
Third, strive for security orchestration and process automation. The current threat landscape is vast, complex, and constantly changing. Even a well-staffed SOC cannot keep pace with the number of alerts, especially with the ever-increasing number of duplicates and false positives. Use automation for threat hunting, investigations, and other repetitive tasks that consume too much of the analysts' time.
Create an Integration Plan
Fourth, create a SOAPA (security operations and analytics performance architecture) integration plan. Consolidate security technologies, reduce the number of vendors, and build a platform that unifies the tools for detection and response across a common platform architecture.
IT and Security Synergy
Fifth, tear down the walls between IT and security operations. Often, IT and security teams pursue different goals and use different tools to fulfill their missions. Improve collaboration, for example by using SOAPA, to enable data sharing, task prioritization, and process automation.
Adopt Advanced Analytics
Sixth, adopt advanced analytics. Machine learning and artificial intelligence are delivering truly innovative solutions. CISOs need to research these two fields carefully to determine which analytics tools are the best fit for their organizations, taking into account the company's strengths and weaknesses when it comes to skills, personnel, and risks.
Take Small Steps
Seventh, be willing to take small steps whenever necessary. Instead of insisting on an "all or nothing" approach, consider pilot projects to prove the benefits and costs associated with an initiative.
Go Beyond Compliance
Eighth, be able to communicate the difference between compliance and security. Too often, CEOs and other decision makers believe that the organization is secure if it is in compliance with industry regulations. However, regulations change frequently to react to new threats. When new regulations are written, it may be several months before organizations must comply with them. In the meantime, organizations can be in full compliance, but they can still be vulnerable to attacks.
Be Honest
Ninth, honesty is always the best policy. CISOs who oversell a new technology, for example, and then discover that it is more expensive and less effective than expected, risk having their credibility challenged in the future.
Measure and Course-correct
Tenth, put the right metrics in place to measure progress. Based on those metrics, periodically decide whether to change the strategy or stay the course. This creates a feedback loop for every cybersecurity strategy.
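As an added illustration of the metrics feedback loop described above (this is example code written for this edit, not code from the original post or from Demisto), the script below computes a handful of common SOC metrics from constructed incident records and compares two review periods. The record fields (`first_seen`, `detected`, `contained`, `auto_triaged`, `true_positive`), the period labels, and all timestamps are assumptions made for the example.

```python
"""Compute SOC progress metrics from incident records and compare two periods.

Added example for the 'Measure and Course-correct' point; not from the original
post. All incident data below is constructed sample data, not real incidents.
Metrics:
  mttd_hours          mean time from first malicious activity to detection (true positives only)
  mttr_hours          mean time from detection to containment (true positives only)
  automation_rate     share of alerts whose initial triage was automated
  false_positive_rate share of alerts that turned out not to be real incidents
"""
from datetime import datetime
from statistics import mean

# Constructed sample incidents for two review periods (hypothetical data).
INCIDENTS = [
    {"id": "INC-1", "period": "Q1", "first_seen": "2024-01-03T08:00:00",
     "detected": "2024-01-04T10:00:00", "contained": "2024-01-04T16:00:00",
     "auto_triaged": False, "true_positive": True},
    {"id": "INC-2", "period": "Q1", "first_seen": "2024-01-10T00:00:00",
     "detected": "2024-01-10T12:00:00", "contained": "2024-01-11T00:00:00",
     "auto_triaged": False, "true_positive": True},
    {"id": "INC-3", "period": "Q1", "first_seen": "2024-01-15T09:00:00",
     "detected": "2024-01-15T10:00:00", "contained": "2024-01-15T11:00:00",
     "auto_triaged": True, "true_positive": False},
    {"id": "INC-4", "period": "Q1", "first_seen": "2024-01-20T06:00:00",
     "detected": "2024-01-20T12:00:00", "contained": "2024-01-20T18:00:00",
     "auto_triaged": False, "true_positive": True},
    {"id": "INC-5", "period": "Q2", "first_seen": "2024-04-02T08:00:00",
     "detected": "2024-04-02T10:00:00", "contained": "2024-04-02T13:00:00",
     "auto_triaged": True, "true_positive": True},
    {"id": "INC-6", "period": "Q2", "first_seen": "2024-04-09T00:00:00",
     "detected": "2024-04-09T04:00:00", "contained": "2024-04-09T09:00:00",
     "auto_triaged": True, "true_positive": True},
    {"id": "INC-7", "period": "Q2", "first_seen": "2024-04-16T09:00:00",
     "detected": "2024-04-16T09:30:00", "contained": "2024-04-16T10:00:00",
     "auto_triaged": True, "true_positive": False},
    {"id": "INC-8", "period": "Q2", "first_seen": "2024-04-22T06:00:00",
     "detected": "2024-04-22T12:00:00", "contained": "2024-04-23T12:00:00",
     "auto_triaged": False, "true_positive": True},
]

# Direction in which each metric should move for the strategy to count as improving.
LOWER_IS_BETTER = {"mttd_hours", "mttr_hours", "false_positive_rate"}
HIGHER_IS_BETTER = {"automation_rate"}


def _hours(start_iso, end_iso):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / 3600


def period_metrics(incidents, period):
    """Aggregate the metrics for one review period."""
    rows = [i for i in incidents if i["period"] == period]
    true_pos = [i for i in rows if i["true_positive"]]
    return {
        "incidents": len(rows),
        "mttd_hours": round(mean(_hours(i["first_seen"], i["detected"]) for i in true_pos), 2),
        "mttr_hours": round(mean(_hours(i["detected"], i["contained"]) for i in true_pos), 2),
        "automation_rate": round(sum(i["auto_triaged"] for i in rows) / len(rows), 2),
        "false_positive_rate": round(1 - len(true_pos) / len(rows), 2),
    }


def compare_periods(incidents, before, after):
    """Report which metrics improved or regressed between two periods."""
    b, a = period_metrics(incidents, before), period_metrics(incidents, after)
    improved, regressed = [], []
    for key in LOWER_IS_BETTER | HIGHER_IS_BETTER:
        lower_better = key in LOWER_IS_BETTER
        got_better = a[key] < b[key] if lower_better else a[key] > b[key]
        got_worse = a[key] > b[key] if lower_better else a[key] < b[key]
        if got_better:
            improved.append(key)
        elif got_worse:
            regressed.append(key)
    return {"before": b, "after": a,
            "improved": sorted(improved), "regressed": sorted(regressed)}


if __name__ == "__main__":
    report = compare_periods(INCIDENTS, "Q1", "Q2")
    for label in ("before", "after"):
        print(label, report[label])
    print("improved:", report["improved"])
    print("regressed:", report["regressed"])
```

With the constructed data, the second period shows faster detection and a higher automation rate, but a slower mean time to containment because one incident took a day to contain. That is exactly the kind of signal the feedback loop is meant to surface: the review would keep the automation work and look into what slowed response rather than treating the whole quarter as a success or failure.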
In today's world, implementing security initiatives is often tough. Justifying these initiatives in terms of dollars and cents can be just as challenging. However, by following these best practices, CISOs can make significant progress toward fulfilling their goals for security operations.
For more cybersecurity content, you can subscribe to email updates from Demisto below.