Check out the thoughts of Javvad Malik, Security Evangelist at AlienVault, on the Infosec Buying Game.
As a CISO with your finger on the (purchasing) button, how do you get the most bang for your buck? Actually, I'll rephrase. How do you ensure that whatever you spend your (often meagre) budget on isn't wasted?
It’s something I’ve been thinking about recently, after a tweet from CISO and Southern Fried Security podcast host, Martin Fisher, popped up in my timeline.
Fisher said: "The question shouldn't be 'what tech should a CISO buy' but 'what capability should a CISO build'. Tech first yields awful results. Always."
It's an interesting perspective, if a little provocative.
But it's also one I happen to agree with. During my career, I've witnessed plenty of C-suite executives get caught up in industry hype cycles, only to drop thousands of pounds on software and appliances that they don't need, and probably don't understand. It seems that purchasing decisions are often made based on who has the best pitch, rather than on a sober and informed discussion about the requirements of the business.
So, how do you have that sober and informed discussion? I like to break this up into three questions:
- What capabilities are you building? “More security” is not an acceptable answer. Be specific with your security goals.
- What are you defending? Any technology acquisitions should have a laser-like focus on protecting the things you already own, or the things you’re about to invest in.
- What do you want to accomplish? This one sounds obvious, but it’s worth taking a moment to think about the outcomes you desire. Again, “more security” is not an acceptable answer.
When it comes to the first question, I think you must change your mindset. When you invest in threat intelligence, don't think of it as "buying a new threat intelligence system." You're giving your staff the ability to identify and understand potential threats long before those threats start knocking on your firewall.
Figuring out what you're defending can be hard, especially if you're responsible for a large company with a sprawling IT infrastructure. At that point, it's worth ripping off the plaster and doing an inventory of all your digital assets.
And then actually manage that inventory – or at least keep a handle on which assets are business-critical.
The advantage of doing an asset inventory is that you get a birds-eye view of your data, processes, and systems. So, should the worst happen, you’re well-placed to prioritise and respond to the threat.
Finally, let’s talk about outcomes. If you invest time and money into your security infrastructure without actually thinking about what you want to accomplish, you end up with… Well… A mess.
You end up with an inefficient, bloated mess that’s hard to manage, and has little-to-no cohesion between the systems you’ve already got. Honestly, you might as well throw your money down the drain. Or better yet, give it to me.
For any purchase, ask whether the product is simple to use and deploy, and whether it delivers more than one of your desired outcomes in one go. If yes, it's probably worth buying. Otherwise, take that toy out of your trolley and put it back on the shelf.
The challenge CISOs face isn't an informational one, in my view. They're the CISO. They should have no difficulty in taking a sober, evidence-driven approach to the security purchasing needs of the company. Rather, the challenge is convincing other senior management and executives of the value of this approach.
It’s extremely difficult to convince people – not just C-suites, but anyone – that there are no quick fixes in life. There are no panaceas. “Strategy over technology,” is a hard pitch to make.
There's a brilliant Seth Godin blog post that says this far more succinctly than I ever could, and the gist is: if you're a CISO and people don't buy into what you say, that's your fault, not theirs. Ultimately, it's your responsibility to make the case for a sober, sensible, cautious, and long-sighted purchasing strategy.
AlienVault, stand G65, Infosecurity Europe 2017