What are the main challenges in balancing a growing security architecture with emerging threats, while at the same time justifying ROI to management?
There are at least two primary challenges to balancing a growing security architecture against emerging threats.
The first is that emerging threats are developed and deployed very rapidly, while almost any new element of the security architecture generally takes much longer to put in place, generating a window of risk where an emerging threat initially has no corresponding security component to address it.
The second is that new elements of the security architecture typically impact users and business processes in some manner. A practical example of this impact is a three-pronged security project that removes users from local administrative groups, requires password vaulting for all accounts with elevated privileges, and deploys application whitelisting in an effort to counteract the emerging threat of phishing attacks. Users, including server administrators accustomed to having local administrative privileges, must adapt to the new security environment. Likewise, some automated business processes that depend on accounts with elevated privileges must be adapted to retrieve their credentials from the password vault. These impacts on administrators and users must be addressed in the planning phase of the architecture project.
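The planning step for the first prong of that project (removing users from local administrative groups) starts with knowing who is in those groups today. The following PowerShell script is an added example, not part of the original answer: it inventories the local Administrators group across a list of Windows hosts and flags every member that is not the built-in Administrator account or Domain Admins, so the affected people and service accounts can be identified before the change. It assumes the LocalAccounts module (Windows 10 / Server 2016 or later), WinRM access to the hosts, and rights to read the group; the host names and the output path are placeholders.

```powershell
# Added example: inventory local Administrators membership before removal.
# Host names below are placeholders; replace with your own list or an AD query.
$servers = @('SERVER01', 'SERVER02')

$report = foreach ($server in $servers) {
    try {
        # Query the group remotely over WinRM. On the local machine you can call
        # Get-LocalGroupMember directly without Invoke-Command.
        $members = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators'
        }
    }
    catch {
        # A host that cannot be queried is itself a planning finding; record it and move on.
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
        continue
    }

    foreach ($m in $members) {
        # The built-in local Administrator account always has a RID of 500.
        # Keep it and Domain Admins by default; everything else is a candidate
        # for removal and needs an owner and a migration plan (for service
        # accounts, that plan is the password vault).
        $isBuiltIn     = ("$($m.SID)" -like '*-500')
        $isDomainAdmins = ($m.Name -like '*\Domain Admins')

        [PSCustomObject]@{
            Computer      = $server
            Member        = $m.Name
            Class         = $m.ObjectClass      # User or Group
            Source        = $m.PrincipalSource  # Local, ActiveDirectory, ...
            KeepByDefault = ($isBuiltIn -or $isDomainAdmins)
        }
    }
}

# Candidates for removal, grouped per host, for the change-planning review.
$report |
    Where-Object { -not $_.KeepByDefault } |
    Sort-Object Computer, Member |
    Format-Table -AutoSize

# Full inventory as the record of what the environment looked like before the change.
$report | Export-Csv -Path '.\local-admin-inventory.csv' -NoTypeInformation
```

Run it from an administrative workstation with the LocalAccounts module available on the targets. Members whose Class is Group deserve a second look, since a single nested domain group can grant local admin rights to far more people than the list suggests, and members whose Source is Local are often the forgotten service accounts that will break automated processes once they lose elevated rights.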
Justifying ROI for information security can be a challenge. Information security is, in fact, a business problem, not an IT problem. The information security team should develop an information security strategy aligned with the company's business imperatives and the various IT programs designed to support those business imperatives. A well-executed information security program should also deploy a security architecture that enables business-focused outcomes (e.g. enabling the company to research and develop new products, to expand in existing markets or enter new ones, or to attract new customers) in secure ways.
But that is not enough. Because users are both the target of advanced attacks and the first line of defense, the information security strategy should include components designed to modify users' behaviors, enable risk-aware behaviors and require risk-aware decision making, all while driving compliance with law and regulation. These are the components of the ROI calculus for information security.