©2019 IDG Communications, Inc.
Sponsored content
CSO Privacy Policy
Cookie Policy
California: Do Not Sell My Personal Info
Agility at Scale: 3 Keys to a Successful Cybersecurity Strategy
by Beth Stackpole
Cybersecurity issues and prominent data breaches continue to grab headlines, yet too many companies continue to struggle when it comes to formulating and executing an InfoSec strategy that can deliver the proper protections and mitigate enterprise risk.
According to IDG’s 2018 Security Priorities survey, large and small organizations alike still have plenty of work to do to establish a robust cybersecurity foundation. The study found 44% of respondents still lack an overall information security strategy, while nearly half (48%) don’t have an official security awareness program.
Those are not ideal starting points, given the rapidly evolving threat landscape. Emerging technologies such as the Internet of Things dramatically expand potential attack points, increasing uncertainty and complexity.
With the ground shifting under the feet of security teams, we asked a group of cybersecurity experts across the IDG Influencer Network: If you were creating an InfoSec strategy from scratch, where would you start?
Of course, only startups have the luxury of crafting security strategy from a blank slate. But we think it’s helpful for security teams to take a step back and consider the possibilities for their security operations beyond daily fire-fighting activities. A broader view, unencumbered by existing realities and constraints, could spur some innovative thinking about ways to address the complex world of cybersecurity.
Here are the top three priorities that emerged from the responses.
1. Get a clear picture.
Rather than taking a piecemeal approach to cybersecurity, experts suggest an important starting point is understanding the full nature of the data landscape and the roles that different data types play across the business.
“Not all information is created equally—although it all needs protecting, some needs more protection than others, especially if you are in a regulated industry,” notes Jack Gold (@jckgld), president and principal analyst at J. Gold Associates LLC. “You need to do an information assessment to see what needs protecting and then build a strategy around the different levels of protection based on the data type.”
Identifying the data and assets that need protection is a core component of a broader security risk assessment that will help you to pinpoint vulnerabilities and the potential business impact, according to Robert Siciliano (@RobertSiciliano), security awareness expert and CEO of Safr.Me. “The strategic plan needs to fill the gaps [to move] the company's current state of security to where it needs to be to maintain a robust state,” he says.
Increasingly, organizations are exploring how a “Zero Trust” model can help them to reach that robust state. The Zero Trust concept, CSO’s Mary Pratt writes, is based “on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.” While just 23% of organizations in IDG’s Security Priorities study are piloting or have deployed a Zero Trust architecture, 42% say they have it on their radar or are actively researching it.
“A robust Zero Trust strategy considers the full context of the session to determine its overall risk: the identity of the user plus the state of their device, the apps they’re using, and the sensitivity of the data they’re trying to access,” Microsoft’s Alex Weinert wrote in a recent blog post. “It then applies holistic policies that define when to allow, block, or restrict access, or control it by requiring additional authentication challenges such as [multi-factor authentication], limiting functionality such as downloads, or applying compliance controls such as terms of use.”
Regardless of the model deployed, experts stress that continuous testing, supported by a combination of machine learning and human analysis, is critical to keeping the organization safe amidst constantly evolving threats.
“Security should have a combination of automated safeguards with continual oversight from a team managing the data,” notes Joe Martin (@joeDmarti), general manager and vice president of marketing and strategy at CloudApp. “Ongoing cyber-risk assessments, penetration testing, and a test plan should there be a breach are things that need a continual focus.”
2. Align and commit with the business.
Taking that long view is critical to understanding and prioritizing business objectives and related security needs over the course of the next three to five years, says George Gerchow (@georgegerchow), chief security officer at Sumo Logic. “In InfoSec, we often look at what is right in front of us instead of what is to come,” Gerchow cautions. “To truly provide guardrails that minimize the risks to an organization, you need strategic alignment, flexibility, and agility to execute a program at scale.”
Proper resource allocation plays a key role. “Always make sure you have the adequate personnel, budget and even interest to go ahead with [cybersecurity strategy],” says Phil Siarri (@philsiarri), market researcher and founder of Nuadox. Siarri cited an ISACA study estimating that information security and risk management budgets typically constitute about 7% to 10% of the overall IT budget. Factoring in compliance-related practices, the InfoSec slice of the IT budget rises to 10% to 13%.
Security budgets do appear to be trending in the right direction. IDG’s Security Priorities survey found that 52% of organizations plan to increase security spending in the year ahead. Budgets are expected to rise 13% on average.
Addressing the cybersecurity threat has become a team sport, requiring new levels of collaboration among security, IT, line-of-business functions, and executive leadership. In IDG’s 2019 State of the CIO study, 64% of respondents said security was an integral part of IT strategy, up from 54% in 2018. Enlisting buy-in from top management provides even broader cover for InfoSec initiatives; in the IDG Security Priorities study, support from corporate leadership was the top factor cited in helping security teams influence other parts of the business.
Solidifying buy-in and resource commitment from corporate leadership is a critical step in crafting a truly effective strategy—“not one that operates solely in the silo of the security department,” says Diana Nolting (@diananolting), director of products at Anvl. For example, she says, “security needs to be proactively considered and baked into each product feature as you build it within your product; too many companies try to bolt security on later or think a feature can bypass that step altogether, which places your customers and your company at an unacceptable risk.”
3. Make everyone accountable.
Individual accountability is also important when laying out a strategic plan. “Be sure each team member knows their responsibility and also understands their accountability to the rest of the team. Success is achieved by implementing clear goals with milestones,” says Scott Schober (@ScottBVS), president and CEO of Berkeley Varitronics Systems Inc.
Embracing a holistic user security strategy that spans both awareness and monitoring should be a top priority, according to Will Kelly (@willkelly), senior technical writer and content strategist. “All too often, the greatest risk is overlooked—the one that walks out the door at the end of each day,” says Bill Mew (@BillMew), CEO of CrisisTeam. “The insider threat massively outweighs any other.”
In addition to identity and access management capabilities to protect against malicious insider incidents, organizations need to make investments in employee training and education. Establishing a “digital ethics-oriented” culture, which places value on clients’ data, can ensure a company is less likely to suffer a data breach and that it will be quicker to respond and recover in the wake of an intrusion, Mew says.
One way to drive awareness and promote security process visibility is to bring in a partner to help with assessment and training. “They can find and lock down your crown jewels and educate your employees on the procedural changes and why they’re important,” says Tricia A. Howard (@TriciaKicksSaaS), senior regional sales manager at HolistiCyber. “The higher the adoption rate, the more successful your program will be.”
All of this planning should happen proactively, not reactively. “When security is treated as an afterthought, it can become a roadblock to effectively growing your business,” says Schober. “Get out in front of the problems before they become untenable.”
To learn more about how cloud-powered, intelligent security solutions can help you protect users, data, and everything in between, check out Microsoft’s security resources page, including Part 1 and Part 2 of the CISO Spotlight Series featuring Microsoft CISO Bret Arsenault.