The security technology landscape changes often and changes quickly. We all know threats evolve daily and often drive our approach for implementing and using new and existing technologies. These numerous options can quickly become daunting as we try to understand which ones to implement, which technologies work well together, and which ones duplicate functionality. Technology providers, of course, are eager to sell everything. However, buying everything is simply not feasible given industry, budget, ability to support, and a host of other considerations.
So, what can we do to help us sift through and prioritize which technologies work best for our organizations? There are best-practice capabilities we all leverage, such as firewalls, endpoint protection, data loss protection, etc. But beyond the standard “best practices” approach, how can you determine which ones to focus on?
Just like technologies, there is no shortage of models and frameworks that exist for managing a security program. Some support various regulatory and customer requirements that help guide us in building the elements of a security program, such as NIST, ISO, GDPR, HITRUST, HIPAA, and PCI-DSS, to name a few. And then there are recommended models, such as Zero Trust, MITRE, etc. These models can be specific to an aspect of security, like threat modeling or access management, or may be broader in scope.
Regardless of what framework, model, or approach you use, leveraging these methods can help security leaders sift through the noise of sales calls, white papers, and lure of innovative technologies.
Mature and established frameworks may not immediately adapt to the latest and greatest new products. Instead, they go through a review process to evaluate newer technologies and determine which ones best meet the specific needs of organizations. This results in adherents becoming more risk focused rather than distracted by the latest hype regarding security needs and requirements.
And, as we consider models that have become highly recommended, though may not be required (e.g., Zero Trust), there is no one prescribed technology, but a collection of products that work together to achieve a desired level of maturity. The advantage of these models is that they are more concept based and can change as the technology changes. This allows the ability to adapt and mature as needed without trying to keep up with the latest and greatest capabilities, especially those that may not stay around for long.
A good example in the market today is Extended Detection and Response (XDR). XDR was initially a concept that varied based on which vendor you followed and which research paper you read. It is interesting to watch the evolution of new capabilities such as this as vendors and independent knowledge and research groups interpret them differently. As organizations in different industries begin implementing new concepts, you may observe parts of the concept become a new standard while others become optional. As an example, XDR capabilities may not necessarily be a framework requirement today, but the elements comprising XDR may be, such as Endpoint Detection and Response (EDR).
In no way, however, am I suggesting you should not evaluate or implement new products and technologies until they become part of a particular framework. In fact, you may find that you need to leverage them to immediately address specific concerns in your security technology landscape. However, I recommend caution when implementing an overabundance of innovative technologies that have not been vetted successfully across multiple industries or simply may not be required to achieve a desired state of security. It is with this in mind that frameworks and models can help security leaders develop an organized, strategic approach for implementing capabilities and leverage a risk-based mindset for prioritization and determination of need.
Frameworks can be slow to include newer technologies and approaches, especially to a level that allows an organization to keep pace with emerging threats. This is where it becomes imperative for each organization to evaluate which method they choose to follow, and the scope with which they choose to implement it. But the advantage of a risk-based approach is that you do not have to implement every capability to the highest level. While it may be desirable, it is not always achievable. Using a risk-based mentality allows us as security leaders to implement capabilities in support of organizational priorities that align with the risk appetite.
As frameworks and models continue to evolve and incorporate new capabilities, they can provide a viable method to help organizations prioritize and focus their security efforts. These enable leaders to leverage an organized, risk-based approach to achieve the desired level of maturity for the security program while meeting regulatory requirements for their specific industry. But security leaders should always maintain a watchful eye on the technology landscape and understand how those technologies can specifically address new threats or gaps in their program. If the new capability or technology solves an immediate problem, then the leaders, based on their organization’s risk appetite, can prioritize it without waiting for the various frameworks and models to catch up.
Note: The views expressed herein are entirely my own and do not reflect the position of Arkansas Blue Cross Blue Shield.
(Devin Shirley has an extensive and varied career in managing and directing telecommunications, security, and IT assets in the military and in the private sector. He holds a bachelor's degree from West Point and a master's degree from Oklahoma State University. Currently, he serves as Chief Information Security Officer for Arkansas Blue Cross and Blue Shield.)