AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Security Investment Questions and Considerations for CSOs

With so many security tools at different layers to address a multitude of evolving threats, deciding the right amount of investment and where that investment should be spent is no easy task for today’s CSO. For every technology investment decision, there are myriad questions:

  • What’s the expected impact on the team that has to implement and manage the solution? Does the team have the proper expertise or do they need to be trained, etc.?
  • Does the technology fit in with what’s already in the security environment? And if implemented, what’s the optimal place within the architecture so you get the biggest bang for your buck?
  • What’s the right security investment mix? Software, hardware, training, cloud, etc.?
  • Too often security is thought of as bolting on another technology, but it’s never that simple. What’s the impact on the business from a technology and process perspective? If you could re-architect your security infrastructure, what would you do differently?
  • The list goes on and on, but you get the point…

Another investment consideration is to identify solutions that not only improve your organization’s security, but also can provide a hard ROI or cost savings. ROI for security is tough to demonstrate because it’s like life insurance… you keep paying for the policy, but hope you never have to cash in. However, security management can provide a real opportunity to demonstrate ROI because if operational efficiencies are gained, organizations can get more productivity out of those resources. Security change management is a perfect example of this – if an organization makes multiple changes per firewall per month, but through better security management can cut that in half, the ROI for that security change management solution is very strong. Other examples here would be reducing audit time and costs, reducing how long it takes to provision security for critical applications, and more.

In addition to improving security, are there security investments that can also help your IT group be more responsive to the dynamic needs of the business? The business now owns the risk, so we can’t just look at security in a box; we also have to look at its impact on the business, whether positive or negative.

The security market is constantly evolving… from new threats to new technological advances to new frameworks, etc. So with this in mind, future-proofing your security environment as best as possible is advised. The best approach is to stay abreast of innovation, understand how threats are changing and which techniques are being used, and do everything you can to shore up gaps in your security infrastructure. Strategic investments should be made in dynamic technologies which are adaptable to the changing threat ecosystem – keeping them relevant as malware variations are developed. Process is an area that should be reviewed regularly to ensure all the checks and balances are in place and are both effective and efficient. For example, increasing the effectiveness of network security change processes, which prevent errors and misconfigurations, is key to ensuring they do not become outdated as the threat ecosystem changes.

Despite the introduction of new and more potent threats, the fundamentals of good security posture remain the same, particularly around change control and configuration integrity. Additionally, you should think about how the sum of the investments can be greater than the parts – it’s not about a specific tool, but how technological advancements when paired with process and people with the right expertise provide a bigger return on both security and the organization’s bottom line.
