Readers' note: The blog below was authored by security expert Mike Gentile. His bio follows at the bottom:
In our complex security landscape, many organizations acquire new security technologies to aid in protecting their business. While it is daunting enough finding the right technology to meet the many complex business needs involved, there is even more to consider when it comes to actually making any security technology a success.
So, here are some success tips to consider:
- Include capital and operational costs — Even the best car is useless without a driver. In information security, though, artificial intelligence (a self-driving capability for security technology) is getting closer. But you are still going to need someone at the wheel to drive your new security technologies to success. The best way to do this is to capture both the capital and ongoing operational costs for managing a security technology after it is implemented. I like to add the specific role, such as, say, security engineer, as well as how much headcount effort will be needed to manage the supporting processes for the new technology. This can only be forecasted well if tip number two (below) is acted on first … to develop supporting processes.
- Develop the supporting processes beforehand — Any security technology is going to automate process steps, but this is not the same as the process itself. The process must be designed, and the earlier the better. For example, that new vulnerability assessment technology is not going to schedule the assessment with the business, get the scan through change control, check to make sure the target systems were not affected by a scan, manage the situation if they were, and on and on. For any security technology purchase, make an inventory of which supporting processes need to be developed, then build them beforehand, with adequate business rules, step-by-step procedures, and roles and responsibilities. To ensure they are adequately resourced with your operational projections (per Tip Two), do this before the implementation of the technology.
- Get the vendor to share configuration tips — No one is going to understand how to best drive a Ferrari better than someone from the Ferrari company. Specific to security, no one is going to understand the short-cuts and ins and outs of using the technology better than someone from that technology company. In my old GRC company, Delphiis (which offered a risk assessment technology), we used to do dedicated sessions with whoever was going to be operating the technology. They’d work with our engineers, who would show them all the best ways to use the tool. It always surprised me how many clients did not take us up on that offer, until later on, when we made it a requirement. We clearly saw that efficiency dramatically correlated to whether this step happened or not. During this period, it was also a great time to get free training, both on the technology and the specific domain the technology operates within. Our engineers at Delphiis (back in the day) saw hundreds of risk management programs firsthand. What a great free training resource.
- Leverage a security architect for global integration — Now, you may say, “We don’t have a security architect.” My answer to that is, if that is the case, then you should be looking at that capability or resource before purchasing any new security technologies. While vendors can help you with local configuration, they will not touch, at least generally not well, how this preventive or detective safeguard you are purchasing will integrate into your overall security architecture. Nor will they touch on how it will impact or influence the other safeguards in your environment. This is like only giving one player on your team a position and guidance, and expecting the team to play well together. That didn’t work even for Michael Jordan or Kobe Bryant.
- Integrate into your communication system — Whether it’s a preventive or detective security technology, both will collect or produce data that can be used in security program reporting. The common approach for this is to ask a vendor, and they will say, “Our technology integrates into a system log management system, you are good.” From the vendor, this is a fair answer, but this does not mean you are even close to integrating into a security program management system that can support the business in making informed decisions. Ensure that you design how you will use any data aggregation capability beforehand; what data you would like to acquire; and how this can enhance or improve your overall security program reporting.
Good luck in your security technology endeavors, and please let me know your feedback or ideas on other ways to help improve the success with implementing a security technology.
(Author's note: Mike Gentile has been building information security programs for more than 20 years. He has built more than 100 information security programs across every industry, and in both private and public sectors. His first book, "The CISO Handbook," was one of the first published works to provide a step-by-step methodical approach to building a security program. This methodology is used as courseware in many advanced teaching organizations on security leadership, and has been implemented in thousands of organizations globally. Follow him on Twitter.)