Organizations of all shapes and sizes face a diverse and ever-changing security threat landscape. From targeted phishing attacks to sophisticated malware, many businesses lack the modern tools to meet this growing challenge.
Ask yourself: Are you using the right tools? Have you implemented the tools for success?
Some organizations still run perimeter-only security solutions or signature-based antivirus, while others have purchased but not effectively implemented newer tools like EDR for detection and response.
Some examples often heard include:
- “We’ve got a bunch of tools but no one maintains them”
- “We can’t get budget to buy any new security software”
- “We bought a security tool but never implemented it”
- “We’re still running signature based AV”
From my experience, security professionals and practitioners often focus too heavily on technical security problem, to the detriment of solving business problems. This article aims to give you some ideas on how to approach the process from evaluating your business needs, then selecting solutions and implementing them for success.
Getting the right security tools can be big undertaking, but the four steps below are a basic roadmap on how to proceed.
1. Know your enterprise
This first step is foundational; you must be aware of business and you organizations requirements before you can find the right solution.
What is your business?
- What is your industry? Are you regulated? Who are your customers? What do they expect of you?
- What’s most important to protect? What are the threats you face?
How does your organization handle security?
- Who are your security stakeholders? Do you have strong executive support?
- Who manages, operates and tests the security tools? (Who should?)
- What capabilities do you have with current tools? What are the gaps?
- Do have strong engineering and operations teams that can build and maintain a solution?
2. Write a clear and concise proposal
After you’ve considered your business drivers and stakeholders, draft a well written and easy to read proposal. This document must outline how the solution solves for a business problem (or problems). Write up “what we need and why we need it”. Consider an “elevator pitch” that explains your proposal in a brief but clear manner.
What are your business drivers for a solution? Consider these inputs:
- Show ROI (Return on Investment): For example, if you are regularly dealing with security incidents that cause loss of otherwise productive time, show that cost
- Do you have a compliance requirement? Is there a financial penalty or potential lose of business if you cannot meet them?
- Are you customers asking for or requiring certain controls as part of new contracts or renewals?
What obstacles might you encounter to your proposal?
- Some possible hurdles might include budget, timing, and resources
- Anticipate obstacles in advance and be prepared to counter with objective and subjective data supporting the value a solution will provide
3. Evaluate solutions (and vendors)
Now that you’re ready to start evaluating solutions, it’s important to develop objective criteria to define success. Draft a set of “must haves” and “nice to haves” for a solution. Here’s an example for considering an endpoint security tool:
Considerations:
Build vs. Buy
- Weigh the costs (including ongoing maintenance) of going with an off-the-shelf product vs building it in-house. If you did a good job with #1 (Know Your Enterprise), you can make an informed decision if this aligns with your organization’s strengths and priorities.
Open Source vs. Vendor Solution
- Open Source is often “free” in terms of software cost, but may require a lot of engineering and/or support to operate. Consider if this additional overhead might make open source costlier over time. Further, if the open source project is not is actively maintained, you might be out of luck for updates.
- With vendor solutions, be diligent to know what you’re getting and avoid relying too heavily on “roadmap” statements. If an an essential “must have” feature is not present today, you’re taking a big gamble on the vendor delivering it in future release. Also consider if the vendor is going be around for the long term.
Industry Research & Peer Input
- Do your research using credible analyst firms, and most importantly, talk to your peers!
Objective Testing
- The best way to learn about a solution is put it through a thorough evaluation. Conduct a well planned “proof of concept”
- Write a test plan and build a score matrix that maps to your use cases and objective criteria.
- During testing, maintain consistency of samples and methods to accurately measure.
- There are great resources out there for how to approach the testing, including this one titled “Out with the Old, In with the New: Replacing Traditional Antivirus”.
Example scorecard with a 1–5 scale:
4. Implementation and beyond
Once you’ve selected and begin implementing your new security tool, it’s critical to get the right stakeholders to align on delivery and responsibilities for the delivery and ongoing activities.
Before you call it “done”:
- Look back to your criteria and make sure you achieved your goals.
- Agree on roles and responsibilities by codifying a responsibilities matrix (aka RACI or RASCI)
Conduct a debrief with key stakeholders and capture the following:
- What went well? What didn’t go well? What could we do better next time?
As a final point, capture metrics and data to highlight the value of your new security tool. Bring visibility to your stakeholders (especially executives) and you’re likely to get their support for the next security challenge you face.
