Cybersecurity leaders are looking to make strategic and sustainable investment in 2022. Ones which will not just protect the organisation against threats, but also support collaboration and innovation. Read this two-part article series to find out exactly how to get maximum value out of your investments.
The business world has recently been abuzz with excitement and activity. Companies are merging, acquiring and growing at an unprecedented pace. CFOs are expecting and planning for a record surge in investment. Citrix boldly names this period “The Era of Hyper-Innovation”. But amid all this excitement, security leaders are facing serious questions about:
- How to ensure security in this new mode of enterprise operations
- How to get the most out of their cybersecurity investment
Rightly so. The alphabet soup of SIEM tools is not delivering on its promises, and CIOs and CISOs are facing a tough balancing act between wanting to secure the attack surface and having to justify the need for yet another investment to the board.
In this first article of the two-part series, we explore 10 important questions that you need to ask yourself before you invest in a new tool. These questions will help you unravel some of the complexities around decision-making and put you and your team in a better position to reap the rewards.
1. Is Your Investment Sustainable?
The temptation to invest in the latest and greatest technology, with its promise of complete protection, is irresistible. But a good security consultant will ask you, “why?” Is your enterprise ready for the new investment/technology? Does it need the level of security you desire?
A bank and a retail shop with just an ecommerce website does not have the same security needs, nor the same budget and resources.
Some important questions of viability should be asked early on. Do you have the resources necessary to train your teams in the new tool? Does your operation need to change to benefit from the capabilities of the tool? Are there non-monetary ways of achieving your security goals? Will your SOC (and board) be able to wait while the new tool breaks in? Finally, have you set realistic expectations?
Play devil’s advocate before you bring a proposal anywhere near the board. A sustainable investment will account for your existing operations, resources, team capabilities, tech-stack, network maturity, budget, and deadline.
2. Are Your Network Operations Mature?
SIEM tools are only as good as the maturity of your network operations. Security tools implemented in an ecosystem of conflicting systems and overlapping processes deluge your SOC teams with low quality alerts. Such implementations often lead to a breakdown of relationship between vendor and clients. The projects are canned. Who was wrong? Technically, no one was. The network was simply not ready.
3. Are Your Tools Fully Implemented?
Full implementation of security tools over complex networks takes anywhere from a few weeks to several months. It’s a frustrating experience for cybersecurity leaders who want to prove the value of their investment to the board immediately. This pressure translates to slapdash implementation, with many gaps in configurations. Perhaps not all the endpoints are fully connected. Maybe your rules are not set up to fully account for the environment. All of this culminates in a suboptimal performance and aborted project.
4. Are Your Teams Fully Trained & Invested in the Project?
The investment is sustainable. Check. The network is ready. Check. Tools are fully implemented. Check. Yet, your investment is failing. Here’s where the “people” aspect comes in.
SIEM implementations are complex, time-consuming, and require the co-operation of many different parts of the organisation. Politicking within or across departments can derail projects. Clear roles, boundaries and responsibilities are vital for success.
Take steps to get buy-in from not just your immediate team, but from other relevant departments. Create awareness among the wider organisation as to why the tool is not just useful, but essential. Tell them how it will make their lives easier.
5. Have You Allocated Enough Resource to Monitor and Manage Tools?
Okay, you’ve gotten enough people excited about this new tool. Everything is going as planned. A few months down the line, you realise something’s amiss. There are a lot of alerts and not enough people to monitor and weed out the bad ones and act on the right ones.
Even the best SIEM tool needs a skilled team to make sense of the alerts and not enough talent is now a constant complaint on the lips of tech leaders. In response, many companies have responded by increasing budgets for retraining and upskilling their teams, rather simply recruiting more people.
Here’s a tip from us: if your team runs itself for more than 3 months without a manager, you shouldn’t be recruiting. You should be promoting from within.
6. Have You Allocated Enough Time to Optimise & Reintegrate Tools?
Next step. Your SIEM tool seems to be working well. All hands are on deck. Another few months down the line, you hit a bump. You patched or modified a system and just like that your tool has gone awry. What went wrong? Your team has not reintegrated the tool with the rest of the network. So, have you embedded your SIEM team into your operational workflow? Allowing them to influence design and architecture can help you keep your SIEM journey smooth and seamless.
7. Have You Made Enough Room for Automation?
Even the most basic SIEM tool has some automation capability. If your SOC operation remains heavily dependent on human intervention, neither your team nor your tool can achieve their true potential. So, have you integrated your new tool with your existing tech-stack and made room for automation and high-quality alerts? This allows your SIEM to mature and produce better results over time.
8. Is Your SIEM Scalable & Flexible?
When the business grows, your SIEM tool needs to be able accommodate that growth without bursting at the seams (pun intended). This is especially true in a hybrid world where the network is constantly enlarging and evolving along with the attack surface. Will your tool be able to handle a sudden surge in the number of logs? Can your rules accommodate such dramatic changes?
Assign someone the role of monitoring the rules and keeping them relevant. This will ensure that SIEM tool evolves in lockstep with your ecosystem.
9. Are Your Logs Standardised and Stored Centrally
Logs are the lifeblood of SIEMs. Knowing what to collect and, more importantly, where and in what format to store them is critical, especially in larger organisations. Make sure that all the critical logs are being collected, stored in an accessible location, and made available to analysts.
10. What Other Technologies Can You Leverage?
Finally, you’re now ready to start thinking about investing in technologies such as AI and Machine Learning. Static rules and signatures cannot give your teams the kind of insight into data trends that will allow them to be proactive in their work. But at least now you know, you have exhausted all other means and you’re ready for the next step. But a cautious approach is still recommended. Do you have all the data resources ready to benefit from your new investment?
You have now answered some of the most important questions in creating a sustainable cybersecurity investment. But there’s more. In the next part, we’ll touch upon the tried-and-true practices from the leaders in the business that you can use to get the most value out of that investment.
Read the next part here.
WANT TO FIND OUT MORE?
If you would like to keep track of the latest changes in cybersecurity, visit our innovator Akamai’s portal page, where you’ll find more news articles, analysis, and original content.