InfoSec, like any other aspect of IT, is a matter of three factors coming together: people, process and technology. All of these factors cost time and money in some way.
The truth is, very few organizations can fund and staff their own security program, with all of the people, processes and technology it needs, to the degree they would like. Everyone has to compromise somewhere.
This is where the “Security Poverty Line” comes into play. Before I get into the details of exactly what that is, I need to give full credit for the term to longtime industry CISO Wendy Nather, who coined it and has written extensively on it. Essentially, the Security Poverty Line is the acknowledgement that most organizations will have to sacrifice in at least one of the three key InfoSec areas I outlined above.
If you work at a major tech firm, a big financial institution, or a big government entity, odds are you have the resources to stay above the Security Poverty Line. This is both because these companies have the finances to do it, and because there’s an imperative in keeping those systems secure because of the level of risk.
For virtually every other organization out there, sacrifices have to be made in at least one area of people, process and/or technology when it comes to InfoSec. Let’s take a deeper look at some ways you can keep yourself from falling below that poverty line and maintain your critical infrastructure and application security.
You have to find ways to improve your security posture to stay above that poverty line in ways that may not be directly about security. Championing your IT teams where their activities or projects support organizational security in some way can be a very effective practice.
A lot of security comes down to proper IT management. For example, if you go to your leadership and say that a better backup solution is imperative, you can put that in a security context: a strong backup solution is critical to preserving business continuity in the event of a ransomware attack. Your organization can either spend money on a good cloud backup solution now, or pay cybercriminals a ransom later to get its systems back, and even a paid ransom is no guarantee of recovery. Two caveats apply if the backup is to count as a security control. Modern ransomware deliberately seeks out and encrypts or deletes any backup it can reach, so at least one copy has to be offline, immutable or otherwise unreachable from the production network. And restores have to be tested regularly, because a backup that has never been restored is an assumption, not a control.
Proper network segmentation is another area where this can have a big impact, whether the network is in the cloud or on-premises. If you can make the case on behalf of the people managing your networks that they need the right resources to segment them, you’re containing the blast radius of a breach and making the attacker’s life more difficult by controlling the “battle space.” The segmentation only does that if the default between segments is deny, with each permitted flow explicitly allowed; a segmented network whose rules still let everything talk to everything is a flat network with more paperwork.
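To make the blast-radius argument concrete, here is an added example (not code from the original post) that evaluates network flows against a default-deny segmentation policy and computes which zones an attacker can reach from a compromised zone. The zone names, allow rules and sample flows are constructed for illustration and are not from the post; the policy is a simplified model in which an allow rule is a (source zone, destination zone, port) triple and traffic inside a zone is always permitted. The same evaluation is run against a flat network, in which every zone can reach every other, to show the difference segmentation makes.

```python
"""Segmentation policy evaluator and blast-radius calculator.

Added example, not from the original post. Zones, allow rules and the
sample flows are constructed for illustration only.
"""
from collections import deque

# Constructed zone names for this example.
ZONES = ["internet", "workstations", "web", "app", "db", "backup", "mgmt"]

# Default-deny policy: a cross-zone flow is allowed only if a matching
# (src_zone, dst_zone, port) rule exists. Port "any" matches every port.
SEGMENTED_RULES = {
    ("internet", "web", 443),       # public web tier
    ("workstations", "web", 443),   # staff use the same web front end
    ("web", "app", 8080),           # web tier talks to app tier only
    ("app", "db", 5432),            # only the app tier reaches the database
    ("mgmt", "web", 22),            # administration comes from a jump zone
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
    ("mgmt", "backup", 22),         # backups reachable only from mgmt
}

# Constructed sample flows: (src_zone, dst_zone, dst_port).
SAMPLE_FLOWS = [
    ("workstations", "web", 443),
    ("workstations", "db", 5432),
    ("web", "db", 5432),
    ("app", "db", 5432),
    ("workstations", "backup", 22),
]


def flat_rules(zones):
    """A flat network: every zone reaches every other zone on any port."""
    return {(s, d, "any") for s in zones for d in zones if s != d}


def is_allowed(rules, src, dst, port):
    """Return True if the flow is permitted by the policy."""
    if src == dst:                       # intra-zone traffic is not filtered
        return True
    return (src, dst, port) in rules or (src, dst, "any") in rules


def denied_flows(rules, flows):
    """Return the flows the policy would block."""
    return [f for f in flows if not is_allowed(rules, *f)]


def direct_reach(rules, src):
    """Zones reachable in a single hop from `src` (excluding `src` itself)."""
    return {d for (s, d, _port) in rules if s == src and d != src}


def blast_radius(rules, compromised):
    """Zones an attacker can reach transitively from `compromised`.

    Each hop assumes the attacker fully compromises a host in the zone just
    reached, so this is the worst case the policy permits, not a prediction.
    """
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in direct_reach(rules, cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED_RULES), ("flat", flat_rules(ZONES))):
        print(f"== {name} network ==")
        print("blocked flows:", denied_flows(rules, SAMPLE_FLOWS))
        radius = blast_radius(rules, "workstations")
        print("blast radius from a compromised workstation:", sorted(radius))
```

Under the segmented policy a compromised workstation reaches only the web tier directly, and even after successive hops through web and app it never reaches the backup or management zones; in the flat network the same compromise reaches every zone in one hop. That gap between the two blast radii is the number you put in front of leadership.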
I wrote recently about the security skills gap, and the need to grow your own security talent in order to survive and reduce your risk. That’s a process that takes time and a concerted effort to create. Another way to reduce your risk profile on the staffing side of things is to do some amount of outsourcing. While outsourcing has gotten a bad rap in many cases, Managed Security Service Providers (MSSPs) are effective for a reason.
If you’re going to outsource some of your security posture to an MSSP, you need a really solid plan for exactly what they’ll take on. Are you asking the service provider to take on all of your security monitoring and all of your network security? Are you asking them to take on Tier 1 triage only? Do you have precise documentation and an agreement between your organization and the MSSP as to what each of those constitutes, including what they escalate to you and how quickly?
Check MSSP references exhaustively. The only way to figure out if you’re getting your money’s worth and if you’re going to have a good experience is by checking those references.
From a vendor standpoint, you want to look for vendors who offer the most in terms of technical lift and services for whatever you’re paying them. Moving to a SaaS model is key here, and there are many reasons for it. A general reason is to get out of the data center business: why operate third party software yourself when the third party could just run it for you? Keep in mind that SaaS shifts the operational burden, not the accountability. Under the shared responsibility model, the identities, access controls, configuration and data you put into the service remain yours to secure.
True SaaS companies can take on a lot of the human activity for you, the specialized InfoSec human activity that’s hard to hire for because of the skills shortage. You can then spend your money wisely elsewhere, maybe on third party assessments, penetration testing, or other activities generally considered advanced and out of the reach of most small companies.
In summary, if you spend your money wisely by outsourcing as much of your tooling as you can, you can afford to do those advanced activities. You need to grow your own talent, and then find ways to improve your company’s risk profile by supporting the initiatives of the IT team. By maintaining a close relationship with IT and DevOps, you’ll support your own security initiatives too. That way, you’ll stay as far above the Security Poverty Line as you can.