Exploring the science and magic of Identity and Access Management
Thursday, April 19, 2018

Security and ROI?

Information Security
Author: Mark Dixon
Monday, April 16, 2018
9:49 am

Justifying investment in security technology is tough. Because the ROI of security controls is difficult to measure, many companies justify security investments in terms of risk reduction instead.

Recognizing this difficulty, Slavik Markovic, CEO of Demisto, proposes “10 best practices for bolstering security and increasing ROI.” He introduces the topic, in part, with this statement:

CISOs are being asked to provide proof that the money spent [on security] — or that they are asking to be spent — will lead to greater effectiveness, more efficient operations or better results.

Rather than proposing a specific ROI calculation method, Markovic recommends taking a more holistic approach to the problem. His recommended 10 best practices are:

  1. Articulate the purpose
  2. Dovetail with other projects
  3. Automate and orchestrate
  4. Create an integration plan
  5. IT and security synergy
  6. Leverage analytics
  7. Start small
  8. Go beyond compliance
  9. Shoot straight
  10. Measure and course-correct

I recommend that you read the commentary supporting each best practice.

Two of these recommendations entail leveraging technology to expand the expertise and capabilities of security professionals, rather than relying on just hiring more expensive staff:

3. Automate and orchestrate. Strive for security orchestration and process automation. The current threat landscape is vast, complex and constantly changing. Even a well-staffed security operations center cannot keep pace with the volume of alerts, especially with the ever-increasing number of duplicates and false positives. Use automation for threat hunting, investigations and other repetitive tasks that consume too much of analysts’ time.

6. Leverage analytics. Adopt advanced analytics. Machine learning and artificial intelligence are delivering truly innovative solutions. CISOs should research these two fields carefully to determine which analytics tools best fit their agencies, taking into account the organization’s strengths and weaknesses related to skills, personnel and risks.

I like the way Markovic looks broadly at how to justify security investment. Security, after all, touches almost every aspect of modern business, and is strategically vital to business success.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.