Security Strategy & Budgeting
Is cybersecurity as a service (CSaaS) a real solution for the IT talent shortage?

Top Answer : For the people I work with and the peers I'm talking to, the number one reason for them to outsource any security service is the lack of necessary skill sets. They're able to tool it right (when I say "tool it right," I mean to the existing skill set). There are people who are traditional networking folks or have moved away from endpoint protection, but they don't understand cloud. So you're actually seeing a big skills gap when you look at SaaS products, which you truly don't manage other than provisioning. You only have authorization and access. Everything else is done by somebody else. That's a different play.

Outsourcing Cybersecurity Tools and Processes

How many cybersecurity tools and processes are teams outsourcing in 2021?

What are organizations getting wrong when it comes to fighting back against ransomware?

Top Answer : No matter how security aware you are, no matter how smart you are, people are human and they make mistakes—that's an endemic problem in our industry. The other big pet peeve of mine is that all these companies invest so much in prevention and they forget about detection and response. It's 2021 and I just read a report a couple of weeks ago that the average time to discover a web vulnerability is over 200 days. That's appalling.

How does speed-to-market pressure affect security?

Top Answer : In a perfect world it shouldn't, since security would not be an afterthought, but rather a part of the day-to-day normal way of working. In a non-perfect world you might look to compartmentalise those "quick'n'dirty" agile deliveries that every IT team is asked to provide, and then secure and import them later once it has been proven that they will live long enough to warrant it.

Do increased security measures always mean higher costs?

Top Answer : I recently got into a discussion about how one of the biggest benefits of threat modeling is getting folks to proactively weed out vulnerabilities so they never exist in the first place. Think about this before you design this stuff—you’re not necessarily doing it as quickly as possible but if you think securely you won't have to remediate it later—that's going to save money.

Securing the Software Supply Chain

With high profile software supply chain attacks increasingly in the news, how are leaders protecting their organization from vulnerabilities?

How can organizations infuse security into the customer experience?

Top Answer : You have to actually use it internally as you're designing it so that you can see the experience. It will add a layer to the current process if you don't have any security—we all know how much security two-factor authentication (2FA) provides, but people hate it. And some people who just want to be ignorant about the security risks out there continue to believe that 2FA's annoying and they shouldn't have it. So how do you get that persona to listen to the benefits of security and yet make it easy enough for them so that they can use it on a daily basis? That's a challenge that every company is facing.

The way I have handled it is by trying to minimize the number of clicks and the number of times that people have to move from one app to the other—how often you have to look away and do other things in that workflow. Try to simplify the process, because there are simple ways of doing it. A lot of companies have solved for it, so you don't have to be a rocket scientist. There are a lot of use cases where it actually works, so replicate them, steal them and do it yourself. This is all about being efficient and being productive.

How should newly arrived CTOs approach organizational cybersecurity?

Top Answer : Sometimes you may find that the business already pays for the things you need, and all you have to do is enable it in the workflow. Most likely a lot of it will be education, so you need a campaign around that. There will probably be some unhappy campers if you're changing the current organizational structure, but they might be happier once those changes are made.

The mantra in security is "trust, but verify"—I say, "Don't trust, and reverify." I don't trust a single soul. I don't take past documentation as proof; they have to show me the system and let me pull the logs. Show me where you've got separation of duties and approvals. Show me your BIA, your BRP. Where do you do that? How do you do that? Who approves what? A screenshot of backup logs does not mean that you have a BRP plan, so don't trust, and reverify. We all remember SolarWinds and Microsoft. There isn't time for mistakes; we need to lock stuff down.

Then for all the various pieces involved, get everybody to the table and ask, "What were you all thinking?" For example, is Veracode the right piece? I'm not going to dictate it as a CTO. I'll say, "Here are our options: We could spend a lot of money here. We can do this or that. Where do we want to go?" But you still need to prioritize everything. I wouldn't add any more tools until I know that all of our existing platforms, processes, etc., are locked down.

How do you think Biden's executive order will be actioned?

Top Answer : When I read this executive order from a policy perspective, I think, "Who the hell is going to implement this?" And: What do you aim at? Do you aim at the biggest picture possible and work backwards, or do you aim at the bottom tier first? I believe you have to start with the middle ground: You work from the top down to figure out what you need and who will be looking at that data. In my world, a multi-dimensional matrix is the best way to do it.

I've been raising this flag about security in the electronics industry and all the industries it feeds for 3 years now, and I haven't seen much change. You can build a Zero Trust architecture, but that should start at RoadM and go through whatever filtration and rules gathering you do as an individual organization. Look at old technologies that are still useful, like Sniffers, Tumbleweed and RoadM in its current incarnation, which takes your data stream and partitions it into channels that you can then break down to get transparency at the packet level. I don't know how else you would approach this.

What can businesses do to prepare for the cybersecurity bills that recently passed through The House?

Top Answer : We're doing some reorganization to prepare for these changes. With so much overhead, you can't move at the speed that your developers and organization want. My data security monitor is helping me drive a threat modeling library right now so that I can advance. They need to test this stuff, so hopefully that will provide some empowerment.