Good information can’t be done on the cheap. It’s a hot market right now, driven by one of the most primal instincts: fear. It’s a button security vendors hardly even need to press, considering the rich and constant media coverage of bugs, hacks and vulnerabilities like Heartbleed that leave even large, well-protected enterprises bleeding money – and sometimes extremely sensitive data.
A buck well spent on security will go a very long way, but it’s about a lot more than throwing money at the problem. So it’s good to have some tips from people who’ve weighed the risks, the benefits, and the costs.
SC Magazine recently reported on a security spending study released by RSA. The security company asked chief information security officers (CISOs) at Global 1000 enterprises to share their thoughts on how to make the best possible investment in data security.
Eighteen CISOs shared their insights in “Transforming Information Security: Focusing on Strategic Technologies.” The report was authored by the Security for Business Innovation Council (SBIC).
First, the respondents said, companies should look out at least three years when planning their security investment strategy. Also, using technologies already in use, such as big data analytics, security intelligence platforms and governance, risk and compliance (GRC) management tools, can help security pros assess the big picture.
The report recommended that companies maximize current investments by formalizing deployment efforts so that they can estimate operational costs and build better capability, including security tool maintenance and monitoring.
Quizzed by reporter Danielle Walker, Amit Yoran, senior vice president of RSA, said that the three-year technology planning horizon idea could be a challenge, especially for CISOs who have risen through the ranks.
“They tend to get bogged down in the daily execution of tasks, since there’s so much crises going on,” he said. “There’s always a new exploit or escalation [issue] or problem to contend with.”
Yoran believes the report’s recommendations really come down to building a multifaceted security program.
“There is definitely a very strong, mutual dependence on the people, process and technology,” he said in describing successful security programs. “You definitely have to have a security program that can execute along all those dimensions.”
“We ought to make sure that our companies utilize technologies that optimize the process and enable our people.”