There are frameworks such as Factor Analysis of Information Risk (FAIR) for a quantitative model to manage risk, such as implemented at SAP and described in this recent article. This helps articulate security risks in financial terms and shows how security investments remediate those risks, so that security budgets can be optimized.
However, with budgets for 2023 generally smaller than expected, there is no time to put such a framework in place if it isn’t already. You may have only weeks to prioritize what security programs you can execute. Therefore, I’d like to share three key points of practical advice that you can apply in your planning in the coming weeks.
Cloud Transformation is an Imperative
The uncertainty in the economy and geopolitical climate is paired with ongoing digital and cloud transformation that is not going to stop and is becoming more critical than ever. Cloud transformation is challenging even in good economic times, and budgetary pressure makes it harder.
However, budget pressure is also an opportunity and an added incentive to accelerate this transformation rather than continue to execute on previous templates. The cloud brings new security challenges, but also capabilities to optimize and to benefit from economies of scale. Cloud transformation allows us to rethink how we do things.
Three Key Steps to Maximize Your Security Budget
Each organization is different, but the following three steps should help you determine what to focus on and how to maximize your current investments.
- Focus on the most critical items
- Operationalize current offerings
- Optimize processes
Focus on the most critical items
In security, we are often seduced by clever new threats, exploits, and tooling we see in the industry press and on social media. But we shouldn’t rate security programs by how cool they are but by how much they improve your overall security posture. Security investments should be commensurate with the business risk the organization faces and can mitigate. When budgets are tight, we must concentrate on what allows the business to operate and execute its existing security strategy.
- Assess risks by probability and impact
- Prioritize those that score high in both
- Review your secure software development lifecycle and secure operations first and foremost
Esoteric risks of low probability may be compelling thought exercises, but meeting compliance and regulatory requirements is almost certainly more important than protecting against sophisticated state actors.
The most common causes for security breaches in the public cloud are:
- Cloud infrastructure misconfigurations, such as public storage buckets, unintentionally internet-facing endpoints, etc.
- Known vulnerabilities in commercial or open-source software
- Credential and secrets leakage, whether through phishing, keys in source code, or otherwise
The priority, then, is to keep the doors locked, keep vulnerabilities under control, and keep secrets safe. We need to prevent these from happening in the development cycle as much as possible and detect and respond to findings in the deployed landscape. That is, we need to get the basics right first.
The basics include a good asset inventory and associated metadata, including who to contact for the asset should there be issues. This is a difficult challenge, even more so in the middle of cloud transformation, and it is valuable to assess the data quality regularly. An alert you know about but cannot direct to an owner is likely to remain unaddressed.
Operationalize what you already own
Research conducted earlier this year among RSA Conference attendees found that half of the respondents said they had wasted more than 50% of their security budget and were still unable to remediate threats; 43% said their number one challenge is an overabundance of tools.
The element that is often overlooked by security professionals is onboarding and operationalization. It is important that existing tools be integrated into detection and response processes, generating meaningful alerts that are distributed to those who can act on them quickly. Each data source added requires data integration and enrichment effort, so every additional tool producing alerts increases that workload.
Therefore, make an inventory of the security tooling you own and have deployed. If there are tools that are deployed but aren’t producing effective alerts, focus on operationalizing those before trying to plug a perceived gap with yet another solution. If there are multiple tools deployed with a similar function, consider centralizing on a single one.
Cloud transformation provides another opportunity. The Cloud-native Application Protection Platform (CNAPP) category includes solutions that cover a multitude of cloud security use cases with integrated risk-based alerting that could replace several existing security tools and simplify the data integration effort, as much of that will have already been done for you.
If there is no tool budget, consider open-source security software. There are many options available both for the development process and post-deployment scanning of production landscapes that may satisfy your requirements.
Finally, use the capabilities of the cloud providers. Cloud audit logs provide critical information and are free. They can be configured at the organizational level for all cloud accounts, greatly simplifying central collection and ingestion into your Security Information and Event Management (SIEM) solution. The providers’ APIs also allow you to implement preventive controls against misconfigurations. These are highly effective and cost-conscious security improvements.
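The misconfiguration the article lists first, a publicly readable storage bucket, is a good illustration of a check that is cheap to run against both infrastructure-as-code templates (preventive) and the deployed landscape (detective). The following is an added example, not code from the original article or any vendor’s tooling: it evaluates bucket policy documents written in the common JSON policy shape (Version / Statement / Effect / Principal / Action / Resource / Condition) and flags statements that grant access to anyone. The bucket names, the role ARN and the VPC endpoint id are constructed sample values.

```python
"""Flag storage buckets whose policy grants access to anyone.

Added example, not code from the original article. The policies are
constructed in the common JSON policy-document shape (Version / Statement /
Effect / Principal / Action / Resource / Condition); bucket names, the role
ARN and the VPC endpoint id are made-up sample values.
"""
import json


def _as_list(value):
    """Policy fields may be a single value or a list; always return a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Normalise the Principal field ("*" or {"AWS": [...]}) to a flat list."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(_as_list(v))
    return values


def is_public_statement(statement):
    """True for an Allow statement whose principal is the wildcard and that
    carries no Condition. A Condition (source VPC endpoint, source IP, ...)
    is treated as a narrowing control, so such statements are not flagged;
    Deny statements with a wildcard principal are common and harmless."""
    if statement.get("Effect") != "Allow":
        return False
    if statement.get("Condition"):
        return False
    return "*" in _principals(statement)


def public_buckets(inventory):
    """Return [(bucket, [actions granted to anyone]), ...] for every bucket
    whose policy contains at least one public statement."""
    findings = []
    for name, policy_json in inventory.items():
        policy = json.loads(policy_json)
        for st in _as_list(policy.get("Statement", [])):
            if is_public_statement(st):
                findings.append((name, _as_list(st.get("Action", []))))
    return findings


# Constructed sample inventory: bucket name -> policy document as stored.
SAMPLE_INVENTORY = {
    # Unintentionally public: anyone may read every object.
    "example-public-website": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-public-website/*",
        }],
    }),
    # Access limited to one named role: not public.
    "example-internal-reports": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-internal-reports/*",
        }],
    }),
    # Wildcard principal narrowed by a VPC endpoint condition: not flagged.
    "example-vpc-restricted": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-vpc-restricted/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}},
        }],
    }),
    # Deny-to-everyone statement (enforce TLS): harmless, must not be flagged.
    "example-tls-only": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-tls-only/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}

if __name__ == "__main__":
    for bucket, actions in public_buckets(SAMPLE_INVENTORY):
        print(f"PUBLIC: {bucket} grants {', '.join(actions)} to anyone")
```

The bucket policy is only one of the surfaces that can expose a bucket (object ACLs and account-level public-access settings are others), so a real control combines several such checks; the point of the example is that the same small rule can gate a pull request containing the template and scan the deployed accounts, which is the "prevent in development, detect in the landscape" split described above.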
Review and optimize your processes
Patching systems in already deployed landscapes is a high operational effort. Routing alerts to developer teams through alert tracking and remediation processes, so that issues are fixed in their code and redeployed through automation, is more efficient but still requires a lot of toil. Fixing vulnerabilities in the development cycle, before they are ever deployed, is the most efficient.
To “Shift Left” is not to put all the burden on the developer; the reality is that any remediation work ends up with developers, especially in a cloud-native development cycle. Therefore, catching security issues in development is in the self-interest of the developer team, since it reduces their overall workload.
A good security organization can support the developer and operational teams with central services such as security scanning, data enrichment and alerts distribution, tracking, and status reporting; or through base images and infrastructure-as-code templates that are compliant with security policies.
Automation of processes helps, but blind automation may not provide the greatest benefit. A more effective approach is to rethink and redesign processes to minimize the operational burden on security and developer teams. We can automate each alert into an incident ticket or pull request, but that only escalates the number of tickets the recipient teams need to process. By providing alerts in a machine-readable format, teams can integrate them directly into their own workflows, however they prefer to handle them.
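Two points above come together in practice: the asset inventory with owner and contact metadata from “Focus on the most critical items”, and the machine-readable alerts just described. The following is an added example, not code from the original article or any product: it joins scanner findings to an inventory, emits one JSON object per alert for teams to consume in their own workflows, sends findings that cannot be routed to a fallback queue instead of dropping them, and reports how complete the owner data is. The inventory, the findings and the field names (asset_id, owner_team, contact, severity) are all constructed for this example.

```python
"""Route findings to asset owners and report inventory data quality.

Added example, not code from the original article. The asset inventory and
the scanner findings below are constructed; the field names (asset_id,
owner_team, contact, severity, ...) are assumptions, not any product's schema.
"""
import json

# Constructed asset inventory, as a CMDB or cloud inventory export might hold it.
INVENTORY = [
    {"asset_id": "vm-web-01", "owner_team": "web-platform",
     "contact": "web-platform@example.com", "environment": "prod"},
    {"asset_id": "db-orders-02", "owner_team": "orders",
     "contact": "", "environment": "prod"},           # team known, no contact
    {"asset_id": "bucket-logs-03", "owner_team": "",
     "contact": "", "environment": "prod"},           # no owner at all
]

# Constructed findings from a scanner, keyed to assets by asset_id.
FINDINGS = [
    {"id": "F-1", "asset_id": "vm-web-01", "severity": "high",
     "title": "Outdated package with known vulnerability"},
    {"id": "F-2", "asset_id": "db-orders-02", "severity": "critical",
     "title": "Database port reachable from the internet"},
    {"id": "F-3", "asset_id": "bucket-logs-03", "severity": "medium",
     "title": "Bucket policy allows public read"},
    {"id": "F-4", "asset_id": "unknown-09", "severity": "high",
     "title": "Access key committed to source repository"},
]

FALLBACK_QUEUE = "security-triage"  # where unroutable findings land


def inventory_quality(inventory):
    """Fraction of assets with a complete owner record (team and contact)."""
    complete = sum(1 for a in inventory if a["owner_team"] and a["contact"])
    return complete / len(inventory) if inventory else 0.0


def route_findings(findings, inventory):
    """Attach owner metadata to each finding and group the resulting alerts
    by destination queue. A finding whose asset is missing from the
    inventory, or whose asset has no contact, goes to FALLBACK_QUEUE with a
    routing note explaining why, so it is never silently lost."""
    by_id = {a["asset_id"]: a for a in inventory}
    routed = {}
    for f in findings:
        asset = by_id.get(f["asset_id"])
        if asset and asset["owner_team"] and asset["contact"]:
            queue, note = asset["owner_team"], None
        elif asset:
            queue, note = FALLBACK_QUEUE, "asset has no owner contact"
        else:
            queue, note = FALLBACK_QUEUE, "asset not in inventory"
        alert = {
            "finding_id": f["id"],
            "asset_id": f["asset_id"],
            "severity": f["severity"],
            "title": f["title"],
            "owner_team": asset["owner_team"] if asset else None,
            "contact": asset["contact"] if asset else None,
            "environment": asset["environment"] if asset else None,
            "routing_note": note,
        }
        routed.setdefault(queue, []).append(alert)
    return routed


def to_jsonl(routed):
    """One JSON object per line (JSON Lines), each carrying its queue, so a
    ticketing webhook, chat bot or SIEM can consume it without parsing prose."""
    lines = []
    for queue, alerts in routed.items():
        for a in alerts:
            lines.append(json.dumps({"queue": queue, **a}, sort_keys=True))
    return "\n".join(lines)


if __name__ == "__main__":
    routed = route_findings(FINDINGS, INVENTORY)
    print(to_jsonl(routed))
    print(f"inventory completeness: {inventory_quality(INVENTORY):.0%}")
    print("unroutable findings:", len(routed.get(FALLBACK_QUEUE, [])))
```

Running this on the constructed data shows the practical consequence of poor inventory data: three of the four findings, including the critical one, end up in the fallback queue rather than with a team that can fix them, and the completeness figure (one asset in three) is the metric worth tracking over time.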
Good Communication is Key
Given the budgetary pressure, despite optimization attempts along these three key steps, there may be programs you just don’t have the budget for, even though they are important. Some programs may be easy choices to cut; others may be incredibly difficult to deprioritize without raising the risks the business is exposed to.
We owe it to the business to communicate the consequences of these choices. Document risks clearly in business terms, easily understood by generalists. Good communication with the business is critical for support as well as a mutual understanding of the remaining risks. Communication is often instrumental in rescuing a security program by showing how to raise the benefits of investments in key areas.
Useful Resources
The following security reports can prove useful during this optimization exercise:
Another useful tool is Sounil Yu’s Cyber Security Matrix, a framework to help you navigate the cybersecurity landscape.