Buying the latest and greatest, best-of-breed security solutions without employing a risk-based approach to security is not a sound strategy for an information security program. Without having a mapping between the capabilities of the new security tool (security control) and the risk faced by the organization, a return on investment (ROI) will rarely be achieved. Even worse, there is a strong possibility that the information technology (IT) risk will not be sufficiently addressed by implementing the new tool.
As part of the many risk assessments Sikich performs each year, we often find that organizations that have made significant investments in security tools either have only partially deployed the technology or haven’t deployed the technology at all. Many of the high-profile breaches of the last decade occurred despite early indications malicious activity in system and audit logs. This has contributed to an increase in investments into security information and event management (SIEM) solutions. Organizations that make sizable investments into SIEM technology oftentimes find that the tool is overly complex, or they don’t have the expertise to configure the technology in a manner that allows them to address risk as needed. In these scenarios, it’s likely that the organization evaluated the risk, but didn’t factor in the costs associated with operating and maintaining the control.
The threat landscape is different for every organization. Some organizations may reside in industries, or provide products or services, that make them high-value targets for malicious actors. Thus, they may need the advanced threat intelligence capabilities that a SIEM solution can provide. Other organizations may face compliance standards (e.g., the Payment Card Industry Data Security Standard (PCI DSS)) that dictate requirements related to daily log review. The Sikich risk assessment process is designed to help clients evaluate risk that is specific to their business and identify controls that are appropriate, cost-effective, and commensurate with the level of risk.
When deciding to make an IT investment in a new security solution, it’s critical first to identify risk appropriately and understand how the risk can negatively impact organizational assets. Then, through risk response, the organization can implement the correct, most cost-effective control based on its understanding of its business and the risks it faces.
If you have any questions regarding a risk-based security strategy or would like us to help with your business’s risk assessment process, contact us at any time.