Security and risk management leaders will always be tasked with simultaneously maintaining existing security projects and launching new ones. As such, it can be difficult to know what security projects to focus on and where to get the greatest ROI, writesBrian Reed, Senior Research Director, Gartner
Gartner has identified this top 10 security projects for organisations who have already adopted all basic security measures. Security and risk management leaders should aim to implement these 10 projects in order to address the ever-changing demands of cybersecurity and reduce risk.
Project 1: Privileged access management (PAM)
Privileged accounts (or administrative or highly empowered accounts) are magnets for cyberattackers. A PAM project will highlight the controls needed to protect these accounts, which should be prioritized according to level of risk. PAM projects should cover human and non-human system accounts and support a combination of on-premises, cloud, and hybrid environments, as well as APIs for automation.
It is unviable to expect security teams to handle a substantial amount of vulnerabilities – they are simply unable to patch everything. Therefore, SRMs should focus on a “continuous adaptive risk and trust management” (CARTA) approach to security, meaning security is adaptive everywhere and at all times.
For this, CISOs need to determine the business value of IT assets (as agreed upon by business stakeholders) and associated risks in order to emphasise the importance of focusing on those particular assets. In addition, organisations should have a clear understanding of network topology and any changes to IT infrastructure.
Project 3: Detection and response
While the perfect protection option doesn’t exist, CISOs should nevertheless consider detection and response projects. A few questions should be asked: how is data gathered and stored to support detection and response capabilities? Does the technology boast a range of detection and response features, or the ability to leverage indicators of compromise?
If an organisation already possesses an endpoint protection platform, it should view it as an option to provide endpoint detection and response. If considering a managed security services approach, businesses should think about a project that would provide information to a managed provider. Leaders must also thoroughly test any vendor claiming to have artificial intelligence (AI) or machine learning (ML) capabilities.
Project 4: Cloud access security broker (CASB)
For organisations that have already adopted multiple SaaS applications, CASBs provide a control point for visibility and management. This type of project can be justified by using a cloud application discovery to surface shadow IT. Leaders can assess whether their organisation has control and visibility of sensitive data used and shared by the SaaS applications, and determine what level of visibility and control is needed with each cloud-based service. Short-term contracts that focus on discovery and protection of sensitive data are advisable.
Practically all cloud attacks stem from customer misconfiguration, mismanagement, and mistakes. In order to mitigate cloud risks, CSPM processes and tools should be considered. If the enterprise only uses one IaaS platform, leaders need to determine if that provider has options for CPSMs. If not, they should ensure that the CSPM provider supports the multiple clouds in use by the organisation. Cloud-based CSPM options can make automated changes based on assessment findings. If the business is already using a CASB, market leaders already have well-developed CSPM options.
Project 6: Business email compromise
Business email compromise projects can help security and risk leaders deal with phishing attacks and poorly defined business processes. Such projects focus on technical controls in addition to process breakdowns specific to organisations. Tailored ML options can be integrated with existing email security systems, and leaders should seek out current email security providers to provide these controls, as well as to integrate the project with security awareness training and other endpoint protections.
Project 7: Dark data discovery
A dark data discovery should be the first step taken by leaders before undertaking data centre consolidation or cloud migration. Dark data is data that offers low-value, unknown risk. By reducing an organisation’s data footprint, leaders kill two birds with one stone: minimizing security risks and eliminating risk exposure to GDPR and similar regulations. Organisations should scrutinise data that sits across multiple silos (file shares, databases, big data, cloud repositories) and prioritise vendors offering wide data repository support for all systems where sensitive data is stored.
Project 8: Security incident report
Security incidents demand planning, preparedness, and timely responses. This project might focus on updating plans already in place or even reworking a response completely. Current levels of response, and where the plan has room for improvement, must both be taken into account. Leaders should consider an incident response retainer from a provider that offers the necessary flexibility to address proactive and reactive tasks.
Project 9: Container security
Developers are increasingly using Linux containers to push digital business capabilities through the development pipeline more quickly, but each of these containers must be screened for vulnerabilities and issues before being put into production. CISOs should bear in mind that security must integrate with common developer tools and the CI/CD pipeline and be used with comprehensive APIs to support a variety of security tools.
Leaders can begin by scanning for known vulnerabilities and configuration issues, and then extending that strategy to runtime production. More advanced solutions can build a detailed “bill of materials” for each container and compare that to what’s actually being used at runtime to recommend where libraries and code could be removed.
Project 10: Security rating services (SRS)
Security risks are increasing in direct proportion to the complexity of digital ecosystems. Security and risk leaders must consider suppliers, regulators, customers, business partners and platforms. Leverage security rating services to provide real-time, low-cost continuous and independent scoring for your overall digital ecosystem. This should only be used as a supplement — it is not comprehensive, but these services are crucial innovations. Evaluate multiple vendors against requirements and ensure that SRS is used as part of the selection criteria.