
Are new cybersecurity products the best investment for enterprises?

Having the latest cybersecurity products isn't always the best way to approach security. Expert Mike O. Villegas explains why and how to deal with pressure to buy new.

A recent report from Trustwave, the "2016 Security Pressures Report", found that IT managers feel pressured to buy new cybersecurity products even if they or their staff don't have the right skills to implement the technology. How can managers push back on this pressure? Or should they buy the new technology and get the training to implement it properly?

The 2016 Trustwave report found that 74% of the 1,400 IT/security professional respondents felt pressured to select the latest cybersecurity products, while 31% lacked the resources to properly adopt, deploy and use them. The survey does not say where the pressures are coming from or what new cybersecurity products are referred to, but it does state that the majority of respondents (54%) listed detection of vulnerabilities, malware, malicious activity or compromises as their most pressure-inducing security responsibilities.

Given the threats listed, the cybersecurity products in question appear to focus on SIEMs, FIMs, NGFWs, IPS/IDS, DLP, MDM, MFA and antivirus/antimalware software. These technologies continue to improve in scope, scalability, coverage and manageability, but the skills required to use them grow commensurately.

The pressure to use the latest cybersecurity products likely comes from upper management, industry best practices, emerging technologies and perceived risk levels. But before succumbing to these pressures, security professionals need to realistically look over their situation and do three things:

  • Perform a security risk assessment to identify mission-critical applications, sensitive and confidential data, the business impact if the technology is not available due to errors or breaches, threats to critical assets and applications, and the effectiveness of the design of controls over these assets;
  • Perform a skills inventory of the staff to determine whether the products being considered or already in place are properly used; and
  • Determine whether to focus on building internal capabilities or outsource to a managed service provider.

Asking how managers can push back on these pressures is the wrong question. It's better not to push back on pressures but to instead focus on planning, proposing, deploying and maintaining the most effective cybersecurity products.

  • Make security plans based on risk assessments, a skills inventory and whether security services are outsourced or kept in-house. Plans should also be based on a proven cybersecurity framework;
  • Propose the security plan to executive management for approval and funding;
  • Deploy the approved technology and information security program. This includes eliminating shelfware and upgrading to current tools; and
  • Maintain the program through security monitoring, updating to current patches, testing controls, staying compliant and remediating any issues. This includes building staff skill levels if the security program is kept in-house.

This is an iterative process. As the enterprise expands, protection levels may also grow. Security professionals should not allow pressures for new cybersecurity products to drive what they need and what they know is right for the enterprise.
