This blog was co-authored by Wade Woolwine, Principal Threat Intelligence Researcher, and Jake Godgart, Portfolio Marketing Manager for Rapid7 Managed Services
What keeps organizations from advancing their security programs?
It is certainly not lack of tools—there are at least five tools competing for every dollar in every niche of security these days. It could be a lack of talent and experienced staff, but you can buy those through services and managed security services. Is it a lack of funding? Possibly, but plenty of security budgets have actually grown over the past few years.
So, what’s holding organizations back?
In my time in the industry and specifically here at Rapid7, I’ve had the chance to partner with many technologists and leaders to build out our customers’ security programs. In my opinion, the biggest thing that prevents organizations from advancing security is a common language for establishing priorities for the security program and getting the investment to match the results business leaders expect. The folks in charge of the money can’t get the technologists to solve business problems, and the technologists can’t get the folks in charge of the money to buy them the things they need.
At Rapid7, we call this common language "security outcomes."
To solve this problem, Rapid7 is focused on enabling our customers to reach their desired outcomes—plain, simple, and (mostly) jargon-free descriptions of what the business is trying to achieve.
When we ask business executives what their security program needs to do for them, we typically hear these types of outcomes:
- Keep me and my company out of trouble (and the press)
- Minimize the financial impact to run and in case of emergencies
- Avoid disrupting business operations
On the flip side, the themes we hear from technologists when asked the same question include outcomes like:
- Prevent known threats from materializing without much work from me
- Allow me to focus on detecting threats and breaches without having to care for and feed too much technology
- Give me the tools to respond to and clean up threats and breaches quickly
- Allow me to improve my program over time through lessons learned
Wait a minute...
Preventing threats can help us keep the company out of trouble. Getting the right tools in place can help us minimize the impact when something happens. And if we enact an effective program, we should be able to decrease the risk of disrupting business.
While coming from two sides of the business, these two sets of themes have a lot in common! And finding this common ground is critical to gain buy-in from the other side of the table. The key is to propose each security investment as an input to the desired outcome. If done correctly, we can help bridge the gap.
Two major outcomes to focus on
Let’s examine the two major outcomes most teams focus on:
- Minimizing the financial and reputational impact to the business in the event of a breach.
- Maximizing business continuity and productivity while staying secure.
Let’s start by building out a taxonomy of outcomes that we can use to guide our security programs, starting with business outcomes:
| Initial Business Outcome | Blended Security Outcome |
|---|---|
| Keep me and my company out of trouble (and the press) | Prevent threats and breaches from causing material, financial, or reputational damage to the organization |
| Minimize the financial impact to run and in case of emergencies | Minimize operating costs to planned expenditures for the fiscal year |
| Not disrupt business operations | Keep business operations disruption to under one hour per security incident |
Great! Now, let’s turn to the technologist-driven outcomes:
| Initial Technologist Outcome | Blended Security Outcome |
|---|---|
| Prevent known threats from materializing without much work from me | Use technology to prevent known threats from materializing across the entire modern infrastructure |
| Allow me to focus on detecting threats and breaches without having to care for and feed too much technology | Use people and technology to detect unknown threats that materialize across the entire modern infrastructure within 10 minutes of events occurring |
| Give me the tools to respond to and clean up threats and breaches quickly | Use people, processes, and technology to respond to confirmed threats and breaches and remediate within an hour of confirmation |
| Allow me to improve my program over time through lessons learned | Make every breach and threat an opportunity to improve the security program. Prepare the security program to meet business outcomes on an annual basis. |
There are a bunch of outcomes here, but for us to connect both sides of the table, it’s necessary that we merge them into a unified vision for security outcomes:
Prevent threats and breaches from causing material or reputational damage to the organization
- Use technology to prevent known threats from materializing across the entire modern infrastructure
- Use people and technology to detect unknown threats that materialize across the entire modern infrastructure within 10 minutes of events occurring
- Make every breach and threat an opportunity to improve the security program
Minimize operating costs to planned expenditures for the fiscal year
- Prepare the security program to meet business outcomes on an annual basis
- Keep business operations disruption to under one hour per security incident
- Use people, processes, and technology to respond to confirmed threats and breaches and remediate within an hour of confirmation.
Digging in on an outcome
Okay, now we’re getting somewhere! But this is still too high-level for most technologists to really get behind it. Let’s narrow the focus to a single outcome.
How, exactly, are we preventing known threats from materializing across the entire modern infrastructure? It starts with visibility. We need to see assets, users, networks, and applications across the entire modern infrastructure. The outcome? Have 100% visibility into users, assets, networks, applications, and their associated logs.
Now that we can see everything, we need to define the acceptable attack surface we’re going to expose to enable business. The outcome? Create and maintain a catalog of all business-essential applications, services, and technologies used by the organization.
Now that we know what we’re using, we need to make sure there aren’t any vulnerabilities. The outcome? Create a vulnerability management program that resolves all critical and high vulnerabilities within 24 hours of identification.
Now that we’re keeping everything updated, let’s use technology to prevent threats that target the weaknesses we have accepted in our attack surface. The outcomes? Use endpoint antivirus across 100% of assets to automatically prevent known threats. Use an automated malware identification system to prevent known malware from being delivered via email and web browser. And, use a web proxy to prevent connections to known malicious or non-business-critical websites.
Now that we have mitigating controls deployed, we need to test how everything is working. The outcome? Perform quarterly penetration tests for 100% of the infrastructure.
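As an added example (not code from the post or from Rapid7), here is a small Python scorer that turns the measurable targets above into a report a technologist and a business leader can both read: critical and high vulnerabilities resolved within 24 hours, unknown threats detected within 10 minutes, and confirmed threats remediated within an hour. The asset names, incident names and timestamps are constructed; an item that is still open is judged against the current time, so it only counts as a miss once its window has actually expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Targets taken from the post's blended security outcomes.
VULN_SLA = timedelta(hours=24)      # critical/high vulnerabilities resolved within 24 hours
DETECT_SLA = timedelta(minutes=10)  # unknown threats detected within 10 minutes of the event
REMEDIATE_SLA = timedelta(hours=1)  # confirmed threats remediated within an hour of confirmation

@dataclass
class Vuln:
    asset: str
    severity: str                 # "critical", "high", "medium" or "low"
    found: datetime
    resolved: Optional[datetime]  # None means still open

@dataclass
class Incident:
    name: str
    first_event: datetime
    detected: datetime
    confirmed: datetime
    remediated: Optional[datetime]  # None means still open
def within(start: datetime, end: Optional[datetime], sla: timedelta, now: datetime) -> bool:
    """An open item is measured against 'now', so it only counts as a miss once its window has expired."""
    return (end or now) - start <= sla
def pct(results) -> float:
    hits = list(results)
    return round(100.0 * sum(hits) / len(hits), 1) if hits else 100.0
def outcome_report(vulns, incidents, now: datetime) -> dict:
    """Percent of items meeting each target; medium/low vulnerabilities are outside the 24-hour outcome."""
    scoped = [v for v in vulns if v.severity in ("critical", "high")]
    return {
        "vuln_24h_pct": pct(within(v.found, v.resolved, VULN_SLA, now) for v in scoped),
        "detect_10m_pct": pct(within(i.first_event, i.detected, DETECT_SLA, now) for i in incidents),
        "remediate_1h_pct": pct(within(i.confirmed, i.remediated, REMEDIATE_SLA, now) for i in incidents),
    }

# Constructed sample data: hypothetical assets and incidents, not taken from the post.
T0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=2)
SAMPLE_VULNS = [
    Vuln("web-01", "critical", T0, T0 + timedelta(hours=6)),  # resolved in 6h: met
    Vuln("db-02", "high", T0, None),                          # still open after 48h: missed
    Vuln("hr-03", "medium", T0, None),                        # open, but out of scope
]
SAMPLE_INCIDENTS = [  # (name, first event, detected, confirmed, remediated)
    Incident("phish-1", T0, T0 + timedelta(minutes=4), T0 + timedelta(minutes=30), T0 + timedelta(minutes=80)),
    Incident("malware-2", T0, T0 + timedelta(minutes=25), T0 + timedelta(minutes=40), T0 + timedelta(minutes=85)),
]
```

Running `outcome_report(SAMPLE_VULNS, SAMPLE_INCIDENTS, NOW)` gives the percentage of in-scope items that met each target, which is the number to put next to each outcome in the budget conversation.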
From here, we just need to extrapolate the business outcomes into projects and accomplishments that the technologists can achieve across the various areas and be very clear with our business leaders on how much it’s going to cost from a products, people, and services perspective.
With all of that completed, your organization should be well on its way to taking on security initiatives that everyone in the business is on board with, regardless of their role.