Might it be true to say that the world of cybersecurity is evolving faster than any other industry right now? Probably not, but it’s certainly up there. Cybersecurity is achieving a level of maturation that we have not seen before, which is leading to many organizations implementing several security solutions in an attempt to become “secure”.
Companies that change quickly and go through many different applications, solutions and processes often require rationalization to ensure that they are still operating efficiently and effectively. However, this concept of rationalization has not quite yet made its way into the mindset of IT security teams when they think about security solutions and processes.
When to Start Security Rationalization
Most companies will start their security rationalization when they deploy a new tool or solution. They look at their organization and see what they can get out of the new solution and what current changes need to be made within the organization to get the most from it. Whilst this is obviously an important part of rationalization, I would argue that it doesn’t go far enough.
Security rationalization should be an ongoing process that takes place regularly to ensure that the effectiveness of security across all solutions, tools, processes and people is up to scratch. In addition to that, rationalization should include being able to look into the future and make determinations on likely requirements for hiring, training and additional solutions. All whilst being able to back your findings with qualitative and quantitative evidence.
If this sounds like a full-time job in and of itself, then I agree with you, and you should go and look for a VP of Security Rationalization to take over the mantle.
Four Steps to Better Security Rationalization
It’s one thing to know that security rationalization is critical to maintaining a secure environment; it’s another thing entirely to know where to start. We’ve chatted to a few CISOs who currently do the rationalization themselves or employ a VP of Security Rationalization, and their advice essentially boils down to the following four steps:
Know What You’re Trying to Achieve
If you know what your goal is when you start the rationalization project, it’ll be far easier to work backwards towards it. You need to have a clear idea of what you want your cybersecurity posture to look like at the end of the process. For example, you may want to get to the point where a data breach can be detected and mitigated within seconds. If that’s the objective you want to work towards, then you will need to start looking for solutions and putting in place practices that make this a more attainable goal. On an ongoing basis, you will need to test those solutions and processes to see how close to the original goal you are.
Don’t Be Afraid to be Wrong
Very few companies are fully mature when it comes to cybersecurity. Most organizations know they have areas of weakness or have made mistakes in the past. The key is to face these mistakes head on. Do not avoid them.
For example, if you have bought a cybersecurity solution under the premise that it will help you protect your sensitive data, but you are starting to believe that you are not using it to its full potential, then a change needs to be made for you to get the most out of that purchase. Similarly, if you are looking at your cybersecurity posture and you notice that you simply cannot see who has access to what data or what your users are doing with your data, then you need to admit that you are lacking in security.
Running a gap analysis and regular risk assessments can be a good way to see how your current security posture stacks up against modern threats.
Act on Your Findings
If you are running regular risk assessments and you have your goals laid out in front of you, the chances are you are going to find something that needs fixing or looking into. Once you have identified this, you need to take urgent steps to address it.
How you address the problem is completely up to you. You could keep it all internal with your security team and use the tools already at your disposal, or you could hire external teams and implement third-party solutions. The route you go down will depend entirely on your environment and your goals.
If you’re still unsure where to start, come and take a free data security risk assessment with Lepide. We’ll highlight your biggest areas of risk to data security and give you some practical advice on how to address them. Get in touch!