EXPERT OPINION
• Each security tool should align to a significant risk in the security framework. In other words, the framework drives the need for the tool, not vice versa.
• Each security tool implemented should reduce risk to the company, be able to measure the reduction in risk and be capable of sustaining that reduction. This usually means the tool must be combined with processes and other tools to provide an end-to-end process that manages a particular security risk.

"While we have a plethora of tools to identify many security risks, we have few that reduce the risks and sustain that reduction."
How to approach consolidation – security framework

By developing a security framework based on NIST or some other standard and then selecting a set of security controls around each category of security, a comprehensive view of your security landscape can be developed. From that view, we can take each significant area of security and begin to develop systems and processes that achieve those controls.

Here’s an example: let’s take the area of system vulnerability management. We shouldn’t start picking our tool to scan our systems until we understand all of the controls that manage the process to patch our systems on a timely and complete basis. We should only select the appropriate tool(s) once we understand what it must achieve. This example continues in the next section.

How to approach consolidation – sustainable risk reduction

Only after developing these processes do we begin to select tools that help implement and control the processes. Each tool should fulfil a specific need in the security controls framework.

The ultimate objective of having security systems is to lower the risk of an event occurring that negatively impacts the company (e.g. financial, reputational or regulatory risk). It’s important that we keep this in mind when designing processes and selecting security tools. As we implement security processes and tools, we need to ensure that the end solution:
• Covers the entire intended landscape across the company. For example, if we are only scanning 70% of the environment for system vulnerabilities, we may not be adequately reducing risk to the company.
• Provides sufficient information to act. For example, if we select a system vulnerability scanner and it provides great detail on the vulnerability and inherent risk but does not provide context to the importance to the company or context as to the owner of the system, then the tool/system is not providing sufficient information to reduce the risk sufficiently.
• Lastly, it sustains the control, meaning it should automate the control and monitoring processes. Otherwise, the risk will grow again after expending efforts and monies to remediate.

"The vast majority of companies don’t know their security posture, or where their most significant risks are on a day-to-day basis."
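The three requirements above (coverage of the whole landscape, enough context to act, and a control that sustains itself), together with the earlier point that a tool must be able to measure the risk reduction it delivers, can be turned into a repeatable check. The following Python script is an added example, not code from the article or from any product it mentions: it joins constructed scanner output to a constructed asset inventory, reports plain and criticality-weighted coverage, lists the unscanned assets, and flags findings that have no owner to route them to. The host names, the 1-to-5 criticality rating, the cvss × criticality priority scheme and the 95% coverage target are all assumptions made for the illustration.

```python
# Added example (not the article's own code): measuring whether a vulnerability
# scanning feed covers the intended landscape and carries enough business
# context to act on. All inventory and scanner data below is constructed.
from typing import Dict, List, Set

# Constructed asset inventory, i.e. the "intended landscape". criticality is a
# hypothetical 1 (low) to 5 (high) business-importance rating; owner is the
# accountable team and may be missing for poorly tracked assets.
ASSETS: Dict[str, dict] = {
    "web-01": {"owner": "ecommerce", "criticality": 5},
    "web-02": {"owner": "ecommerce", "criticality": 5},
    "db-01": {"owner": "data-platform", "criticality": 5},
    "hr-01": {"owner": "hr-apps", "criticality": 3},
    "lab-07": {"owner": None, "criticality": 1},
}

# Constructed scanner output: the hosts the scanner actually reached, and the
# findings it raised. A scanner knows nothing about owners or business
# importance, so that context has to be joined in from the inventory.
SCANNED_HOSTS: Set[str] = {"web-01", "db-01", "lab-07"}
FINDINGS: List[dict] = [
    {"host": "web-01", "title": "missing OS patch", "cvss": 9.8},
    {"host": "web-01", "title": "outdated TLS library", "cvss": 7.5},
    {"host": "db-01", "title": "weak default configuration", "cvss": 6.5},
    {"host": "lab-07", "title": "missing OS patch", "cvss": 9.8},
]


def coverage(assets: Dict[str, dict], scanned: Set[str]) -> float:
    """Fraction of inventoried assets the scanner reached (0.0 to 1.0)."""
    if not assets:
        return 0.0
    return len(scanned & set(assets)) / len(assets)


def weighted_coverage(assets: Dict[str, dict], scanned: Set[str]) -> float:
    """Coverage weighted by criticality, so a missed crown-jewel host counts
    for more than a missed lab box."""
    total = sum(a["criticality"] for a in assets.values())
    if total == 0:
        return 0.0
    reached = sum(a["criticality"] for h, a in assets.items() if h in scanned)
    return reached / total


def unscanned_assets(assets: Dict[str, dict], scanned: Set[str]) -> List[str]:
    """Assets the scanner never reached, most critical first. These are the
    gaps that keep the control from covering the whole landscape."""
    missing = [h for h in assets if h not in scanned]
    return sorted(missing, key=lambda h: (-assets[h]["criticality"], h))


def enrich(findings: List[dict], assets: Dict[str, dict]) -> List[dict]:
    """Join each raw finding with owner and criticality and derive a
    business-weighted priority (cvss * criticality, a hypothetical scheme).
    A finding on an asset with no owner is marked not actionable: nobody can
    be asked to fix it, so the tool has not yet given enough information."""
    out = []
    for f in findings:
        asset = assets.get(f["host"], {"owner": None, "criticality": 0})
        out.append({
            **f,
            "owner": asset["owner"],
            "criticality": asset["criticality"],
            "priority": round(f["cvss"] * asset["criticality"], 1),
            "actionable": asset["owner"] is not None,
        })
    return sorted(out, key=lambda r: -r["priority"])


def control_status(assets: Dict[str, dict], scanned: Set[str],
                   findings: List[dict], target: float = 0.95) -> dict:
    """One run of the sustaining check. Run it on every scan cycle and alert
    when coverage drops below target or unowned findings appear, so the
    measurement itself is what keeps the control from decaying."""
    enriched = enrich(findings, assets)
    cov = coverage(assets, scanned)
    return {
        "coverage": round(cov, 3),
        "weighted_coverage": round(weighted_coverage(assets, scanned), 3),
        "coverage_ok": cov >= target,
        "unscanned": unscanned_assets(assets, scanned),
        "unowned_findings": [r["host"] for r in enriched if not r["actionable"]],
        "top_finding": enriched[0]["host"] if enriched else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(control_status(ASSETS, SCANNED_HOSTS, FINDINGS), indent=2))
```

On the constructed data the check reports 60% plain coverage but only about 58% criticality-weighted coverage, because the two missed hosts include a criticality-5 web server; it ranks the web-01 missing patch first, and it flags the lab-07 finding as having no owner. The point of the weighted figure is that "70% of the environment" (the article's own example) says little until you know which 30% is missing.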
To further refine the approach to tools rationalisation for security, we also need to introduce the risk element. Not all systems and tools provide the same level of risk reduction for the company. By focusing on those security
Issue 05 | www.intelligentciso.com