One of the most common questions a high-level security, risk or compliance officer gets asked is: “What makes you sleep at night?” The answer varies by individual, but usually includes: knowing that important data is safe, having a defense-in-depth strategy for security (both preventative and detective), and understanding what my risks are.
This week we had the honor of hosting various Tripwire customers for our annual sales kick-off meeting, where they talked about their security priorities, what they do to mitigate risk and how they develop a comprehensive security strategy.
Here are a few common elements that I thought were of particular interest:
Visibility is essential to make appropriate risk-based decisions. Every security practitioner was in agreement that without visibility into their IT environment they cannot make intelligent decisions about how best to protect it, or detect incidents before they cause damage. The first step is to achieve a high level of security (one that would also meet compliance requirements) and then continuously monitor for deviations from this secure, “steady” state.
Predictability allows them to be more proactive in their security approach. Having a solid configuration baseline is key because it provides predictability and allows them to manage risk, make security sustainable and be preemptive instead of having to chase security.
Optimization was key for security managers who are constantly under pressure. They prefer to work with security solutions that allow them to automate tasks and fit into their existing processes in order to create a controlled, efficient and enabled security state. Another desire was to consolidate security tools so that they have a single pane of glass to understand what’s happening in their IT infrastructure. Speed was a core capability for them — speed of detecting, remediating, understanding and delivering.
Business Alignment allows them to turn IT security data into relevant information that the business can understand. This was so important to them that one of the customers has a Business Alignment team that sits between IT and the business. On this particular topic, they’re working with solutions that give them the intelligence to connect all security information and abstract out what is relevant. Basically, they translate all the technical gobbledygook into terms that the business understands, which includes looking at risk profiles so that the business can assess how much risk it is comfortable taking on. This level of intelligence helps the security or risk officer obtain budget for their initiatives. More on this topic in our post about Infosec Dashboards and the Business.
Although I cannot disclose their names, most of the speakers were heads of security teams for global organizations in technology and financial services. If you’re interested in finding out how we’ve helped other organizations, we have many customer success stories.
In security, there is no “one size fits all”, but these are some of the topics that they’ve had in common. What other capabilities do you find are necessary for you to do your job well?