Have you discovered a security gap? Have you found a possible solution? Have you received funding for it?
If you answered 'yes' to all of the above, you're half way to successfully implementing a new control. Here are some other (often overlooked) actions you should consider to ensure the success of your project:
1. Be sure the solution solves your problems.
Create use cases (and actually test them) by brainstorming
different attack vectors. It is really disheartening to deploy a control and find out it can be bypassed by the simplest of actions.
2. Be sure the security problem you are solving justifies the effort necessary to implement and run it.
If you cannot show that the reduction of security risk to the organization is greater than the operational risk being introduced then you should rethink the solution.
3. Include the people who will be implementing and managing the system from the earliest stages.
You're going to be causing more work and pain for IT, if they're not on board, making it a long and difficult process. You may get your implementation, but there’s a reasonable chance the same solution may be a dusty, unmaintained relic at the end of 12 months.
4. Be sure your deployment timeline is realistic.
If you haven't done number three, you are going to be badly surprised.
5. Be sure your testing is realistic.
Again, if you have not done number 3, chances are your testing needs some more thought. Involving the team that will implement and manage the system will uncover network issues, legacy systems, agent collision or other operational and management issues.
6. Consider what makes sense in both the short term and the long term.
Do you need to meet a compliance requirement in the next two months or do you want to invest in a control that will provide you with security capabilities for years to come?
7. Be sure your choice suits your environment in terms of network architecture, network capability, system stability, etc.
Again, if you have not done number three, chances are you’ve missed some things that may turn out to be deal breakers.
8. Finally, be sure the solution you’ve selected is the best fit for your organization as a whole.
It is easy to just think in terms of security or in terms of the vendor promises. However, as a security professional, you have a duty to your company to do the best thing for it from all perspectives.
These tips will help you make sure that you have tested
your prospective solution properly and involved everyone who will be part of the implementation and operation of the solution. By following these extra steps, not only will you improve the chances that your selection is the right one but also that the implementation will be a success.
Title image courtesy of ShutterStockIn case you missed it...
The Agent vs Agentless Debate – Part 1: The Security Side
The Agent vs Agentless Debate – Part 2: The Operations Side
