Beyond advanced security analytics, user behavioral analytics, secure Web gateways, firewalls and other security tools, there is still more to think about when it comes to next-generation security architecture. Johna Till Johnson, CEO at Nemertes Research, concludes her SearchCIO webcast with a nod to the cloud, the Internet of Things (IoT) and application development. Read through the transcript below for those additional next-generation security architecture tips and the webcast's conclusions.
What else do you need to think about other than everything that we just provided you with here? Well, I mentioned cloud security, particularly visibility and monitoring and application development. You should really look at CloudSecurityAlliance.org, if you haven't done that. [Look at] application security, in general, specifically so that you can actually look at how applications are protected.
And IoT and physical network security. There are a couple of companies that are coming out and talking about that, but not very many yet. That's still a very highly emerging market. ... I don't want to say [the technologies are] immature, because a lot of the companies that are developing them have developed very strong technologies, but it really hasn't coalesced into an ecosystem of tools that you can use to protect your IoT out of the box.
So, if, as is likely, you're an organization that is either using the cloud, developing applications or planning on rolling out IoT, you really want to think about security from the get-go for each of these three initiatives. Very, very important to do. And you can use this architecture to think about how you're going after this, with the exception of application security, which requires its own architecture. That was a mouthful. So, big takeaway here: Don't forget cloud, don't forget app sec and don't forget IoT.
So, what should you do? The first thing is if you haven't revisited your security architecture in two years or more, now would be an excellent time to do it. The chances are very high that you've got an obsolete, out-of-date architecture, and now is an excellent time to review it.
You want to prepare to invest. I haven't talked about investment here because this talk has been about technology, but recognize that security is expensive. And think in terms of assessing your expenditures as a percentage of your risk avoidance, not as a percentage of your IT budget.
In other words, what's it worth to you if you get hacked? What's the reputational damage? What's the actual physical damage? What's the economic damage to you? And think about what you would pay to avoid that amount of economic damage -- not, 'Hey, my IT department got $10 million this year, so some fraction of that goes to security.' You really want to think about this in this holistic risk way.
And finally, you need budget line items for new categories of products. Products that you probably didn't include line items for before, you will want to include now. UBA [user behavioral analytics], TRC nets [threat, risk and compliance networks] -- to the extent that vendors start charging for them, which I believe they will -- you're really going to want to budget for them.
And last, but not least, you really want to put together a detailed roadmap and strategy to guide that investment over the next three years. We've given you the high-level view of that. You really need to move to the next level and start thinking about what you're going to be doing next week, next month, next year, in a logical fashion so that you're putting stuff in place that you can use exactly when you're ready for it, and you're not putting things in place that you're not yet mature enough operationally to handle. That's something we help our clients do all the time, and we strongly recommend that you do this.