This content is part of the Essential Guide: An IT security strategy guide for CIOs

Ways to craft a better enterprise IT security roadmap

Johna Till Johnson doesn't take next-generation security lightly -- especially as the list of security threats grows longer and longer. As CEO at Nemertes Research, a research-advisory firm analyzing and quantifying the business value of emerging technologies, Johnson and her team spend a lot of time thinking about the functional enterprise IT security roadmap and why concepts like "protecting the perimeter" don't work.

To break it down, Johnson put together five initial steps for enterprise clients:

  • Step One: Identify and classify resources
  • Step Two: Protect access to resources
  • Step Three: Detect threats and attacks
  • Step Four: Respond to threats and attacks
  • Step Five: Enhance analytics

In part one of this webcast, Johnson gives an overview of why CIOs and IT departments should start thinking about next-generation security. In part two, she expands on one key concept: developing the enterprise IT security roadmap. Watch this snippet of her webcast presentation and read the full transcript below.

Step One: Identify IT security roadmap resources

The first step is to identify and classify your resources. Most people have done half of that, not all of that. In other words, they may do a pretty good job classifying and identifying physical resources, things like laptops and [hardware] servers, but they tend not to have a good system for classifying resources, for example, virtualized resources like workloads, and also things like licenses and intangible assets.

One of the things you really want to do is [ask], "What is it that we need to protect?" That can be anything from intellectual property (i.e., blueprints of the next-generation airplane that you're designing) to licensing information, to information about your customers that's above and beyond PCI information. Information itself becomes an asset that you want to protect.


If you look at that long line of "identify and classify resources," you can start with the easy stuff: the physical resources. [For example], any hardware servers you've got left, storage, switches, routers, desktop machines, laptops, mobile devices. Move along that [list] as time goes on, [and then] look more and more at the virtual resources that you've got. Think about how the systems you've put in place are automatically refreshing themselves as that inventory of resources changes.

And the word "automatically" really matters, because as you move from the physical to the virtual world, all of the old technologies don't work anymore. You can't have a spreadsheet containing virtual machines. That's a ridiculous concept. You could, in theory, have a spreadsheet containing all of the physical servers in an enterprise organization, but that's now obsolete. So you have to think about an automated set of tools for tracking and classifying those resources.
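The paragraph above argues that a spreadsheet cannot keep up with virtual resources and that the inventory has to refresh itself automatically. As an added illustration (not code from the webcast, Johnson or Nemertes Research), the script below reconciles a classified inventory of record against a live snapshot of workloads and reports what a spreadsheet would silently miss: workloads that appeared overnight, entries that no longer exist, workloads nobody has classified, a workload whose tags now imply a higher classification than recorded, and expired licenses (the intangible asset the transcript mentions). The inventory, the snapshot, the tag names and the "as of" date are all constructed; the snapshot field names are hypothetical, not any real hypervisor or cloud API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                     # "physical", "virtual" or "license"
    classification: str           # "confidential", "internal" or "unclassified"
    owner: str = "unknown"
    expires: Optional[date] = None  # only meaningful for licenses


# Constructed inventory of record: what the CMDB (or the spreadsheet) believes exists.
INVENTORY_OF_RECORD: Dict[str, Asset] = {a.asset_id: a for a in [
    Asset("srv-db-01", "physical", "confidential", "dba-team"),
    Asset("vm-web-07", "virtual", "internal", "web-team"),
    Asset("vm-batch-02", "virtual", "internal", "finance"),
    Asset("lic-erp-2019", "license", "internal", "finance", date(2023, 12, 31)),
]}

# Constructed live snapshot in the shape a hypervisor or cloud API *might* return
# (hypothetical field names). Note what has changed since the record was written.
LIVE_SNAPSHOT: List[dict] = [
    {"id": "vm-web-07", "tags": {"owner": "web-team", "data": "pci"}},   # now handles card data
    {"id": "vm-web-08", "tags": {"owner": "web-team", "data": "public"}}, # auto-scaled last night
    {"id": "vm-pay-01", "tags": {"owner": "payments", "data": "pci"}},    # never recorded anywhere
    {"id": "vm-temp-99", "tags": {}},                                      # nobody knows what this is
]

SENSITIVE_DATA_TAGS = {"pci", "phi", "secret"}   # constructed tag vocabulary
AS_OF = date(2024, 3, 1)                          # constructed "today" for the license check


def classify_from_tags(tags: dict) -> str:
    """Derive a classification from workload tags. Anything the rule cannot decide
    is left 'unclassified' so that a person has to look at it, rather than
    defaulting it to something harmless."""
    data = tags.get("data")
    if data in SENSITIVE_DATA_TAGS:
        return "confidential"
    if data in {"public", "internal"}:
        return "internal"
    return "unclassified"


def reconcile(record: Dict[str, Asset], snapshot: List[dict], today: date) -> Dict[str, list]:
    """Compare the live snapshot with the inventory of record and return the drift."""
    report = {"new": [], "missing": [], "unclassified": [], "reclassified": [], "expired": []}
    seen = set()
    for item in snapshot:
        asset_id = item["id"]
        seen.add(asset_id)
        derived = classify_from_tags(item.get("tags", {}))
        known = record.get(asset_id)
        if known is None:
            # A workload the record has never heard of: it cannot be protected if it is not known.
            report["new"].append(asset_id)
            if derived == "unclassified":
                report["unclassified"].append(asset_id)
        elif derived != "unclassified" and derived != known.classification:
            # The record is stale: the workload's tags now imply a different classification.
            report["reclassified"].append((asset_id, known.classification, derived))
    for asset_id, asset in record.items():
        if asset.kind == "virtual" and asset_id not in seen:
            report["missing"].append(asset_id)   # recorded but gone; the record is lying
        if asset.expires is not None and asset.expires < today:
            report["expired"].append(asset_id)   # intangible asset that has lapsed
    return report


def run_report() -> Dict[str, list]:
    """Reconcile the constructed inputs as of the constructed date."""
    return reconcile(INVENTORY_OF_RECORD, LIVE_SNAPSHOT, AS_OF)


if __name__ == "__main__":
    for category, items in run_report().items():
        print(f"{category:13s} {items}")
```

In practice the snapshot would be pulled on a schedule from the platform's own inventory API and the report fed into the classification workflow; the point of the exercise is that every category above is invisible to a hand-maintained list until someone happens to notice.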

Step Two: Protect resource access

Then you protect the access to those resources. And that's a lot of your traditional security equipment, things like firewalls, things like secure Web gateways, and we'll talk about how the technology layers into this in the next slide.

Again, start with the easy stuff at one end, and move to the harder stuff at the other end later. So if you don't have firewalls in place, shame on you; put them there. If you don't have antimalware in place, shame on you; put it there. But most companies have at least the baseline.

Step Three: Detect threats and attacks

You need to be able to detect those threats and attacks. And detecting a threat, a vulnerability and an attack are three separate things, and that's important to understand. Lots of companies sell you vulnerability detection. Vulnerability detection is basically like telling you which doors you have unlocked. Attack detection is telling you when the burglar is coming through your door. And threat detection is, "Hey, the burglar has been seen on your street with a big bag of loot and he's heading for your house."

So those are three separate things and, ideally, you want to know all three things. And that distinction is important because sometimes people say, "Well, I do vulnerability scanning so I'm covered." No, that just tells you which doors are unlocked. Maybe the burglars are getting smart enough to come in through the chimney.
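To make the three distinctions concrete, here is an added example (not code from the webcast, Johnson or Nemertes Research) that runs the same three checks over constructed data: a vulnerability finding is a configuration that differs from a hardening baseline (an unlocked door), an attack is a burst of failed logins from one source (someone at the door), and a threat is a source already known from a threat-intelligence feed appearing in the logs at all, even on a successful login (the burglar seen on the street). The scan rows, baseline, log lines, threshold and intelligence feed are all constructed; the addresses come from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed vulnerability scan output: one row per configuration check per host.
SCAN_RESULTS = [
    {"host": "web-08", "check": "PermitRootLogin", "value": "yes"},
    {"host": "web-08", "check": "tls_min_version", "value": "1.2"},
    {"host": "db-01", "check": "PermitRootLogin", "value": "no"},
]
# Constructed hardening baseline: the value each check is expected to have.
HARDENING_BASELINE = {"PermitRootLogin": "no", "tls_min_version": "1.2"}

# Constructed sshd-style authentication log lines.
AUTH_LOG = [
    "Mar 01 02:10:01 web-08 sshd[912]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar 01 02:10:03 web-08 sshd[912]: Failed password for root from 203.0.113.9 port 51023 ssh2",
    "Mar 01 02:10:05 web-08 sshd[913]: Failed password for root from 203.0.113.9 port 51024 ssh2",
    "Mar 01 02:10:07 web-08 sshd[913]: Failed password for root from 203.0.113.9 port 51025 ssh2",
    "Mar 01 02:11:40 web-08 sshd[920]: Failed password for admin from 192.0.2.15 port 40011 ssh2",
    "Mar 01 02:12:12 db-01 sshd[301]: Accepted publickey for deploy from 198.51.100.7 port 60100 ssh2",
]

# Constructed threat-intelligence feed: sources seen attacking elsewhere, with a description.
THREAT_FEED = {"198.51.100.7": "credential-stuffing botnet (constructed entry)"}

LOGIN_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def find_vulnerabilities(scan: List[dict], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Vulnerability detection: which doors are unlocked, i.e. which checks deviate from baseline."""
    return [
        (row["host"], row["check"], row["value"])
        for row in scan
        if row["check"] in baseline and row["value"] != baseline[row["check"]]
    ]


def detect_attacks(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Attack detection: a source that has failed to log in at least `threshold` times
    is treated as trying the door. Returns {source_ip: failure_count} for those sources."""
    failures: Counter = Counter()
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group("outcome") == "Failed":
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def detect_threats(log_lines: List[str], feed: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Threat detection: any appearance of a source the feed already knows about,
    regardless of outcome. A known-bad source that logged in *successfully* is the
    chimney case: no scan finding, no failed-login burst, but a real problem."""
    hits = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group("ip") in feed:
            hits.append((m.group("ip"), m.group("user"), m.group("outcome"), feed[m.group("ip")]))
    return hits


def triage() -> Dict[str, object]:
    """Run all three checks over the constructed inputs."""
    return {
        "vulnerabilities": find_vulnerabilities(SCAN_RESULTS, HARDENING_BASELINE),
        "attacks": detect_attacks(AUTH_LOG),
        "threats": detect_threats(AUTH_LOG, THREAT_FEED),
    }


if __name__ == "__main__":
    for category, findings in triage().items():
        print(f"{category:15s} {findings}")
```

Run against the constructed data, the scan reports the open root login on web-08, the attack check reports the four failed root logins from 203.0.113.9 against that same unlocked door, and the threat check reports something neither of the other two can see: a known-bad source that walked into db-01 with a valid key. Each check answers a different question, which is why "I do vulnerability scanning" does not cover the other two.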

Step Four: Respond to threats and attacks

You need to be able to respond to these threats and attacks. In other words, as something's happening, you need to take proactive action.

Step Five: Enhance analytics

And, of course, you need the analytics to figure out not just ideally what has happened, but also what's going to happen next. And the word that's missing here is "predictive." But as you'll see as we go through the product categories, predictive analytics become very, very important because they tell you where to beef up your protection.

Enterprise IT security roadmap overview

All of this needs to be considered in light of your overall risk posture. And what we mean by that is information security risk is not a separate and distinct category of risk from, say, economic risk. Information security risk can actually contribute to economic risk. You need to really think in terms of, "What is the risk posed by not properly identifying and classifying resources?"

And think about that as how it fits into the broader picture of risk. It may not be an infosec risk. For example, not being aware that you have expired licenses may expose you to legal risk because the company that licensed you is going to come after you because you're using unlicensed software. I'm just giving a simplistic example, but the idea is each of these steps poses its own risk that can be assessed in an organizational business context, not necessarily limited to an information security context.

And, oh, by the way, on the side of this, [for] each of these, you should have compliance and auditing so that you can actually validate what you're doing in each of these layers, and that's incredibly important. Each of these layers can be audited individually.

Functionally, that's a nice way to think about how to do things, and it helps a lot of our clients decide what to do first, second and third. But it's a bit high-level when it comes to answering a question like, "Gee, should I beef up my security information and event management (SIEM), or buy a next-generation firewall, or both?"
