Scott McCollum, CIO, Sinclair Community College and Chair, Technology First Board of Directors
Every IT organization has its “table stakes” products for securing its infrastructure. These are products such as antivirus, firewalls, and mail scanning gateways that have become ubiquitous and a part of every IT department’s budget. Beyond these common products there are other, more capable products that are implemented to address other risks that the organization feels need mitigation. In addition to this inventory of products that have been implemented, I don’t think I’d be going out on a limb to say that every organization, regardless of size or the number of products that are used, has a list of products that they feel would improve their security posture. If this truly is the case, then how do organizations ensure that the products on their “wish list” address their most important vulnerabilities, and how do they get approval for increasing their spend for yet another product to eliminate their remaining vulnerabilities?
Sorry if you thought I had the answer to this most important question. Unfortunately, the vulnerabilities in an organization’s infrastructure are numerous and caused by many different factors. Some are due to bugs in the particular software that the organization uses, some are caused by flawed operational procedures of departmental users, and some are due to misconfiguration of systems. My point is that these issues will always exist and we can’t expect our budgets to continually grow to add more security products. In addition to the vastness of areas where vulnerabilities exist, we are faced with ever-tightening budgets. Increases were already hard to justify before the worldwide pandemic, which has increased technology support costs while decreasing revenues.
While we can’t eliminate all vulnerabilities, we must identify those vulnerabilities that pose the greatest risk for the organization and focus on these areas for process improvements and technology acquisition. In some cases this means repurposing our resources, because we are unable to justify additional funding. This repurposing can manifest itself in many ways. One way to repurpose resources is to eliminate products that don’t address the greatest threats or to acquire a new product that provides these capabilities while also meeting other unmet needs. Another strategy is to implement unused functionality in products that are already owned but under-utilized. In addition to repurposing tools, there are also opportunities in many cases to repurpose personnel to focus on security functions and to work on improving processes and managing security products.
The first step to being able to repurpose your security assets is to take an inventory of your environment for all resources that relate to security. This can be hard to do because some products that provide security, such as Microsoft 365, are not exclusively security products. Once you have a total picture of the security inventory you can understand the security spend for your organization and where you might have an opportunity to repurpose resources. Identifying the risk that each of your products addresses allows you to map your “wish list” of additional security capabilities against what you already own and determine how you might be able to perform any necessary repurposing before you make the much more difficult attempt to justify new funding.