Throwing more technology at security threats as they crop up is not the best way to go if the goal is to protect the most valuable data at the best price, attendees at Interop were told this week.
"My view of the world is we've bought too much product," says John Pironti, president of ITArchitects. "If all these technologies are working, why are we having a breach every week?"
He says that security measures are often costly yet questionably effective. He notes that anti-virus software catches 30% or so of viruses. And some security technologies work at cross purposes. For example, encrypting data as it moves around the network can prevent attackers from reading it, but it also makes the data invisible to data-loss prevention gear, he says.
"Technology can add cost without adding value," he says.
Companies that take a step back, review risks, identify and rank their data and develop a plan for dealing with foreseeable problems will wind up with better and more efficiently deployed defenses, he says, and outlines five steps to take:
• Develop an information risk profile for the business. This includes finding out what data has what value to the company, what's acceptable loss, how loss affects partners and suppliers, what controls will be needed and the like.
• Map business processes and track how data moves through those processes. Determine whether data can be handled more efficiently. For example, central databases rather than distributed databases can reduce network complexity and therefore improve security.
• Conduct an asset inventory to determine where all the corporate data is. The results may be surprising, Pironti says, because data can wind up on devices like employee-owned smartphones and tablets. Classify the data and establish controls for each class.
• Perform threat and vulnerability analysis that works through scenarios of how adversaries would attack the network if they knew its vulnerabilities. Identify countermeasures for each case. Also, get a handle on what attack technology is available to adversaries so the attack scenarios and countermeasures can be better informed.
• Identify and implement appropriate controls based on the previous four steps. Consider whether controls cost more than the downside of compromising the data they protect. Educate users about safer network behavior, for example keeping sensitive data off portable devices. Note: Make sure the controls don't block tasks needed to do business.