When practically everyone seemed to point the accusatory finger at Target for its alleged inattention to malware alerts, we’ve got to admit that a whole lot of us secretly empathized with the retail giant. After all, it was what we can all agree to call a security shelfware risk, one that could happen to anyone, or at least to anyone who purchased a purportedly plug-and-play technology and believed they were good to go.
Placebo is a serious threat to security management. It can be dangerously easy to give in to the sense of security that comes with the deployment of every new security technology. As we learned from the Target data breach incident, a lot could go wrong when your organization lacks the right resources to empirically assess the publicized features of a security implement – both to assay its highest benefits and to understand precisely how it functions.
Small and medium organizations are the hardest hit by security shelfware because they don’t enjoy the same economies of scale that larger companies do and thus face the risk of greater misspending on a per user basis. But, no matter the size of their business, IT teams are overwhelmed with challenges in coping with exposure to increasingly complex threats – a situation that can only get worse with an uncertain security posture and unaccounted costs.
How can you be sure that your investment in security implements is being fully utilized?
Organizations aren’t breached because they fail to invest in security, but evidently because they have been doing it wrong.
Whether you purchased a security product solely to satisfy a compliance or regulatory requirement or are under-resourced to utilize its advanced features, it may be easy to ignore the unrealized ROI. But you have got to face the fact that your data breach liability is dramatically increasing while the under-optimized security software stays deployed.
Balancing ease of management and visibility
Trustwave and Osterman Research Inc. published a report last year that highlighted the issue of underutilized security software. Every reason behind the increase in unrealized ROI accentuated in the report points to a central issue – the dearth of expertise and time to manage and maneuver security technologies.
Security implements like IDS and SIEM often end up gathering dust because we make the mistake of accepting more than our in-house IT teams can handle. Or, we take it for granted when a vendor claims his product is all set from the word go, assuming it is at its full potential. In reality, these security solutions work best when handled by engineers with in-depth functional knowledge.
The secret to getting it right is ensuring that the out-of-box functionality the vendor advertised is practicable in your environment. This is typically where most of us make the wrong call. We fail to address fundamental imperatives like, “What can this software do for my enterprise?” Or, “I hear this is a great product but how can I get the most value from it? How do I know if this is what my business needs and whether it’s working fine?”
This makes the case for why managed security can help an organization whose security priorities are constantly shifting and whose deployment never gets completed properly. Instead of starting with a purchase and then looking for resources to make it operational, it makes more sense to try a solution that combines expertise and capabilities.
Three important advantages of having dedicated security personnel handle security software deployment, optimization, validation and maintenance:
- Gauging functional effectiveness of the deployment
- Verifying that defense level is optimal
- Tracking value and outcomes
While managed security can help reduce wasteful spending, it is not easy to give it your unbridled trust unless the provider prioritizes keeping you ahead of the storm through insightful reporting and status monitoring. Easy manageability does not warrant compromise on visibility. Ensuring that communication channels are active and open is one of the most definitive indicators of the proactive ongoing support that an MSSP should provide.
Always insist on maintaining an up-to-date asset inventory and policy management plan to support audit trails and vendor management reviews.
Don’t spend money to lose more. It pays to seek objective perspectives on security software, the vendor and the service offering from reliable sources.
But nothing helps calculative spending like an operational test run does.
That’s why the 24×7 Managed Security Suite is now available on a 15-day trial period.