A good security plan starts with an honest security assessment

It’s a simple premise that applies to virtually all areas of your life: You have to assess where you are in order to formulate a plan to get where you want to be.

If I just show you a map and tell you to give me directions to the Golden Gate Bridge you won’t have any clue how to do that unless you know where I’m starting from. The directions from Houston will look very different from the directions from Los Angeles.

The same mantra holds true for security. I’ve worked with many clients who were shopping for new security tools to perform functions their existing software could already do; they just never stopped to figure out what their existing software could do. Make sure you have a solid idea of what your security strengths and weaknesses are before you look to invest in new or different security tools and policies:

Business intelligence and big data analytics are valuable tools for organizations. Collecting and analyzing the right metrics related to current and past performance helps businesses develop effective plans for the future. This is especially true when it comes to securing your network and protecting your data.

Think of it like making a trip to the grocery store. You can just walk in and shop. You can make guesses about what items you might be out of or just grab whatever looks good in the moment. When you get home, though, you might find that you’ve wasted a lot of time and money on duplicate, unnecessary, or frivolous items. It’s much more effective to have an accurate inventory of what you already have and a plan for what you intend to prepare over the next few days so you can shop efficiently and cost-effectively.

The same logic applies to your security posture. If you have no idea how well your current security tools and policies are working, or in what areas your existing security posture might be deficient, you can’t possibly make an effective plan for how to adapt or improve your security for the future.

Imagine making security decisions in a vacuum. Consider how silly it would be to spend thousands or tens of thousands of dollars on a new antimalware tool when the antimalware protection you already have is already doing an excellent job of protecting your network and endpoints from malicious exploits. No matter how great the marketing campaign or how much of a “bargain” the new antimalware might seem, it would be a ridiculous waste to invest in a new solution if the one you already have works.

The flip side of that scenario is also a problem. Perhaps your antimalware solution is adequate, but there’s room for improvement, so you blow your entire security budget to buy the hot new antimalware product without realizing that you don’t have any security at all in place for data on employees’ mobile devices. Even though the new antimalware may be incrementally better than what you had, your overall security posture would benefit much more from filling the void and protecting mobile devices.

Read the full post on the RSA Conference blog: If You Don’t Know Where You Are, How Do You Know Where You Are Going?