Optimal security must not only be attained, but also sustained over time. A good security strategy must be forward-thinking: it must understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.
'Optimal security' is the balance between security spending and losses prevented at which the remaining losses are acceptable to the business. That balance changes often, and it likely has different targets for the dissimilar parts of the entity.
Organizations are likely to mandate security expectations, which typically manifest as a set of configurations, specifications, and operating standards. The risk is that these security controls may be relatively static and entrenched.
Establishing a security baseline is a good practice, but to remain effective it must adapt to changes in the environment, staying dynamic enough to keep in lock-step with rapidly changing threats, vulnerabilities, and resulting exposures. It must be a fluid posture, able to change rapidly in response to different internal priorities and external changes. The sustaining business structure must be designed to continually predict areas needing modification and to support the design and deployment of those changes. Rigid security postures cannot remain effective over time, and they likely derive from an equally rigid infrastructure, which will struggle to adapt to new threats and to changes within the organization. Design security to be flexible and you enable the service to keep up with the continual changes in the information branch of security.
I recently spoke with an organization that had established a security posture which relied heavily on a hardened OS and application build for their systems. At the time, they deployed a platform which took into consideration all the best configurations for hardening. They were so confident they had satisfied security requirements that they considered the problem solved. They integrated the security design into their normal platform refresh cycle of system replacement every few years. They never comprehended the fact that they would need to continually update the build to compensate for changes in threats, new vulnerabilities and malware, and evolving business usage models.
The platform’s security, which initially was strong, quickly began to erode. With no internal mechanism to identify when changes needed to be made, and no testing and distribution capability, they soon found themselves responding to individual incidents and changing systems one at a time based upon particular end-user needs. This created inconsistencies in the builds, which made them more difficult to support. Without proper forethought, the security team turned themselves into a firefighting organization, losing the initiative in the war of security.
This is one simple technical example. The same holds true for the expanse of automated solutions and behavioral security controls as well. Highly effective and efficient security strategies are forward-thinking: they understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment. Overall, the concept of ‘optimal security’ is one of fluid adaptation of controls to meet an ever-changing target for risk acceptance.