Why Security Spending is Not Enough

security spending

Gartner puts worldwide spending on information security products and services in 2016 at $81.6 billion. That’s about $5 billion more than the year before, yet no one is under any illusions that breaches are on the decline.

That’s because spending isn’t enough. You need to be building on a bedrock of best practices to get results. ITIL (formerly the Information Technology Infrastructure Library), for instance, is an excellent place for healthcare IT departments to start. It is, however, just one collection of best practices.

1. Stick to secure configurations

Fundamental to maintaining system integrity, you should be starting from a well-known and secure configuration. Whatever the demands and pressures of the business to implement change quickly, it should only be to another well-known and secure configuration. It’s important that the integrity of a configuration be maintained during any change process.

2. Which best practices to follow

ITIL defines three closed-loop processes that healthcare IT departments can use as foundational controls. They drive availability but have additional benefits in terms of uptime and a solid security footing.

The processes in question are:

  1. Configuration management
  2. Change management
  3. Release management

Following these processes closely means knowing your servers are secure and validated with a working configuration. When you have those things, you have a strong incentive to be rigorous when considering (let alone applying) changes like patches, adding new software, or changing hardware.

Managing change well is absolutely fundamental to an organization’s security. The best security policies, procedures, and technologies can be undermined the instant change management goes wrong.

Again, ITIL is not the only choice when looking for a best practice guide. But if you are not following a recognized guide of some stripe—whether it’s ITIL, COBIT, or another—alarm bells should be ringing.

3. A change in philosophy

When you’re too focused on point-based technology solutions and not focused enough on following best practices, you can expect to be breached.

A philosophy that gives priority to core control processes will lead to a higher availability rate and fewer breaches. That’s something that is easier to achieve when you don’t see security as a feature that is bolted onto an existing IT framework or system. Bolting on security can’t help you if your underlying environment is insecure.

4. Balancing the budget

Look to balance your spending appropriately between impressive new threat intelligence tools and the fundamentals of employing and maintaining controls. If your IT control process is broken, it’s probably a good indicator your security is broken, too.

Related Reading: