The Problem with 80/15/5

As I speak with CIOs, boards of directors, and others with responsibility for IT security and risk management, I hear agreement that a new model of cybersecurity is overdue.

For a long time now, organizations have typically spent 80 percent of their IT security budgets on prevention, 15 percent on monitoring and detection, and 5 percent on response. The problem with this allocation is that the vast majority of the spending is perimeter-based, static and inflexible. Even the monitoring spend is probably heavily weighted to IPS (intrusion prevention systems), again perimeter-oriented.

In today’s hyper-connected world of openness, where IT perimeters have become more porous and harder to defend, and where successful breaches are expected, if not inevitable, the balance of spending must shift. Without rebalancing this spend, it will become increasingly difficult, if it is not already, for organizations to detect a breach in a timely way and to respond fast enough to avoid loss.

As I told the eighth annual congress of public sector security practitioners at the Government Forum of Incident Response and Security Teams (GFIRST) in Atlanta today, a new intelligence-based security model is necessary to achieve true defense in depth. Intelligence-based security consists of several components.

The first is a thorough understanding of risk. The next two are the use of agile controls based on pattern recognition and predictive analytics, and the use of Big Data analytics to give context to vast streams of data from numerous sources (including external threat intelligence that resides outside the organization) to produce timely, actionable information. Furthermore, operating such a system requires people with the right skills. And, finally, intelligence-based security requires information sharing at scale.

We at RSA will have plenty more to say about intelligence-based security in the coming months.

About the Author: Art Coviello