
1 Practical IT Research that Drives Measurable Results Build Security Architecture & Roadmap Implementation

2 Introduction
Most organizations acquire security tools in a reactive manner. This results in inconsistent security that does not meet organizational goals. A security plan eliminates this problem and preserves resources. On average, plan development takes 8 months and costs $108,000, a major inhibitor to plan adoption. This solution set eliminates those costs.
This solution set addresses security planning in three steps:
- Getting Planning Started
- Building the Right Architecture
- Developing an Implementation Roadmap
Small and mid-sized organizations that do not have a formal security plan in place will benefit from completing the Security Architecture and Roadmap Planning Tool. This set will define an appropriate security architecture and develop a custom deployment roadmap. These tools will improve security while saving the costs of plan development and streamlining future investments.

3 Executive Summary
IT security planning is costly and time consuming. Using the Secure Network Design and Roadmap tool is a cost-free and quick way to create your organization's ideal network design and tool implementation roadmap.
Involve the business side in IT security planning; it is not only an IT exercise. Involving the business results in:
- Better business buy-in.
- Easier cost validation for new security tools.
- More insight into future business directions.
Businesses do not require every security tool. Proper planning prevents organizations from boiling the ocean and allows them to focus on the tools their organization actually requires.
When it comes to tool implementations, timing matters; planning and roadmapping ensure that tools are implemented in the order that is most appropriate and most secure for the organization.

4 Getting Started
- Why perform security planning?
- Planning and requirements gathering
- The value of plans
- How deployments fail
Building the Right Architecture
Developing an Implementation Roadmap

5 Security plans save money and improve enterprise security
Improve organizational security: 55% of organizations that used security plans said that they deployed their security tools in the most secure order. The IT security planning exercise encourages organizations to take all aspects of the organization into consideration in order to create a security plan that best meets their needs.
Save money: 45% of organizations that used security plans said that they would not have saved more money had they deployed tools in a different order.
Shift business perceptions on IT security and spending: The planning process involves the business side of the organization. Keeping the business in the loop will improve the perception of IT and will help shift the perception of IT from a cost center to a vital part of the organization.

6 Security planning is essential to the effective deployment of security tools
Do: Take all inputs into consideration. Also plan for future business and IT goals and requirements.
Don't: Let incident response alone drive the plan; being purely reactionary undermines efficient planning.
Do: Make acquisitions according to established plans.
Don't: Purchase security tools just because they are new or because "everyone else is doing it." Only purchase tools that are necessary.
Do: Implement tools in the order that best supports the required level of security and the priorities of the organization.
Don't: Deviate from established plans. Reactionary implementations can lead to higher costs and a less than ideal architecture.
The process has three steps:
1. Planning and requirements gathering: Determine what the organization's security needs are and where its priorities lie. You may need to gain business buy-in at this point.
2. Determine required tools*: Once needs and priorities are established, the organization is able to determine which specific security tools it requires. This list is based on business wants and IT requirements.
3. Determine implementation order**: Determine the order in which the security tools should be implemented. Organizations will have different implementation orders depending on where their priorities lie.
* See the "Building the Right Architecture" section for details.
** See the "Developing an Implementation Roadmap" section for details.

7 Planning and requirements gathering is not a one-step process; it involves multiple inputs to create a plan that works
The following four areas are the key considerations in the planning and requirements gathering phase:
- Risk assessment
- Business requirements
- Incident response
- Regulatory pressure
Organizations will not have to focus on each of these areas equally; find the balance that is right for the organization's particular needs. Consider each of these areas when creating your security plan; some will be more relevant to your organization than others.

8 Not all inputs are created equal; determine which inputs are most important to you
Risk assessments: A primary contributor to security plans. After risks have been identified, organizations set out to implement the tools required to minimize them.
Pros: Clearly identifies the areas of most significant concern, allowing the enterprise to build accurate plans.
Cons: Risk assessment is a time-consuming process. Completing it enterprise-wide can slow down plan development significantly.
Regulatory pressure: Companies required to meet compliance requirements will need to take these into consideration when performing security planning.
Pros: In many cases, regulatory requirements are easy to obtain, clearly laid out, and often include an order of implementation.
Cons: Compliance is demonstrated through "snapshot" audits that may not be indicative of ongoing status; passing an audit is not the same as being secure between audits.
Breaches and threats: Many organizations implement tools in response to a breach or threat. Reaction is needed but should never be the only input.
Pros: Problem areas can be identified and fixed immediately, preventing additional breaches.
Cons: Focusing too heavily on breaches encourages unplanned or rash security tool purchases and changes.
Business requirements: Knowing what the business expects makes it easier to meet its needs and justify budgetary requirements.
Pros: Understanding what the business wants allows IT to deliver better service and improves the perception of IT.
Cons: The business may ask for things that IT cannot or will not provide, resulting in a loss of trust and a breakdown in relations.

9 2010 research shows that organizations with formal security plans feel more secure
Info-Tech research shows that 91% of organizations that had performed formal security planning also had formal policies in place. Without proper plans and policies in place, organizations are vulnerable because they have no mechanisms to deal with security issues. If there is a security breach or loss of data and an organization does not have established rules in place, it can lose precious time while trying to figure out what to do. In this situation, the organization may also be legally implicated and can be liable for any losses or complications.
Companies with security documentation have the satisfaction of knowing that their IT security is appropriately scoped and designed. They will also generally have mechanisms in place to vet and update the plan regularly, ensuring the highest level of security possible.
Organizations with formal security plans are 4.5 times more likely to feel secure than organizations with no plans in place (self-reported; N=35).

10 Lack of business buy-in prevents some organizations from performing proper security planning
"Business culture lacks an awareness of security. Security planning is required, and there are insufficient resources currently in place to start and keep the momentum moving forward." - Team Member, Utilities
"Many things keep us from performing security planning: other priorities, limited resources and the perception that we are not a strong candidate for security incursions." - Manager, Public Administration
"Business culture and management perceptions need to change to bring more focus on security awareness." - Manager, Manufacturing
"The security plan is our most valuable piece of security documentation, but its intangible nature makes it hard for non-technology business management to understand." - CIO, Finance
Planning is difficult when the business is not on board:
- It is difficult to get the time and resources necessary to complete the planning if the business does not see the benefit of the exercise.
- Justifying the budget required to purchase the tools to become secure is difficult when the business is not security focused.
Do these three steps to get business buy-in:
1. Explain the importance of the planning exercise. Convey the importance of the security planning process to the business in non-technical terms.
2. Involve the business early in the process. Let the business determine its specific needs. This gives time to go back and discuss whether their "wants" are realistic in terms of available time and resources.
3. Keep the business in the loop. Be sure to notify the business of big changes and upgrades. Let them know how these will affect them.

11 Deployments gone wrong: the problems of not using a formal security plan
Security gaps: Informal, ad-hoc security planning results in security gaps as the organization fails to implement the right tools in the right order to maximize security.
Example: An organization that had recently purchased a Unified Threat Management (UTM) solution that included gateway anti-malware protection decided that endpoint anti-malware was no longer necessary. When one of its remote employees, who had been disconnected from the network, reconnected with his infected laptop, a virus ran rampant through the network because the endpoints were all unprotected. A gateway scanner only inspects traffic that crosses the gateway; a laptop infected while off the network, or lateral traffic between internal hosts, never passes through it. With proper planning the organization would have considered the risks that remote workers present and taken the necessary steps to mitigate them.
Not meeting business requirements: Neglecting to formally establish what the business's security requirements are can result in failing to appropriately serve and protect the business. This can be costly in the long run.
Example: A sales organization that had plans to move to online sales never conveyed this to IT, and IT never asked what the business's plans were because they never went through the IT security planning process. The organization's security network architecture supported the "old" requirements but not the new direction. When the new direction was communicated, IT was unprepared to support the needs of the company. In the end, IT needed to delay the business's move to online sales while it changed the gateway security infrastructure.
Inappropriate tools in place: Info-Tech research shows that companies with no formal IT security plan in place show significant randomness in the tools they choose and the order in which these are implemented.
Example: A financial organization that needed to meet specific compliance requirements purchased content filtering and data leakage protection systems after implementing baseline tools, when it should have implemented a management system next to monitor all of the tools it already had in place. The high cost of the management system caused the organization to look for cheaper tools first. This misalignment resulted in the organization failing to provide conclusive reporting for security auditing purposes.

12 Info-Tech helps professionals to be proactive
Sign up for a free trial membership to get practical solutions for your IT challenges.
"Info-Tech helps me to be proactive instead of reactive, a cardinal rule in a stable and leading-edge IT environment." - ARCS Commercial Mortgage Co., LP

