How Aflac maximizes security ROI

With rapidly evolving threats and increased business risk, security leaders are constantly pressed by the question: Do we have the right technology, people, and processes in place to protect the organization?

CSO’s Derek Hulitsky sat down with DJ Goldsworthy, VP and global practice lead, security operations and threat management at Aflac at the recent Future of InfoSec Summit to discuss just that.

What follows are edited excerpts of the event session on setting up a portfolio rationalization program as part of CSO’s recent Future of InfoSec Summit. For more of Goldsworthy’s insights, watch the full video of the event session embedded below.

On the importance of portfolio rationalization:

Portfolio rationalization is a very deliberate and focused effort to ensure that you are maximizing and optimizing your investment in security. I would say it’s important for two key reasons.

One is in most cases, funding in cybersecurity is finite. We have our roadmaps and our strategies, and we seek investment for those. And in that process, we have to make sure that we are pursuing the maximum return on investment. And so throughout the lifecycle of technology, things can grow stale. Investments that were relevant prior may not be as relevant today. And so it is important to review those investments very deliberately, and to see where things might need to change.

In the same respect—not just from a cost perspective, but rather through the lens of threats and technologies evolving very rapidly, that has a pretty central factor as well. So what has worked in the past for certain types of threats or certain types of new technologies that the company is implementing to support the business may not work anymore. And so we are having to evolve the technology very quickly from a security standpoint to align to the current threats and the current environments and technologies that the business is using.

On future program enhancements:

Our business partners and our IT partners, they want to continue to accelerate. We want to deliver more features to our customers, we want to enhance their experience, we want to get things to market faster. And as such, we are going to have to adopt a lot of new technologies, and there will be threats waiting at every corner, trying to find ways to exploit weaknesses in how we are approaching things. And so the need to look at how we are spending our security dollars and investments we are making and our focus for what processes we need to be putting at the forefront of our roadmap, that is going to be right there.

As we look at the cloud, and DevOps in particular, it really highlights the need for security organizations to take a services-based approach where we are developing services that could be consumed by our partners and ideally where possible in a self-service manner. That is really the way that we are going to get the speed of delivery and the scale of security that we need. So I see the rationalization efforts aligning to that, looking at our capabilities and saying, “Where do we need to be building services—security services?”

An example might be a tokenization service that could be consumed by our developers as they are writing new applications, new code that maybe works with sensitive information. And so you can think about all the different aspects of security that can maybe fit that services model and the type of technology and processes it would take to deliver that. We want to take our rationalization efforts and focus our investment on that type of approach.

On setting up for success:

A lot of security programs get stuck in the hamster wheel of daily operations. And there is a lot of planning and operations type of initiatives going on that draw attention to the here and now. But it is important to step back and spend some time and effort on these higher-order initiatives.

And so the first step is to carve out time from the right team member or members that you want to put on this type of initiative. They are going to have to interview the team and figure out how do we approach everything today? Even your architects are not going to know how everything is done. They will have domains, generally, that they know really well, but you have to look across the entire spectrum of cyber and all the tools and people and processes that are in place. That takes a good bit of time, and you have to commit to that up front.

The second step is setting some initial targets. Set some conservative targets, some things that you know you can book quick wins with, and then set some stretch goals—stretch targets—that if the program is wildly successful, this is what that will look like. And then just manage toward those goals. Try to get those quick wins. It might be looking at how we can get a 10% reduction of our current investments into a pool that we can then appropriate to something new. And maybe the initial effort is just simply looking for duplicative technologies. Where do we have duplications of capabilities where we can do some pretty easy divestment without having to do any full rearchitecting of things.

And so those quick wins, they build momentum. They put faith in the program. If you have shown those early wins, then it is really not hard to justify the investment of resources in this type of initiative.

This article originally appeared in CIO’s Center Stage newsletter. Subscribe today!