Return on security investment is more than a matter of dollars and sense; it's also about ensuring the security technologies you're employing stand up to today's threats.

With rapidly evolving threats and increased business risk, security leaders are constantly pressed by the question: Do we have the right technology, people, and processes in place to protect the organization? CSO's Derek Hulitsky sat down with DJ Goldsworthy, VP and global practice lead, security operations and threat management at Aflac, at the recent Future of InfoSec Summit to discuss just that.

What follows are edited excerpts of the event session on setting up a portfolio rationalization program as part of CSO's recent Future of InfoSec Summit. For more of Goldsworthy's insights, watch the full video of the event session.

On the importance of portfolio rationalization:

Portfolio rationalization is a very deliberate and focused effort to ensure that you are maximizing and optimizing your investment in security. I would say it's important for two key reasons.

One is, in most cases, funding in cybersecurity is finite. We have our roadmaps and our strategies, and we seek investment for those. And in that process, we have to make sure that we are pursuing the maximum return on investment. And so throughout the lifecycle of technology, things can grow stale. Investments that were relevant prior may not be as relevant today. And so it is important to review those investments very deliberately, and to see where things might need to change. In the same respect, not just from a cost perspective but rather through the lens of threats and technologies evolving very rapidly, that is a pretty central factor as well. So what has worked in the past for certain types of threats or certain types of new technologies that the company is implementing to support the business may not work anymore.
And so we are having to evolve the technology very quickly from a security standpoint to align to the current threats and the current environments and technologies that the business is using.

On future program enhancements:

Our business partners and our IT partners want to continue to accelerate. We want to deliver more features to our customers, we want to enhance their experience, we want to get things to market faster. And as such, we are going to have to adopt a lot of new technologies, and there will be threats waiting at every corner, trying to find ways to exploit weaknesses in how we are approaching things. And so the need to look at how we are spending our security dollars, the investments we are making, and our focus for what processes we need to be putting at the forefront of our roadmap, that is going to be right there.

As we look at the cloud, and DevOps in particular, it really highlights the need for security organizations to take a services-based approach where we are developing services that could be consumed by our partners and, ideally where possible, in a self-service manner. That is really the way that we are going to get the speed of delivery and the scale of security that we need. So I see the rationalization efforts aligning to that, looking at our capabilities and saying, "Where do we need to be building services, security services?"

An example might be a tokenization service that could be consumed by our developers as they are writing new applications, new code that maybe works with sensitive information. And so you can think about all the different aspects of security that can maybe fit that services model and the type of technology and processes it would take to deliver that. We want to take our rationalization efforts and focus our investment on that type of approach.

On setting up for success:

A lot of security programs get stuck in the hamster wheel of daily operations.
And there is a lot of planning and operations type of initiatives going on that draw attention to the here and now. But it is important to step back and spend some time and effort on these higher-order initiatives.

And so the first step is to carve out time from the right team member or members that you want to put on this type of initiative. They are going to have to interview the team and figure out how we approach everything today. Even your architects are not going to know how everything is done. They will have domains, generally, that they know really well, but you have to look across the entire spectrum of cyber and all the tools and people and processes that are in place. That takes a good bit of time, and you have to commit to that up front.

The second step is setting some initial targets. Set some conservative targets, some things that you know you can book quick wins with, and then set some stretch goals, stretch targets, that if the program is wildly successful, this is what that will look like. And then just manage toward those goals. Try to get those quick wins. It might be looking at how we can get a 10% reduction of our current investments into a pool that we can then appropriate to something new. And maybe the initial effort is just simply looking for duplicative technologies. Where do we have duplications of capabilities where we can do some pretty easy divestment without having to do any full rearchitecting of things?

And so those quick wins, they build momentum. They put faith in the program. If you have shown those early wins, then it is really not hard to justify the investment of resources in this type of initiative.

This article originally appeared in CIO's Center Stage newsletter.