Architectural Strategy Rationalization

A security team always has one of three strategic choices for its security investments.

  1. A perfect security strategy. Costs are not a factor; you want to close every door and seal every compartment. This is the most expensive option.
  2. A good enough security strategy. You want to optimize for the lowest cost of doing business with maximum effectiveness. Under this approach, you will look for products that are broadly capable, highly integrated, and reliable.
  3. Only your own security strategy. In this scenario, you may have the resources, or the proprietary or classification demands, to require your own security. You will then embark on building your own capabilities.

By deploying the Security Optimization Platform and testing your capabilities, you understand whether perfect is perfect, whether good enough is good enough, or whether you want to build your own capabilities to fill specific gaps. By exercising your capabilities, you determine your requirements.

Companies need to be able to test security control effectiveness under a change of security policy. Do you want higher walls, or more freedom? If you want to raise the quality of life for your team, trading away tight security controls with the user in mind, you may opt to shift from preventive security to detection and put the onus on your incident response team. An example of such a choice was the Pentagon’s decision in the mid-2010s to allow Service Members to use Gmail on the Defense Department’s unclassified network. In this instance, the Pentagon could use the Security Optimization Platform to test the incident response team to see what issues might arise as the Defense Department transitioned from banning Gmail on its networks (to prevent breaches and spills) to enabling users to use their personal email. AttackIQ’s scenario library and open API would allow an enterprise to test the organization’s security effectiveness.