NEW: Microsoft Vulnerabilities Report 2022 - Read the Findings of Our Annual Report Read Now

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Videos
    • Glossary
    • Infographics
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

Requirements, Requirements, Requirements

May 26, 2022

  • Blog
  • Archive
  1. Home
  2. Blog
  3. Requirements, Requirements, Requirements

We’ve probably all heard what’s important when buying a house, “Location, Location, Location”, but what’s most important when buying a cybersecurity product? As the title indicates, it’s the requirements you assess the products against. In this blog, I will give you some tips to help you in getting those right. With that in mind, let’s change the title of this blog and get into the details.

Top 5 Tips for Good Cybersecurity Requirements Gathering

Tip 1 – Know Your Stakeholders

This is important regardless of the type of project you are embarking on, but doubly, or even triply, for cybersecurity projects. All projects have sponsors and stakeholders. The sponsors are those team members who are providing the money, resources, and support, that will enable you to deliver the project. The stakeholders are those who have a real interest in the outcome of the project. This will include everyone who is impacted in any way by the project’s delivery, both during and after implementation.

As we know, cybersecurity is everyone’s responsibility, meaning the stakeholders are effectively everyone in your organisation. This could extend even further as changes to your cybersecurity requirements are likely to impact your supply chain too. We can’t have everyone involved with a project, certainly not if we want it to reach completion, but we can identify individuals to represent groups within the organisation. Those champions will be our proxy stakeholders and, the sooner they are involved with the project and supportive of the goal, the more chance we have of a successful implementation.

Cybersecurity can be a sensitive subject. We need to remind people that we all work for the organisation, not each other. The real value for everyone is in what they do, not the ‘responsibility’ they hold – I’m looking at you IT (Information Technology) Admins. Being responsible for a directly accessed superuser account (or 10) is infinitely less important than keeping the systems they are used with operational.

Tip 2 – Focus on the Problem, not the Solution

While it’s common to want to show that you understand the technology being purchased, chances are that the vendors you are sending your RFx documents to know the space even better. What you know far more extensively than any vendor is your organisation.

No one starts any project without a problem to solve. In cybersecurity, an audit finding is often the starting point, but it’s important to recognise the finding as the catalyst, not the cause. Failing in this regard will result in a box-checking exercise that will be poorly defined, overly expensive, and ultimately fails to deliver real value into the organisation.

The audit finding highlights a problem. Your goal is to understand how the business will benefit from solving that problem, beyond the audit finding itself. An example of a common finding is that the organisation has poor control over the use of privileged accounts. If that’s you, don’t feel like you are doing badly or that everyone else has this sorted – you aren’t and, for the most part, they don’t.

This situation is generally the result of two major problems:

  • Too many people have uncontrolled access to privileged accounts
  • Your security model is too complex

The first problem is obvious, the second is probably causing some furrowed brows. Too many superuser accounts means your security model is significantly more complex. The lifecycle of those accounts needs managing, the activity on those accounts needs monitoring, and the sheer number of those accounts can make it impossible to reliably find malicious activity. All of that contributes to a complex cybersecurity model.

This is a good example of the problem not always being the issue in front of you. It’s also a good example of where your knowledge of the organisation is vital in digging for and identifying the real problem.

Certain people need access to privilege to do their jobs. We need to enable them in that without unnecessarily increasing the risk to the business. With the problem identified, it’s become the requirement. Vendors can propose effective solutions to that problem, and you can link the outcome directly back to a business benefit of risk reduction. Satisfying the audit finding is the ultimate outcome and is a natural result of solving the real business problem.

It's also important to focus on solving ‘the problem’ and not letting scope-creep explode the project into something that becomes too big to address. I’m a huge fan of fewer dashboards, but I’m a bigger fan of the right solution to the problem. When your boat is springing leaks everywhere, sealing the holes is far more important than finding a way to do it with a single plank of wood.

Tip 3 – Change means Change

When we are under attack, both from cybercriminals and the stresses of our jobs, it’s a natural response to look for quick fixes to our problems. Technology is often where we look to solve those problems. The cry of “there must be a tool or app for that,” is heard in offices across the world—constantly. Technology is rarely the whole of the solution.

When you change your toolset, you will need to change the process as well. When we change process, we need to educate our people so they can effectively use the new tool and the new process.

Three elements, people, process, and technology are involved in any significant business change. This is why I say, “change means change”. Missing out any of these areas will result in a less effective solution and a lower return on investment. And in the worst cases, the project may utterly fail, and you’ll possibly be left further back than where you started.

Technology is a tool. Tools are used by people to execute processes. Simply adopting a new technology is the IT version of papering over the cracks. The cracks remain and over time, the cracks will grow – hidden behind the paper – until they cause the paper to split and the wall to fall. If you want to get the best value out of your tools, ensure they are right for the changes you are making to your business processes.

Referring to our example in Tip #2, certain people need access to privilege to be productive in their role(s). The primary business problems, in this example, are an overly complex cybersecurity model and no control over or visibility into when or how the privilege is being used. This points to the solution being a process change in how access to privilege is managed and monitored. This expands into a series of actions as follows:

  • Moving away from individual access to privilege (simplifying the model)
  • Implementing technology to control access to privilege effectively and efficiently
  • Developing process to guide and direct users who need access to privilege
  • Training those users in the technology and the process

As you can see, you need to do all these things to realise the value in the solution. Missing a step is going to create friction and frustration. Change means Change and we must embrace that.

Tip 4 – Validate the Cybersecurity Requirements

It’s not unusual for the person running a project to lack expertise in the problem area. A common approach to requirements gathering is to solicit a list of requirements from project stakeholders. These lists are then provided to the project manager. who collates the responses and generates a final requirements list.

Depending on when requirements gathering happens, the list of requirements will tend to include items that are one of the following:

  • Features that a respondent would like to see, or has seen, in technology currently available
  • Ways in which the solution should work or be implemented
  • ‘Depth-charges’ designed to derail the project

The last item is usually the result of engaging the stakeholders too late in the project. I’ve been involved in many cybersecurity projects that involved meetings with confused individuals who didn’t know why they’d been invited. That confusion turns to anger when they are told their working practices are changing, and the technology is already being evaluated. These stakeholders then present ‘requirements’ for the solution that they know are either impossible or highly impractical, though they may, in fact, sound reasonable to the project manager.

The first two items in the list are often the result of stakeholders being briefed late in the project and, thus, having inadequate time to digest the impact to their part of the business. A short timeframe for responses will also often result in a list of features harvested from a vendor website, especially if the respondent is familiar with a particular solution. Familiarity with a solution is undoubtedly a boon with regard to training, and a personal recommendation must not be undervalued. but both must be considered within the context of the current organisation.

The project manager shouldn’t be asked to assess the requirements, even if they are knowledgeable in the subject matter. A proven best practice is to collate the responses and then send them back out to the respondents so everyone can all evaluate all the responses and, ideally, be able to articulate how each will benefit the business. This process also produces a good set of measures with which you can evaluate the chosen solution’s effectiveness.

Sending the raw list to vendors isn’t going to end well, or at least, not as well as it could.

Tip 5 – Make Cybersecurity a core part of your Business Fabric

Cybersecurity isn’t an extra function within your organisation. It’s not an add-on to any system or process you are using, it’s fundamental to doing business in today’s market.

We’ve all seen the headlines over the past 5-10 years, businesses brought to their knees because of a cyber-breach. It’s important to bear in mind that those headlines only tend to cover the larger, more well-known companies impacted.

We are dependent on the technology we use. We are almost entirely dependent on it, in fact. Certainly, to the point that maintaining the operation of those systems is essential for our business resiliency and continuity. When you consider cybersecurity in those terms, it’s clear that every system, and every project to implement a system, must be secure. It’s no longer an option, it’s the first consideration.

We need to change our thought process from “how do we implement this system and secure it”, to “how do we securely implement this system”. That means baking cybersecurity into our processes, everywhere—it should become part of the fabric of the business, the cloth the company is woven from.

Doing this will involve combining new projects with existing and planned cybersecurity solutions. Every time we do this, we add more value to those solution by deriving more business benefits from them. That may be as simple as just easing the implementation of a new system because the environment is already well-secured and prepared for expansion. By using every cybersecurity project to move toward that ‘baked in’ approach to cybersecurity, we increase the value of those projects and make business run smoother.

Any solution we implement needs to work well within our organisation and, in achieving this, becomes a fundamental part of the process of business itself. The more solutions we implement that enable our colleagues to be as, if not more, productive in their roles, the more they’ll be willing to be a part of the cybersecurity journey.


Photograph of Brian Chappell

Brian Chappell, Chief Security Strategist

Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Up next

From May 25, 2022:
The 2022 Edition of the Microsoft Vulnerabilities Report is Out – Despite Uneven Progress, a Picture of Elevated Vulnerabilities Remains
From June 2, 2022:
Why Identity & Access Security is Pivotal to Digital Transformation Success

You May Also Be Interested In:

Whitepapers

IDSA Report: 2022 Trends in Securing Digital Identities

Whitepapers

Microsoft Vulnerabilities Report 2022

Whitepapers

Cybersecurity Insurance Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Infographics
  • Podcast
  • Videos
  • Webinars
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.