Whatever the means, security investments will always need to be balanced against the resource capacity and limitations of the enterprise organization. “Typically, clients understand they have gaps they need to fill,” observed Stratacore’s Lee Pallat. “You have to guide them in a way that enables them to gradually fill those gaps with an array of managed services, of security tools that fit within the existing resource constraints of the organization. You also need to bring all the different stakeholders together and get them on board, and then push all of that through procurement at an executive level to make sure everyone is aligned.”

In the midst of ensuring that planned technologies and available resources are properly balanced, it generally becomes clearer who the key stakeholders within the enterprise organization are likely to be. These individuals should be called upon to craft the policies under which IT security is managed. These policies need to define the assets in the highest need of protection, who has authority over the different aspects of enterprise security, operational requirements, and consequences for violations. In addition to security experts and IT people, Finance often plays a role, as do C-suite management, Legal, and other teams.

One important consideration involves what types of data you want to collect, and how long that data should be preserved. The knee-jerk reaction for some people may be to collect as much as possible and keep it for as long as possible. But that can very quickly translate to a truly massive attack surface, to say nothing of the cost of securing it. Add on top of that the costs of any legal ramifications that can occur in the event of a breach. All of these matters lead to very serious questions.

“What am I legally required to hold and for how long?” asked Trustwave’s Steve Baer. “Question those things, because the longer you hold onto it, the longer you’re responsible for it. And you’re also responsible for the destruction of that data. Organizations need to be smarter about those things. If it gets extracted, your company is probably responsible for that, too.”

AlertLogic’s Jack Danahy said, “If I can be more rigorous in my examination of the data I’m going to store, how I’m going to store it, and how I’m going to link those areas of storage, it definitely reduces the complexity of my environment. And every time I decrease the complexity, I increase my ability to secure it. Taking the time to decide what to keep can be a real fact-finding exercise into what I’m going to look for, and the threats I’m worried about. A collateral benefit of performing that analysis is that I can become more targeted in how I’m going to use my security resources. I can develop a more proactive stance, based on the types of data I’m going to gather.”

“It’s a complicated issue and I think it’s important to have a guide,” summarized Hayman. “That’s where the trusted advisor comes into play. They have access to experts from the leading MSSPs. Ultimately, you want to partner with someone who can help you get all the way to your goal. That goal will sometimes need to change, and given the deficit in cybersecurity talent, the only way to do this successfully is to partner.”

Copyright © 2020 AVANT Communications, Inc.
Managed Security Trends and Insights