Volume 8 of the AT&T Cyber Insights report looked into whether organizations who are investing more in cybersecurity are achieving better outcomes than those who aren’t.
The outcome of the research was a resounding no.
On the surface, this may seem counter-productive. After all, how many CISO’s have you ever heard complain about having too much security? However, if we look at the trend as an inverted U, or the law of diminishing returns, when you overdo something, you eventually stop seeing benefits, and may even see losses.
Getting the Porridge just Right
Much like Goldilocks, the question that arises is how much security is just right?
Former Director of the Enterprise Security Practice at 451 Research, Wendy Nather, wanted to establish The Real Cost of Security. In her research, security professionals provided a wide range of responses as to what security technologies are needed, with the majority of the respondents being able to trim down their list to around 10. The pricing of these 10 technologies varied greatly depending on a number of factors such as vendor, mode of deployment, whether it was open source, and so on - the price range varied anywhere from $225,000 to $1.46m in the first year, including technology and staff.
Expense in Depth
For many companies, especially those with small or mid-sized security teams, managing 10 or more individual security products can be challenging.
Former Forrester analyst Rick Holland coined the phrase ‘expense in depth’. That is where many companies will use the defense in depth concept to justify the need for more security products. The problem with this approach is that it can lead to buying too many technologies which don’t complement each other, which inevitably results in a multi-layered approach that provides minimal return on investment.
This leads us to a bit of an impasse. A variety of security controls are needed to provide adequate coverage. But too many security products lead to an increase in expense not just to procure, but to manage, which can lead to security shelfware.
More Capability in Fewer Products
In order to avoid some of these pitfalls, companies, especially ones with small to mid-sized security teams, should look to invest in fewer products that offer greater functionality.
The good news is that many security technologies have become standardised and no longer need to be acquired or deployed individually. For example, vulnerability scanning is largely a standardised function. While some scanners may perform better than others - by and large, you can point it to your assets and receive an expected output.
So, the question companies should ask, what benefits are being gained by running vulnerability scanning as a separate service with a standalone technology? Compare this to a platform which offers several security functions of which vulnerability scanning is one. The same could be said for anti-virus, or IDS, or SIEM’s. The value in running any of these as dedicated standalone services is diminishing.
Take the example of your smartphone. It has replaced many devices such as a pager, phone, camera, even a flashlight, into one device.
One could argue that a standalone dedicated camera, or flashlight is a superior product, which may be true, but it comes with the overhead of additional batteries, and carrying those devices around.
Getting a Helping Hand
In addition to reducing the number of disparate security products, companies can also take advantage of managed security providers that can complement their teams’ security capabilities.
This can be a good approach to offload non-critical monitoring tasks, so that the in-house security team can focus solely on protecting the crown jewels within the organisation.
One of the additional benefits of this approach is that it takes the process of choosing the right technology away, too. The MSSP will monitor logs and alert you if there is something that warrants further investigation.
Think of it like your energy provider. You may not know how your provider is generating electricity, maybe it’s burning coal, or using wind-farms, solar energy, or some other option, the end result is the same - you receive a consistent supply of electricity coming into your home.
The third leg of the stool could be cyber insurance. This is perhaps of more importance for smaller companies wanting to do business with large enterprises which may insist on cyber insurance in the event of an incident or a breach.
As companies rely more and more on their digital infrastructure, any disruption has greater impact on the bottom line. Ransomware can grind businesses to a halt, and leak of sensitive documents can have far-reaching consequences such as damaging critical business relationships.
Managing the Risk
Ultimately, cybersecurity boils down to managing risk. As Todd Waskelis, AVP at AT&T cybersecurity solutions said, “It’s not about the number of dollars an organisation spends that leads to them reducing risk. It’s whether you have approached this from a business perspective and you have a risk management program that will not go stale.”
Having a business-focused risk management plan doesn’t mean having all of the best security technologies in place. Sometimes it means having enough of the right security technologies in place, having the right partners, and even transferring some of the risk via cyber insurance.
Considerations for your security strategy:
- Consolidate your security tools
- Outsource functions to an MSSP
- Offshore some risks via Cyber-insurance