Three common ways cybersecurity teams waste money – and what to do instead

    CEO and co-founder of Institute for Cyber Leadership, a fast-growing community of cyber leaders from over 50 countries.

    Headline hacks are helping drive global cybersecurity spending, which is predicted to exceed $188.3 billion in 2023. The ISACA 2022 State of Cybersecurity Survey also confirmed this trend, with 42% of security professionals saying their cybersecurity programs are properly funded, an increase of five percentage points.

    But through training my company’s cyber leaders from more than 55 countries, I have not observed a direct correlation between cybersecurity spending and cyber resilience. While bad guys keep getting ahead of cybersecurity teams, some business leaders feel like they’re pouring money into leaky buckets. Part of the answer lies in a misallocation of resources. Here are three common ways I’ve noticed cybersecurity teams waste money.

    1. Exaggerated reliance on advanced technologies

    Technical controls are a central part of cyber resilience. Unfortunately, some cybersecurity teams continue to swing from one emerging technology to another in search of a solution to their cybersecurity problems. This obsession with breakthrough technology is piling up security tools that are beyond teams’ capacity to effectively configure, integrate, and optimize. According to data from 2019, the average company managed a staggering 130 different security solutions, while medium and small businesses manage 50-60 and 15-20 security tools respectively.

    But in cybersecurity, more is not necessarily better. As security teams spread thin across dozens of disjointed solutions, the risk of burnout can also increase. Complexity also leads to uncertainty. As tools proliferate, security misconfigurations increase, the attack surface expands, and vulnerabilities accumulate. In the end, these praised solutions only give a false sense of invulnerability. For example, investing millions in next-generation firewalls that allow unrestricted traffic across the network could be a waste of money. These concerns are well founded. According to research, organizations that use more than 50 security tools are 8% less likely to mitigate threats and 7% less defensive than organizations using fewer security tools.

    To minimize cost and complexity, cybersecurity teams should consider leveraging native cloud security capabilities before purchasing separate third-party security tools. By leveraging native cloud security solutions (e.g., data encryption, privileged access management, mobile device management, or security logs), security teams can accelerate deployment while reducing complexity.

    Because these controls are integrated by default, the cloud-native approach is often less expensive than third-party security solutions, which often require significant professional services to integrate and maintain. There are still several cases where cloud-native solutions are not fit for purpose. However, the idea is to carefully evaluate the suitability of native cloud security tools before diving into an entirely new toolset, which your team may not have the expertise to manage.

    2. Premature hiring of permanent staff

    It is common for some new CISOs to be too quick to hire permanent staff before adequately evaluating their needs. But blindly trying to build complex capabilities in-house is often a strategic mistake that blows budgets and exposes critical systems as the hiring process continues.

    Take security operations centers (SOCs), which some cybersecurity teams try to build internally. An effective security detection and response function requires several complementary skills: investigators, malware analysts, incident managers, forensic investigators, etc. These resources do not come cheap. For example, incident managers can command up to $139,000 per year, according to a salary research firm.

    An alternative approach is to think carefully about the functions that can be cost-effectively outsourced to specialized firms. A CISO I worked with understood this. When starting a new role, the CISO determined that the predecessor’s approach of building an internal SOC was wrong. The new CISO decided to outsource this stalled project to a global threat prevention, detection and response company. By steering the ship in the opposite direction, the organization had all of its high-value digital assets onboarded within two months onto the same SOC platform used by several Fortune 500 companies, improving detection and response capabilities without bringing in expensive remote workers.

    Leveraging the industrial-scale computing power of a global SOC, massive datasets, and advanced machine learning algorithms, the cybersecurity team eliminated billions of false positives, sharpening its focus on bona fide threats. The decision to outsource has freed up money and time for the cybersecurity team to drive cyber transformation.

    3. An obsession with security audits

    Tightening data protection laws have led to a wave of cybersecurity audits. But some cybersecurity teams get bogged down in endless audits, uncovering more issues than they can handle. These costly and duplicative audits often take up a lot of time, distracting teams from their primary mission of securing critical systems. They also create friction with IT teams, who feel that the loosely aligned audit teams keep asking the same questions. As audit fatigue invariably strikes, these reviews become worthless because the audit reports are archived and forgotten after they are issued.

    Don’t get me wrong, carefully planned audits are an integral part of cyber resilience strategies. Here are three strategies cybersecurity teams can deploy to save money and ease the strain on IT teams.

    1. Actively involve internal and external auditors to avoid unnecessary assessments and reduce pressure on IT teams.

    2. Instead of going an inch deep in many areas, prioritize assessing the high-value systems that support your competitive advantage, trade secrets, or most profitable business areas.

    3. Start with the basics (e.g., high-risk supplier audits or privileged access assessments) before taking on complex assurance activities (such as red teaming or threat hunting).

    More needs to be done, but it’s heartwarming to see business leaders devoting more resources to cybersecurity. However, sustainable resilience also requires Chief Information Security Officers (CISOs) to be extremely austere. The modern CISO is both a transformational leader and a voice of financial prudence.

    They must relentlessly scrutinize every cybersecurity spend based on its ability to protect the organization’s most important digital assets and contribute to shareholder value. Otherwise, they could end up with deeper pockets but a weakened cyber-resilience posture.
