Cyber Security is easy, right? – Can we buy our way out of cyber security debt?

After years of neglect we are now allocating budget to cyber security tools. We try to purchase a new system every year to keep progressing and improving, and we stretch our budgets to afford the best, but things never seem to really get any better.

Before identifying the next new system to procure, we should ask ourselves, “do we really need it?” Cyber security debt is not necessarily technical or financial debt, so are we expecting to buy our way out of trouble? Do we actually need to? Do we have full visibility of how effective our current toolset is? Do we really need a new “cyber” system to deal with alerts and malware analysis, or do we need to improve the configuration of an existing IT tool so that the new system is not required at all?

Unfortunately “money spent” does not equal “well secured”. Yet there seems to be a compulsion to buy a new tool, any tool, in the hope that it returns a reduction somewhere in our attack surface.

To be confident that we are buying the correct tool for us at the right time, and that we actually need it, we should be conducting regular assessments of our current toolsets.

This is not often high on the agenda for most organisations, for whom a typical list might consist of:

  • Purchase new cyber product ‘A’.
  • Recruit more cyber staff.
  • Request finance for new Next-Generation product ‘B’ for next year.
  • Struggle to retain the current cyber team.
  • Ensure the latest cyber compliance requirements are being met.

Regular assessments of our current toolset are a critical component of any cyber security programme. In the same way we can’t defend what we don’t know about, we can’t progress our maturity if we don’t understand our current state. 

Whether or not a tool is fit for purpose is incredibly subjective and we need to understand our own environment and infrastructure before making any new purchase. We also need to understand how that technology “fits in” with our current architecture. 

“Best-in-breed” does not always mean best for us. 

There are many things which influence how effective a given technology is. These range from how well our staff are trained, to how well it integrates with our other tools, to whether it is well configured and whether that configuration is maintained over time.

Yes, next-generation super cyber product ‘A’ may be amazing and well worth the cost to a large multi-national corporation with offices all over the globe, or even to a smaller rival with an incredibly mature cyber programme. However, if our own internal security programme is only mature enough to fully utilise 50% of the functionality, then we are massively overspending and not seeing a return on that investment. The same applies to organisations which have an abundance of cyber security technologies that are neither well configured nor monitored by skilled staff. Both situations create a false sense of security.

Organisations will identify the purchase of a new firewall to cover off a perceived risk, then move on to the next problem. The purchase of the firewall does not equate to a reduction of risk at all if it is not correctly implemented in line with the organisation’s internal cyber security maturity, and then maintained and regularly assessed.

Yes, well-implemented tools can increase efficiency, improve protection, and improve overall business performance. However, the marketplace is awash with cyber security products, which has made this an increasingly confusing area. Often a new technology is seen as the solution to a specific problem. There is an expectation that buying product ‘A’ will resolve problem ‘A’, but this is misguided, as technology can only go so far to fill cyber security gaps.

Constant implementation of new tools and technologies is an ongoing resource strain on local IT teams. It can create a spiralling environment which is even more difficult to secure, and can result in the organisation moving backwards. Every new self-hosted system in use (including those protecting and monitoring the infrastructure) must be securely configured, managed, patched, and assessed continuously for new vulnerabilities. Each also requires additional staff training, the creation of new documentation, and available hardware or infrastructure. Maintaining security appliances can become as resource intensive as maintaining business-critical infrastructure.

Previous thinking in this area held that multiple security technology stacks should be in use, the reasoning being that if a network were compromised, having different vendors and different technologies would increase the likelihood of detection and slow an attacker down. This has since proven to be wrong: the real enemy of security is complexity. Toolsets in use should be appropriate for the size of the organisation, its maturity level, and the available staff resource. Modern strategies should aim to reduce complexity and increase automation.

Big projects take time and resources, both of which internal teams have little of. Often a new tool is not required, and an improvement within the current toolset can provide a much better return on the investment. Small incremental changes and improvements in maturity are much easier to resource and sustain. Large projects often take years to complete, and during that time the attack surface is not being reduced. Too often large improvements are also made in isolation from other areas, so the full benefits are never realised.

We should ensure we always have a clear understanding of our current toolset: the purpose behind each tool, and how often each is maintained and monitored. We should identify the strengths and weaknesses each may have, establishing whether it is correctly configured and fully utilised. This in turn allows us to make well-informed decisions before starting any new procurement or implementation.
