As the cybersecurity landscape evolves rapidly, organizations are working harder than ever to navigate security threats without interrupting business growth and innovation. However, cyber threats are, by definition, unrelentingly chaotic. They are governed by unfair rules, evolve constantly and remain unpredictable, leaving organizations constantly grappling to keep up. This, of course, is totally by design. It not only benefits cybercriminals; it is also used for commercial leverage by security vendors who promise to offer businesses the next ‘silver bullet’ for all their security woes.
“Chaos is a ladder in The Game of Thrones” - Bran Stark
IBM commissioned Forrester Consulting to evaluate the state of security complexity and the effect it has on security efficiency and effectiveness. To explore this topic, Forrester conducted a survey with 200 global security professionals responsible for security strategy and/or security technology purchases. It was discovered that nearly all respondents report concerns over complexity.
Based on my extensive observation over the years, I’ve witnessed that there still remains a certain nascent quality to the way in which cyber security solutions are provisioned. More often than not, organizations have responded to the increasing threat of data theft by investing in an eclectic mix of point solutions. Most of these will undoubtedly have promised the world, but sadly, and more often than not, they end up becoming part of a haphazard, disjointed system that only hinders the ability to stop or spot breaches.
The report by IBM confirms this observation: organizations do not benefit from adding more point solutions, and despite the tall claims made by security solution vendors, those solutions do not simplify anything. On the contrary, they further compound an organization’s concerns and rapidly deplete its resources by requiring lengthy deployment cycles, complex integrations and extensive user training, all just to ensure that these multiple technology investments deliver results.
The Fog of More
Tony Sager, Senior Vice President and Chief Evangelist of the Center for Internet Security, talks about ‘The Fog of More’. Essentially, he is referring to the challenges that complexity introduces: the more there is to think about and manage, the harder it is to do. While the goal may be to increase the sophistication of your security systems, ‘analysis paralysis’ creeps in fairly quickly, because the complexity of disparate systems is not easy to reconcile or leverage in meaningful ways.
Data from the US Government Accountability Office concludes that data breaches are outpacing spend on cyber security solutions by a factor of 4 to 1. The evidence is quite clear: we cannot spend our way out of trouble!
And yet, the IBM report indicates that while organizations are spending more, they may not necessarily be doing so wisely. There is immense organizational pressure on business leaders to ensure that they are preemptively avoiding harmful data breaches. As a result, they are now investing their increased security budgets into a wide variety of disparate point solutions. The study found that, on average, 52% of security products and 77% of vendors have been added within the last two years. This buying frenzy has intensified the complexity of the security system, but it has not necessarily added value to the overall maturity of an organization’s security program.
Further compounding this predicament is a skills deficit combined with massively varied growth in data volume and type. While data that has to be managed and secured grows exponentially, there simply aren’t enough people to do it, which leads organizations again to the default solution of wanting to buy more technology to help solve the problem. Unfortunately, this rarely, if ever, actually pays off.
The Way Forward: Cybersecurity as an Ongoing Process
What we have to do, and in fact must do, is regard cyber security first and foremost as an ongoing process. Yes, that process should be underpinned by technology, but the acquisition of point solutions has to be done to fill identified gaps in a proven, best-practice security process. What I’ve observed, and what is also validated by the IBM report, is that organizations that have taken steps to simplify their security ecosystems, including consolidating solutions onto a single management platform, have seen meaningful outcomes.
Invest in User Education
End users within an organization often tend to be the biggest risk to its information security. Often due to a lack of awareness, your employees may inadvertently compromise security, whether by action or inaction, leaving the virtual gates of your organization open to attackers.
With cyberthreats becoming more complex and menacing, as well as the sharp rise in the consumerization of IT and BYOD, it is more important than ever to offer comprehensive training and education to your employees about security attacks and means of protection.
Adopt a Framework Approach
By adopting a framework approach, you can avoid any potential ‘emotional purchase’ and ensure that any technology you do buy has a unified and shared purpose, is aligned with all the other solutions you deploy, and contributes to your ultimate aim of securing your organization’s data as effectively and efficiently as possible.
NNT recommends the Center for Internet Security (CIS) Critical Controls, a well-established and proven framework that is both group-based and risk-based, making it appropriate and effective for organizations of every size and shape.
I suggest starting with the first 6 CIS controls, all of which can be underpinned with a few clever technology purchases, and building up from there. This alone has proven to mitigate north of 90% of all breaches and will elevate you into an elite group of organizations doing things the most cost-effective way.
If you’ve been caught in an avalanche of technology options for cybersecurity and can’t decide the best way forward, I recommend pressing the pause button for a while, considering how to simplify your strategy and, most importantly, familiarizing yourself with a best-practice approach for protecting your organization's critical assets and data.
If you’re looking to draft an approach to build your security foundation and want to know how you can automate the CIS controls, please download our Essential Guide to the CIS Controls.