It’s that time of year when IT professionals meet with finance to determine their budget for the year ahead. And this year’s planning process appears to be a gloomy endeavor with the industrywide view that cyberthreats will continue to evolve, both in terms of their destructive capability and their stealth in evading detection. With this constant threat evolution, what features should IT staff be looking for in their security products, and how much should they be expecting to spend?
Greater spending on cybersecurity products hasn’t entailed a better organizational security posture. Despite the millions of dollars spent by organizations year after year, the average cost of a cyberattack jumped by 50% between 2018 and 2019, hitting $4.6 million per incident. The percentage of cyberattacks that cost $10 million or more nearly doubled to 13% over the same period.
Enterprises are using a diverse array of endpoint agents, including decryption, AV/AM and EDR. The use of multiple security products may, in fact, weaken an organization’s security position: the more agents an endpoint has, the greater the probability it will get breached. This wide deployment makes it difficult to standardize a specific test to measure security and safety without sacrificing speed. Buying more cybersecurity tools tends to plunge enterprises into a costly cycle of spending more time and resources on security solutions without experiencing any parallel increase in security.
However, in a mad chicken-and-egg pursuit, this trend of spending more on security products persists due to the rising costs of a security breach. It’s no wonder, then, that global spending on cybersecurity is forecasted by Gartner to exceed $124 billion this year.
Deloitte’s “2019 future of cyber” survey shares some useful findings on how enterprise-level organizations are spending their time and money on cybersecurity.
The security executives surveyed said three areas get a substantial portion of their time: cyber monitoring and operations, cybersecurity governance, and cyber resilience. Each of these cyber domains gets 12% or 13% of their time, compared to the 7% to 8% of other domains.
The responses to the question asking them to identify their organizations’ most challenging aspects of cybersecurity management were also clustered together. The most popular response, at 16%, was data management complexities, and the least popular response, at 12%, was inadequate governance.
These results indicate that CISOs are investing time and resources into security efforts that are cost-intensive, which creates a vicious cycle that accelerates and perpetuates itself, as the more expensive point solutions demand more of a CISO’s time and focus. They also indicate the need for solutions that are more autonomous and solve security problems at the root cause.
When researching cybersecurity solutions, here are some cost-efficiency strategies that can be implemented:
• Focus on prevention. Select a solution that stops a cyberattack before execution. A detection-and-response approach costs far more than prevention. Prevention of data breaches or other attacks reduces an organization’s financial exposure from all perspectives, from remediation costs to productivity loss and liability costs.
• Look at the metrics. A cybersecurity vendor should be able to provide metrics that demonstrate its solution achieves high detection rates with low false-positive rates. A high rate of false positives increases the labor costs of analyzing and assessing false alerts and validating programs for inclusion on a whitelist.
• Reduce and minimize security layers. In light of the fact that more agents on an endpoint don’t minimize the likelihood of a breach, try to resist the temptation to implement the many niche products available on the market. A more effective option is to select one platform that provides cover for all devices and operating systems present in an enterprise’s ecosystem while also providing the widest possible coverage for the various threat types that are prevalent in your industry.
• Greater automation. There are many sophisticated security tools out there that may provide you with a wealth of data and security information but do very little to actually identify and clean up attacks that have successfully penetrated your organization. This magnifies the risk of alert fatigue in an industry that is already suffering from a cyber skills shortage. Automating more cybersecurity tasks to detect and prevent threats reduces both dependence on human expertise and the risk of human error.
When CISOs are considering different solutions, each vendor should be able to give them a one-page product sheet that clearly defines the broad scope of a solution’s quantifiable benefits: the range of environments it provides coverage for, the operating systems it can be applied to and what processes it can automate. The one-pager should also make clear whether the solution takes more of a predict-and-prevent posture or that of detection and response.
The goal should be to find a single agile solution that can check the box on all these strategies, which combine to increase both cost efficiency and enterprise security.
Article originally published in Guy Caspi’s Forbes Technology Council Profile