The Cybersecurity Paradox
The cybersecurity industry is nothing if not crowded. If you ever attended a security event, like RSA “crowded” is an understatement, both figuratively and literally. There are hundreds of vendors and many more attendees, all hoping to find that missing piece to their security stack puzzle. Yet more often than not, attendees are likely to leave a conference awash with brochures all promising to deliver very similar, if not the same, benefits.
However, this hyperbole contrast greatly with the sober reality that increased spending trends have not equated to improved security. Over the past ten years or so, the budget organizations have allocated for cybersecurity strategies have tripled. This increased budget must mean cybersecurity challenges are finally solved. We can all go home now, trusting organizations are now secure. Of course, that is not the case.
Recently we partnered with the Ponemon Institute to survey IT and security professionals on their perceptions and impacts of prevention during the cybersecurity lifecycle. With over 600 participants from many different industries providing feedback, we believe the results of the survey to be representative of the security landscape. Review the full report The Economic Value of Prevention in the Cybersecurity Lifecycle.
Survey respondents have found that delivering a continuous and consistent level of prevention is difficult, with 80% rating prevention as the most difficult to achieve in the cybersecurity lifecycle. So, it is no surprise that almost 80% of budget funds non-prevention priorities (containment, detection, remediation, and recovery). Here is where things get frustrating and confusing. 70% of respondents believe the ability to prevent would strengthen their security posture. When asked how much preventing attacks could drive down costs, respondents estimated savings between $396,675 and $1,366,365 (for ransomware and nation-state attacks respectively). Couple this information with the fact that 40% of the respondent feel their security programs are underfunded, and you find yourself scratching your head. Why are organizations spending their scarce budget in ways that seem contrary to their interests?
I am a big fan of examples, so let us use one here to crystallize the situation.
You are a CISO for a company with 1,500 employees and 2,000 endpoints, servers, mobile devices, etc. spread across several geographies. You have a $10 million budget for security; $6 million of that budget is spent on a security stack of products focused on reacting to an active threat and $2 million is spent on an AV “prevention” solution that you know is not very effective.
Let’s say, for argument sake, that you have three significant security incidents a year. Not hair on fire incidents, but incidents that require calling in outside help to return to a normal state. These three incidents (two phishing, one ransomware) set you back roughly $2 million in containment and remediation costs. By its end, you’ve essentially used your entire budget and improved your cybersecurity posture by 0%.
You know that if you were able to prevent these security incidents from happening, let’s even be conservative here and say you prevent two of the three incidents (one phishing, one ransomware) you could avoid spending $1.5 million yearly. Your “effective” security budget would keep its value and not drop to $8.5 million, and you could argue your cybersecurity posture has improved by 66% (with two of the three security incidents being non-events).
If the definition of insanity is doing the same thing over again and expecting a different result, this current pattern begs critical evaluation. I propose two reasons why the results of this survey indicate a dysfunctional relationship between budget allocation and resulting security posture.
The failed expectation of machine learning prevention tools
The understanding of attackers of how to circumvent even advanced machine learning prevention tools has developed and proven successful. While many of these solutions do a relatively better job at preventing successful attacks compared to legacy AV solutions, the illusion of near-complete prevention never materialized, especially in regards to zero-day, or unknown, threats. As a result, budgets are back into the detection and response mode. In fact, respondents report they are more confident in their ability to contain an active breach (55%) over other tasks along the cybersecurity lifecycle.
Plan B: Speeding-up detection and response
Perceiving continuous prevention as a “fool’s errand,” organizations are taking a “cause least harm” approach to secure their organization. This involves a focus on technologies aimed at shrinking attacker dwell time to limit the impact of the inevitable attack. This approach makes perfect sense, considering the constant refrain across the security vendor landscape that “it’s not if, but when” an attack will succeed. If an attack is inevitable, it would be irresponsible for security departments to prioritize investment in any other way. To that end, an overwhelming percent of respondents (76%) are no longer even considering improving their prevention efforts given the perceived inherent fallibility.
The joint research with Ponemon could be considered a gloomy picture of security and IT professionals tasked with the enormous responsibility of keeping their organizations secure with a limited budget, facing unlimited threats. They work with security vendors who repeatedly fail to deliver on expectations, while a continuous stream of new vendors make the same promises they have heard for years.
So, why take another look at prevention? Prevention has evovled in the last few years with deep learning technology enabling an advanced predicitive analysis of threats that has to date achieved unparallel accuracy and speed. Unlike machine learning, that requires a human expert to effectively guide the machine through the learning process by extracting features that need to be learnt, deep learning skips the human process to analyze all of the available raw data. This results in the ability to prevent new first seen attacks, like zero-days, and achieve a better detection rate against a broader range of attack vectors. The predictive capabilities of the deep learning ai algorithm are also platform agnostic and can be applied across most OS and environments.
Over the past decade or so, total spending on cybersecurity has more than tripled with some forecasting overall spending to eclipse $1 trillion in the next few years. 50% of respondents say their organization makes budgetary decisions that deliver limited to no improvement to their overall security posture. Furthermore, the licensing on expensive but ineffective technology can lock in portions of future budget dollars, inhibiting the security team’s ability to take advantage of better security solutions as they enter the market. Sadly, unless something changes radically, I’d suspect a similar survey completed in 2024 or 2025 may show the same kind of results we see today.
It’s time for wide-scale change that addresses the root of the problem, I propose a sea change that begins earlier in the cybersecurity lifecycle – prevention.
Preventing more attacks from succeeding will have a knock-on effect across your entire security investment. More time will be available for security analysts to think strategically, making better use of the security tools at their disposal. Management can also benefit from better prevention over time, analyzing the value of their entire security investment, optimizing both technology and resource allocations, with a focus on process improvements rather than constant repair and recovery.
The good news for security professionals is that there are advanced prevention technologies in the market today that provide real value. Security professionals need to demand more from their security vendors when it comes to prevention, and if they are not able to improve prevention, then look for someone who can.
Prevention is by no means a cure-all for everything security. However, with a constantly evolving threat landscape and ever-changing business priorities, rethinking prevention can make everyone involved more effective.
Deep Instinct and the Ponemon Institute will be hosting a joint webinar discussing these and other key findings on April 30th at 1pm EST. Click here for more information and to register.