From “more” to “better”: security optimisation is the key to fixing a broken industry

Cybersecurity is sometimes described as an arms race, as malicious actors find new and faster ways to attack while security teams strive to mount a more effective defence. But for many CISOs and heads of security, it can feel more like they’re being asked to jump on a hamster wheel designed by Kafka. The security industry is constantly pushing them to implement more technology, especially whatever vendors and partners have deemed the latest “must have”, along with more people to implement, manage and operate it. It’s certainly good for the industry’s bottom line: according to Gartner, spending on security and risk management worldwide is expected to exceed $150 billion in 2021, up by more than 12% on the previous year.

Yet, despite all this focus and more spending on security controls, companies are experiencing more breaches and more damage than ever before. Something is clearly not working, because:

• Security breaches were up by 11% between 2018 and 2019 — and have grown a massive 67% since 2014 (source: Accenture)
• Ransomware attacks are on the rise, with UK businesses reporting that the proportion of cyber incidents attributed to ransomware doubled in the first half of 2021 compared with the first half of 2020 (source: KnowBe4)
• In 82% of cases, security controls were in place but failed (source: Verizon)
• 85% of breaches involved a human element (source: Verizon)
• 60% of incidents could have been blocked if patches had been applied (source: Ponemon)

So just what is going wrong with the current “more, more, more” approach?

1. Controls are failing — routinely and silently

Security teams have traditionally measured the success of their controls by tracking how many attacks they’ve detected or blocked. But the real measure of a security control is not how many times it stops an attack; it is how often it fails to fire when an attack it should have caught takes place. One reason we’re seeing an increase in security breaches is that the controls we’ve put in place are failing routinely and, all too often, silently, so no one notices until after a breach has occurred.

A recent report by Debate Security argues this is happening in part because there’s a problem with the “efficacy” of the cyber technologies we’re implementing. All too often, tools don’t actually do what they’re supposed to, do it badly, or need to be set up, operated and maintained perfectly to be fully effective, yet don’t make it easy for security teams to get that right. Security teams don’t have the time or money to evaluate new systems in depth and may rely too heavily on vendors for advice. While vendors are probably not deliberately trying to mislead customers, they’re more likely to take a rosy view of their own solutions and over-estimate what they can deliver.

It’s also happening because testing of existing controls isn’t adequate. The only way to check if a control really is working properly is to “light it up” or trigger it in the same way an attacker would. But traditional penetration testing services can only ever provide a series of snapshots of what’s happening at a particular time, while they’re sometimes limited in scope, focusing on a few common issues, without the persistence and ingenuity of a real attacker. There simply aren’t enough people or resources to test every control continuously and comprehensively using traditional methods.
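As an added illustration (not part of the original post, and not Bright Cyber’s tooling), the small Python harness below shows the “light it up” idea for one kind of control: a command-line detection rule. A constructed rule set stands in for a SIEM or EDR, each test supplies an attacker-style command line together with the rule expected to fire on it, and the report counts failures rather than hits, separating a control that exists but did not fire (a silent failure) from a technique that has no control at all (a coverage gap). The rule names, technique labels and command lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed detection rules standing in for a SIEM/EDR rule set. They are
# hypothetical, not any vendor's real content, and are deliberately of the
# "match on binary name / flag spelling" kind that is common in practice.
RULES = {
    "encoded_powershell": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand)\s+\S+", re.I),
    "lsass_dump": re.compile(r"\bprocdump.*\blsass\b", re.I),
    "mimikatz_name": re.compile(r"\bmimikatz\b", re.I),
}


@dataclass(frozen=True)
class ControlTest:
    """One attacker-style trigger and the control that should fire on it."""
    name: str           # constructed label, ATT&CK-style
    command: str        # constructed command line an attacker would run
    expected_rule: str  # name of the control expected to fire


# Constructed test cases. Two are the textbook form a vendor demo would show;
# three are the small variations a real attacker makes without thinking.
TESTS = [
    ControlTest("T1059.001 encoded PowerShell",
                "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
                "encoded_powershell"),
    ControlTest("T1003.001 LSASS dump via procdump",
                "procdump64.exe -ma lsass.exe C:\\Temp\\out.dmp",
                "lsass_dump"),
    ControlTest("T1003 mimikatz, binary renamed",
                "C:\\Temp\\svchost_.exe privilege::debug sekurlsa::logonpasswords",
                "mimikatz_name"),
    ControlTest("T1059.001 encoded PowerShell via pwsh -e",
                "pwsh -e SQBFAFgAIAAoAE4A",
                "encoded_powershell"),
    ControlTest("T1547.001 Run-key persistence",
                "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                "/v Updater /d C:\\Temp\\payload.exe",
                "registry_run_key"),
]


def evaluate(tests, rules):
    """Map each test name to 'fired', 'silent_failure' or 'no_control'.

    'silent_failure' is the case the text is about: the control exists and
    would be counted as deployed, but did not fire on an attacker-style input.
    'no_control' is a coverage gap, which needs a different remediation.
    """
    results = {}
    for t in tests:
        rule = rules.get(t.expected_rule)
        if rule is None:
            results[t.name] = "no_control"
        elif rule.search(t.command):
            results[t.name] = "fired"
        else:
            results[t.name] = "silent_failure"
    return results


def summarise(results):
    """Count outcomes; the number to watch is everything other than 'fired'."""
    counts = {"fired": 0, "silent_failure": 0, "no_control": 0}
    for outcome in results.values():
        counts[outcome] += 1
    return counts


def failure_rate(results):
    """Fraction of attacker-style triggers that went undetected."""
    if not results:
        return 0.0
    return sum(1 for v in results.values() if v != "fired") / len(results)


if __name__ == "__main__":
    res = evaluate(TESTS, RULES)
    for name, outcome in res.items():
        print(f"{outcome:15} {name}")
    print(summarise(res), f"failure rate {failure_rate(res):.0%}")
```

Run on the constructed cases, both textbook triggers fire, both attacker variations (a renamed binary, a different PowerShell host and flag spelling) fail silently, and the run-key case has no control at all: a 60% failure rate from a rule set that would look fully “deployed” on a dashboard counting blocks. In a real environment the tests would be real commands run on a test host and the check would read the SIEM or EDR for the resulting alert, but the bookkeeping is the same.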

2. Security teams keep having to fix the same issues — again and again

Security teams are busier than ever as the number of incidents grows but either don’t have the budget to hire more staff or can’t find suitable candidates. Security vendors have responded with ever more sophisticated protection, detection and incident management tools to fill each gap. Yet many security teams waste a lot of their time dealing with the same issues, over and over, because nobody is taking the time to fix the underlying cause.

That’s often because the root cause sits outside the security team’s sphere of control. It might be the result of poor security hygiene in the internal IT operations team, which doesn’t have effective processes for ensuring patches are applied swiftly. It might flow from the way the devops team is using and securing APIs when building line-of-business apps. Or it could be caused by a poor security culture among end users, so that they don’t spot phishing scams. It’s a vicious circle: the security team is too busy firefighting immediate issues to have the time to build better relationships with stakeholders, which is what would allow upstream issues to be addressed before they have an impact.

Tools that use automation and artificial intelligence to take the grunt work out of responding to incidents and free analysts for more proactive threat hunting undoubtedly have a role to play in helping businesses become more secure. But applying them over flawed processes that generate unnecessary alerts means security teams are pushed to spend more on technology and it inflates the “benefits” that can be claimed by vendors — while failing to optimise how the available resources are being used.

3. Stakeholders and the security team aren’t on the same page

Not having the power to fix the root causes of security issues isn’t the only way that a lack of engagement between stakeholders and the security team can undermine security operations. You can have great technical solutions, a skilled security team and excellent security policies in place, but you’re still going to struggle if business users, from the boardroom to the front line, don’t understand the risks as well as the benefits of their business decisions and actions. At one end of the scale, the business may not consider the increased attack surface created by deploying new technologies to support digital transformation, or may put systems into production without adequate security testing. At the other, users who don’t have a cyber-savvy mindset can put business operations at risk with actions as small as unthinkingly clicking a suspicious link in an e-mail or opening an attachment from an unknown sender.

Equally, security teams sometimes don’t take the time to really understand what the organisation is trying to do and how security measures need to fit around and support business workflows. After all, it’s a comedy trope that “Security” only exists to get in the way of people doing their job. Increasing the size of the security team — with in-house hires or external contractors — or buying and implementing new security solutions or spending more time and money developing more detailed policies won’t make the organisation more secure if security measures are so onerous for the business that users are finding ways to disable or bypass them. Yet vendors are still trying to convince security teams that more tools or services will bridge the gap.

4. (Limited) resources aren’t being targeted correctly

There’s another consequence when the security team and the business don’t engage fully with each other. Every business faces its own specific — and constantly changing — combination of threats and risks, governed by its technical, operational, regulatory and cultural environment. Yet too many companies don’t spend enough time, on a regular basis, considering how they’re most likely to be attacked, which of their systems, data and activities are the most critical and sensitive, how current processes and practices in every area of their operations affect their exposure, and how effectively their current mix of people, process and technology addresses those threats and risks. Without that visibility and feedback, security teams aren’t always focusing the limited resources available to them on the areas that really matter. Nor are they able to easily evaluate whether the tools that vendors are pushing at them will meet the particular needs of their business or deliver the promised benefits. Piecemeal investment in security solutions can also lead to not just gaps in defences but also duplication, so resources are wasted on running two systems that handle the same issue.

5. Traditional security processes don’t scale

We’ve already mentioned that there aren’t enough people to carry out rigorous, continuous testing of controls using traditional approaches and tools. The same applies to many other areas of cybersecurity. It’s time-consuming for analysts working with separate security solutions for each kind of infrastructure to manually review and respond to alerts and all too easy for “alert fatigue” to set in, so that threats are missed. It’s also easy to miss that events in different systems are related. There’s often no time for proactive threat hunting or for keeping abreast of new threats to understand their likely impact on the business and identify what changes need to be made. And all of this will only get worse as increasing levels of digital transformation expand the attack surface, as new threats emerge and as attacks increase, in part thanks to the growth in massively scalable automated tools that can be used by relatively unskilled malicious actors. Yet the industry is only too happy to sell customers more licences or services rather than help them create scalable processes complemented by scalable tools.

Not “more” but “better”

It’s clear that the current approach to cybersecurity is broken. Throwing more technology, more people and more budget at the problem is not working. Organisations are continuing to be breached, often in ways that could be prevented with relatively simple changes to the existing technology and processes, or to how people think about cyber security. Vendors, however well-meaning, are focused on their own niches and are mostly motivated by selling ever more solutions and more services. Too much of the industry has become focused on simply growing its own revenues rather than providing high-value solutions that reduce the cost and resource burden on customers. The elephant in the room is that true optimisation is not necessarily in the interest of every player in the industry.

CISOs are becoming increasingly aware of this asymmetrical relationship, and the security industry needs to take heed by facilitating a different approach: one that focuses on optimising resources for customers so they can scale operations in the escalating fight against cyber criminals. We need to stop doing “more” and start doing “better”.

Here at Bright Cyber, our focus is on helping organisations like yours to optimise their security operations and move from doing “more” to doing “better”. In our next blog post, we’ll look at some of the steps you can take to make that happen. But if you’d like to find out more right now about how we do it and what we could do for your cyber security team, get in touch with us for an initial consultation.
