Managing the security budget within any organisation can be one of the toughest jobs in the world.
According to Cybersecurity Ventures, cumulative global spending on cybersecurity is predicted to exceed $1 trillion over the five-year period from 2017 to 2021. Gartner, for its part, forecasts worldwide spending on information security (a subset of the broader cybersecurity market) at $124 billion for 2019, rising to $170.4 billion in 2022. These figures are huge, but how much of that money is being spent unnecessarily?
According to a recent survey conducted by edgescan, communicating the needs of IT security to the C-suite is one of the most disliked tasks among security professionals. Yet despite the effort that goes into convincing the C-suite of its importance, a good part of the hard-won cybersecurity budget appears to be wasted.
In fact, 39 per cent of respondents admitted their organisation had purchased a security solution that ended up in a cupboard, never used. 18 per cent of those said the unused solutions had cost their organisation £20,000 or more.
These numbers are shockingly high, but fortunately there is a checklist that businesses can go through to make sure a purchase is a wise decision, one that truly adds value to their cybersecurity strategy.
1 – Know your business
Before any decision can be made about which cybersecurity tools or solutions to purchase, organisations need to make sure they have a clear picture of what they need to protect.
A thorough risk assessment is always a good starting point and a way to gain perspective on what the potential threats to your business are, what it needs to prepare for, which parts of the attack surface are most exposed and where to concentrate security effort.
This phase should also include asset profiling, as it is impossible to protect what you don’t know is there. Every single component that is connected to the network – or has the capability to do so – needs to be accounted for.
Also, take stock of the security solutions you already have in place. Some will need maintaining or updating to support your drive to increase security; others may need decommissioning if they have simply slipped under the radar and are no longer being used.
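The two checks above (accounting for every host on the network, and spotting security tooling that is licensed but not actually in use) are simple enough to script once the data is collected. The following is an added example, not code from edgescan or the original article; the inventory, the observed-host list and the tool records are all constructed sample data, and the 90-day idle threshold is an assumption chosen for illustration.

```python
"""Reconcile an asset inventory against hosts actually observed on the network,
and flag security tools that are deployed but idle. Added example with constructed data."""
from datetime import date

# Constructed sample data: what the CMDB / asset register says we own.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "owner": "platform"},
    "10.0.1.11": {"name": "web-02", "owner": "platform"},
    "10.0.2.5": {"name": "db-01", "owner": "data"},
    "10.0.3.7": {"name": "old-jenkins", "owner": "unknown"},
}

# Constructed sample data: hosts seen on the wire this week, e.g. from DHCP leases,
# switch ARP tables or a discovery scan, with the date each was last seen.
OBSERVED = {
    "10.0.1.10": date(2020, 1, 14),
    "10.0.1.11": date(2020, 1, 14),
    "10.0.2.5": date(2020, 1, 13),
    "10.0.4.22": date(2020, 1, 14),  # nobody recorded this one
    "10.0.4.23": date(2020, 1, 12),
}

# Constructed sample data: security products on the books and whether they are doing anything.
TOOLS = [
    {"name": "EDR agent", "seats": 500, "agents_reporting": 470, "last_alert": date(2020, 1, 13)},
    {"name": "WAF appliance", "seats": 1, "agents_reporting": 1, "last_alert": date(2019, 2, 1)},
    {"name": "DLP suite", "seats": 200, "agents_reporting": 0, "last_alert": None},
]

TODAY = date(2020, 1, 15)  # assumed reporting date for the example


def reconcile(inventory, observed):
    """Return (unknown, unseen): hosts on the network that are missing from the
    inventory, and inventoried hosts that never appeared on the network.
    The first list is the 'you can't protect what you don't know is there' gap;
    the second is either stale inventory or kit that is switched off."""
    unknown = sorted(set(observed) - set(inventory))
    unseen = sorted(set(inventory) - set(observed))
    return unknown, unseen


def idle_tools(tools, today, max_idle_days=90):
    """Names of tools that have no reporting agents or have not produced an
    alert within max_idle_days: candidates for the 'bought and never used' list."""
    idle = []
    for tool in tools:
        last = tool["last_alert"]
        silent = last is None or (today - last).days > max_idle_days
        if tool["agents_reporting"] == 0 or silent:
            idle.append(tool["name"])
    return idle


if __name__ == "__main__":
    unknown, unseen = reconcile(INVENTORY, OBSERVED)
    print("On the network but not in inventory:", unknown)
    print("In inventory but never seen:", unseen)
    print("Security tools that look idle:", idle_tools(TOOLS, TODAY))
```

In practice the inventory would come from the CMDB or cloud provider API and the observed list from DHCP, ARP or a scanner; the point of the reconciliation is that both lists are wrong in different ways, and the differences are where the budget questions live.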
2 – Know your people
It is essential for organisations to be realistic about what they can ask of their cybersecurity team. It is no secret that the skills gap in the IT security sector makes it hard for any organisation to find and retain the right talent. The task is even harder for SMEs and smaller in-house teams, as larger organisations can often offer better benefits and career prospects, and headhunt security professionals with attractive bonuses and perks.
Effective security solutions need to be chosen on the basis of the staff available who have the skill, and the time, to operate them. Purchasing an expensive automation tool, for instance, may seem like an effective way to reduce the workload of security professionals, but if it generates a huge volume of false positives it becomes counterproductive and a drain on the very time it was meant to save.
Based on the bandwidth your business has, you may choose to outsource certain parts of your security strategy to a Managed Service Provider, effectively benefitting from a larger, often more specialised team.
3 – Know your workflow
Security should be designed into workflow operations from the beginning, just as it should be designed into technological products. When it is bolted on at a later stage it inevitably works a little less smoothly and can itself create vulnerabilities. Designing it in from the start, unfortunately, is not always possible.
There are, however, so many different variations of security solutions available that organisations can aim to find the one that best fits their processes and procedures, creating minimal disruption to employees’ workflows.
This is particularly important when choosing an Identity and Access Management (IAM) solution, which requires the cooperation of every employee in order to be effective. If the authentication process is too lengthy, users will often find ways around it, and those workarounds weaken the very control the solution was bought to provide.
4 – Measure your success
Security strategies need to be continuously measured and assessed. Previously, a one-off penetration test was enough to provide information on the strength of the protective systems in place, but the current threat landscape is far too dynamic for that to be sufficient.
Organisations should aim to adopt tools that allow them not only to measure their response times, and whether those are consistent, improving or worsening over time, but also to continuously monitor their digital assets for vulnerabilities and exposure to known exploits.
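The response-time measurement described above comes down to tracking how long each finding stays open and whether that figure is moving in the right direction. The following is an added example, not code from edgescan or the original article: it computes the median days-to-remediate per month from a constructed list of findings, classifies the trend, and lists findings that have breached an assumed per-severity SLA. The severity SLA values and the reporting date are assumptions for illustration.

```python
"""Time-to-remediate metrics over a constructed set of vulnerability findings.
Added example; the findings, SLA targets and reporting date are all made up."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed findings: (severity, first_seen, fixed). fixed is None if still open.
FINDINGS = [
    ("high", date(2019, 10, 2), date(2019, 10, 18)),
    ("critical", date(2019, 10, 5), date(2019, 10, 9)),
    ("medium", date(2019, 10, 15), date(2019, 11, 10)),
    ("high", date(2019, 11, 3), date(2019, 12, 1)),
    ("critical", date(2019, 11, 10), date(2019, 11, 17)),
    ("high", date(2019, 12, 1), date(2019, 12, 31)),
    ("critical", date(2019, 12, 8), date(2019, 12, 20)),
    ("high", date(2019, 12, 15), None),  # still open at the reporting date
]

# Assumed remediation targets in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

AS_OF = date(2020, 1, 15)  # assumed reporting date


def days_open(first_seen, fixed, as_of):
    """Days between discovery and fix; an open finding counts its age so far."""
    return ((fixed or as_of) - first_seen).days


def monthly_median_ttr(findings, as_of):
    """Median days-to-remediate, keyed by the month (YYYY-MM) a finding was first seen.
    Open findings are included at their current age so a backlog cannot hide."""
    buckets = defaultdict(list)
    for sev, seen, fixed in findings:
        buckets[seen.strftime("%Y-%m")].append(days_open(seen, fixed, as_of))
    return {month: median(vals) for month, vals in sorted(buckets.items())}


def trend(series):
    """'improving' if each month's median is no higher than the last,
    'worsening' if each is no lower, otherwise 'mixed'."""
    vals = list(series.values())
    pairs = list(zip(vals, vals[1:]))
    if all(b <= a for a, b in pairs):
        return "improving"
    if all(b >= a for a, b in pairs):
        return "worsening"
    return "mixed"


def sla_breaches(findings, as_of):
    """(severity, first_seen ISO date) for every finding open longer than its SLA."""
    return [
        (sev, seen.isoformat())
        for sev, seen, fixed in findings
        if days_open(seen, fixed, as_of) > SLA_DAYS[sev]
    ]


if __name__ == "__main__":
    series = monthly_median_ttr(FINDINGS, AS_OF)
    for month, value in series.items():
        print(f"{month}: median {value} days to remediate")
    print("Trend:", trend(series))
    print("SLA breaches:", sla_breaches(FINDINGS, AS_OF))
```

Counting open findings at their current age is the deliberate design choice here: if only closed findings were measured, a team could make its numbers look better by simply not fixing the hard ones.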
Security teams often have a hard time proving Return on Investment (ROI), because their work consists of preventing bad things from happening rather than creating profit or driving sales.
To avoid precious security budget being wasted, the most important thing IT teams can do is know the business thoroughly and choose solutions that work with the business rather than hinder it. Create a plan of action for integrating those tools and solutions without disruption, but also be honest about whether the practices already in place are actually working.
Being fully aware of an organisation's current security posture and of what it already has in place (or has already purchased and never used) can go a long way towards reducing budget wastage and saving costs in the future.
Eoin Keary, CEO, edgescan