Originally posted on Security Boulevard on September 17, 2019

Remaining competitive means staying abreast of—and even ahead of—the latest technologies that empower business. As the network expands and creates new and greater vulnerabilities, organizations know they need to enhance their security posture. But the landscape has become so complex that it’s increasingly difficult to know which security solutions are necessary and appropriate. And that means many organizations end up buying technology that isn’t a good fit, wasting money and time but not improving their security. However, there are ways to determine which solutions or services are appropriate and will help keep the network safe.

A Digital Arms Escalation

A primary factor in this solution confusion is that vendors don’t always show all their cards. There’s a lack of transparency in the industry—and a lack of understanding about how many people, assets and resources a company really needs to realize a return on investment from many of today’s security technologies. Understaffed IT and security teams create more security risk than most companies realize.

Companies buy security technology and often fail to understand what it truly takes to effectively implement and operate that technology. This is the total cost of ownership (TCO), and for many security technologies, the TCO is higher than customers initially understand.

At the same time, cybercrime continues to grow in volume, variety and sophistication.

Hackers are increasingly well-funded and well-educated, and know all too well how to buy and sell the spoils of cybercrime on the black market. This leads to increasingly sophisticated threats from increasingly sophisticated threat actors.

The amount of budget an organization allocates to IT security does not automatically correlate with how successful they are at security, according to Gartner. A company may be spending the same amount as its peer group but may have different goals (e.g. regulatory compliance versus increased security) or have a different risk profile or risk tolerance. Gartner has found that security spending typically ranges from 1% to 13% of an organization’s total IT budget.

There are also so many security solutions to choose from that it can be difficult to select the right technology for your security strategy. In fact, studies have found that companies are using as many as 70 different security vendors and products as they struggle to determine how to achieve the healthy balance between security and functionality. But despite all of these tools being used, there are still gaps.

Poor Purchasing Decisions

A problem all too common these days is shelfware—owning or licensing software that you don’t actually need or use. A study by Osterman Research found that 30% of businesses buying new security tools often end up under-using those technologies or stop using them altogether.

This can happen when an organization focuses on compliance over actual security and risk mitigation. Other times, it’s the result of failing to understand the true cost of implementing and using the technology they purchased. Another reason, as Osterman and Gartner research have shown, is the chronic shortage of skilled security personnel required to manage and operate this technology.

In short, some of these tools go unused because they ultimately were not suitable for the organization, or because the organization lacked the personnel to make use of them. Companies must look deeper into what they need and what that will require.

Doing the Security Math

The first step in creating a strategy that avoids the digital arms escalation is to truly understand the TCO of the technology you are assessing. Security solutions often get purchased based on features and capabilities, but that ignores the matter of staffing and training. Many of the options out there require more full-time employees dedicated to using them, which can drive up costs quickly—and that’s if you can find the employees with the right skill sets.

One in every three Security Operations Center (SOC) jobs is vacant, according to CyberSeek. Turnover is often a key reason for these vacancies. Retaining skilled workers can often be harder than hiring them initially. A talent gap is a seller’s market—skilled workers can command high salaries in this environment. Organizations need to include additional salaries in their cost analysis for a security solution.

It takes the right mix of people, intelligence and tools to build your own SOC. Ideally, it is an integrated solution that can withstand the test of time and scale quickly. Many that have tried will agree this is easier said than done. Chief information security officers (CISOs) across industries frequently bemoan the lack of time and budget needed to find the right candidates. Recruitment becomes their full-time job in some cases, and that can mean their real job—ensuring their organization’s security—falls by the wayside.

As well as hiring those hard-to-find personnel, here are the advanced security tools you would need to start building your own SOC today:

  • A SIEM platform
  • Next-generation IDS/IPS
  • Threat intelligence subscriptions
  • Vulnerability scanners
  • Forensic tools
  • Endpoint forensics and detection

Staffing a facility on a 24/7 basis requires a minimum of 10 to 12 people. Employees get sick, take holidays and sometimes resign unexpectedly, so ensuring round-the-clock coverage takes a lot of people.

Help on the Horizon

However, just because you don’t have the full-time, dedicated staff needed for one solution doesn’t mean you’re out of luck. There are MSPs and other security solutions that can provide the tools you need while also supplying skilled individuals. Many MSPs have strong partnerships with SOCs, for instance. That’s far more affordable for many organizations than trying to establish a whole SOC themselves.

Many times, organizations go into a security buying decision with a “set it and forget it” approach. They buy a solution, check off the appropriate boxes and move on. Companies that fall into this trap will forever be racing to catch up as new threats arise and new solutions abound. And no matter how many tools you’re using, be it 10 or 70, none of it matters if detection and response isn’t a key element.

Today’s security solutions have a big job to do, and this often requires a bigger budget than initially assumed. It sometimes requires hiring more people with hard-to-find skills. Crunch the numbers to see if this solution will work for you or if it makes more sense to outsource. You don’t have to start from scratch if that isn’t the best approach for your organization.

Chris Braden
Vice President, Global Channels and Alliances
