Originally posted in Channel Futures on July 17, 2019
As more applications move to the cloud, and as more information is digitized and other technology strategies (BYOD, IoT) are employed, today’s corporations have increasingly become unwitting participants in a security arms race, one for which they’re poorly equipped to participate.
Most every company has to follow this path of digitization to evolve and to stay competitive. However, this transformation of the IT landscape also opens up more and newer cyberattack vectors and creates new and greater vulnerabilities.
Corporations know they need security solutions to keep up with the increasing complexity and sophistication of this digitized IT landscape. However, they also need more answers. The truth is that many companies don’t always know how to effectively assess security technologies as they build their security strategy. This can lead to buying technology they can’t fully implement or utilize, adding complexity and frustration to an already difficult situation. Fortunately, there are options – and your company doesn’t have to go it alone.
The Rise of the Arms Race
It isn’t just the cost of software that has led to this arms race, though that certainly is a significant part of it.
There’s a lack of transparency in the industry — and a lack of understanding about how many people, assets and resources a company really needs to realize a return-on-investment from many of today’s security technologies. Under-staffed IT and security teams create more security risk than most companies realize.
That’s due to several factors. First, many security solutions require more dedicated personnel with security skills than they advertise. Companies purchase security technology and often fail to understand what it truly takes to effectively implement and operate said technology to mitigate risk. In classic business parlance, this is the total cost of ownership (TCO), and for many security technologies, the TCO is higher than customers often realize.
Second, companies often face challenges with deciding between focusing on security or on compliance. While the two should, in theory, be harmonious and aligned, the reality is they often are not when companies lack enough budget to accomplish both objectives.
Third, the evolution of the global cybercrime economy is very real. Simply put, cybercrime is big business. Hackers are increasingly well-funded, well-educated and know all too well how to buy and sell the spoils of cybercrime on the black market. This leads to increasingly sophisticated threats from increasingly sophisticated threat actors.
As Gartner points out, IT spending statistics alone don’t measure IT effectiveness and aren’t a gauge of successful IT organizations. A company may be spending the same amount as its peer group but may have different goals (e.g., regulatory compliance versus increased security) or have a different risk profile or risk tolerance. Gartner has found that security spending typically ranges from 1 to 13% percent of an organization’s total IT budget, yet many organizations don’t have a discrete breakdown in their budget between IT and security.
Adding to all of this is that there’s an abundance of software and solutions to choose from, which can make it difficult to select the right technology for your security strategy. In fact, studies have found that companies are using as many as 70 different security vendors and products as they struggle to determine how to achieve the healthy balance between security and functionality. But despite all of these tools being used, there are still gaps.
Shelfware Mentality Isn’t Working
Shelfware, a colloquial term for owning or licensing software that you don’t actually need or use, is a common problem when it comes to enterprise software. A study by Osterman Research found that 30% of businesses that invested in new security controls often ended up under-using those technologies or stopped using them altogether.
Organizations fall into this trap for a number of reasons. Sometimes, it’s the result of focusing on compliance over actual security and risk mitigation. Other times, it’s the result of failing to understand the true cost of implementing and utilizing the technology they purchased. Yet another reason, as Osterman and Gartner research has shown, is the chronic shortage of skilled security personnel required to manage and operate this technology. In short, some of these tools go unused because they ultimately weren’t suitable for the organization or lacked the personnel to make use of it. Companies must look deeper into what they need and what that requires.
The Real Price of Security
To help your organization escape the proverbial arms race and evolve securely, companies must truly understand the TCO of the technology they’re assessing. Security solutions often get sold based on features and capabilities, but that ignores the matter of staffing and employees. Many of the options available require more full-time employees dedicated to using them, which can quickly drive up costs – and that’s if you can find the employees with the right skill sets.
According to CyberSeek, an online resource from NIST, the ratio of existing cybersecurity workers to the number of cybersecurity job openings is 2-to-3. That means one in every three jobs in a security operations center (SOC) is vacant. A talent gap is a seller’s market – skilled workers can command high salaries in this environment. Organizations need to include additional salaries into their cost analysis for a security solution.
Building your own SOC requires bringing together the right tools, intelligence and people to create an integrated solution that can withstand the test of time and scale as quickly as the threat landscape changes. Many who have tried will agree that this is easier said than done. Chief information security officers (CISOs) across industries frequently bemoan the lack of time and budget needed to find the right candidates. Recruitment becomes their full-time job, in some cases, and that can mean their real job – ensuring their organization’s security – falls by the wayside.
Outside of finding, employing and retaining the talent needed, here are the advanced security additions you would need to start building your own SOC today:
- Next-gen IDS/IPS
- Threat intel subscriptions
- SIEM platform
- Endpoint forensics and detection
- Vulnerability scanners
- Forensic tools
To this list, add staff — anybody looking to develop DIY capabilities in-house must also understand that you need a minimum of 10-12 people to staff a facility on a 24/7 basis. Employees get sick, take holidays and sometimes resign unexpectedly — to ensure you always have 24/7 coverage, you need a lot of people.
Finding the Help You Need Is Possible
Part of the cost consideration mentioned above means also looking at what assistance a security solution or vendor offers you. Just because you don’t have the full-time, dedicated staff needed for one solution doesn’t mean you’re out of luck. There are MSPs and other security solutions that can provide the tools you need while also supplying the skilled individuals. Many MSPs have strong partnerships for SOCs, for instance. That’s far more affordable for many organizations than trying to establish a whole SOC themselves.
When it comes to finding a security solution, there’s too often a temptation to purchase something, check off the appropriate boxes and move on in a sort of “set it and forget it” approach. Companies that fall into this trap will forever be behind the eight ball. And no matter how many tools you’re using, be it 10 or 70, none of it matters if detection and response isn’t a key element.
Looking at the holistic costs is essential – how many people, and which skills are needed to run the solution you’re looking into? Will you be able to find the talent needed to run it? Is outsourcing more cost-effective? You don’t have to reinvent the wheel; there are options available that provide assistance along with a solution. Do an internal resources inventory to see if you have the tools and talent to create the security your organization needs. If not, vet those who offer such services to find the best fit.