Manage cybersecurity risk by restoring defense-in-depth’s promise
Cybersecurity spending continues to soar: the current $75.4 billion worldwide market will increase to $101 billion by 2018, according to projections from Gartner. But how effectively are organizations investing in these tools? Not very: 28 percent of the spending pays for security products that are either underutilized or not used at all, according to survey findings from Osterman Research.
The investment doesn’t inspire much confidence among IT teams about the protected state of their networks either: Only 31% of security professionals say they are “comfortable” with their ability to detect and respond to incidents, according to ISACA research.
So what are they doing wrong? A great deal of this risk-management problem is directly tied to a growing disconnect between the tangible security products, teams and policies companies deploy – their comforting “defense-in-depth” layers – and what the true effectiveness of these layers actually is at any given time. The stakes of this disconnect are striking – particularly when you consider how today’s cyber threats introduce new ramifications for security operations centers (SOCs) and risk managers.
The point here is not that layered security is a flawed approach, but rather that you need to understand those human, procedure and technology layers in context like never before. A generation ago, stacking an array of security products between the Internet and PCs blocked a lot of the nuisance and simplistic break-ins of that era. But today there are phishing attacks using malicious code that employees, themselves, detonate, and threats like ransomware that wreak irrevocable damage, quickly spreading from one machine to the next.
The frequency and variety of attacks are simply too great to conclusively defeat with the concept of layers alone. Risk managers and their IT security colleagues need assurances that come from understanding the current effectiveness of their existing security layers now and into the future.
The skyrocketing direct and indirect costs of data breaches make the business case for measuring whether you have security technologies, response plans and staff deployed, tuned and coordinating correctly, because this effort is far cheaper than the alternative: Paying for customers’ credit monitoring services, losing intellectual property or suffering brand damage. More than 169 million records were exposed last year, according to the Identity Theft Resource Center (ITRC). The cost of every single stolen record amounts to $154 on average, according to research from IBM and the Ponemon Institute.
Determining security posture
So what is the best approach to understanding the effectiveness of those layers and determining your true security posture? Think of achieving “instrumented security,” where gathering precise data on how security products and staff actually perform in the line of fire replaces assumptions of defense and risk that otherwise influence decision-making. Through instrumented security, your IT teams can precisely determine – in real time – the combined effectiveness of all accumulated controls and layers of protection.
They match incident readiness against specific attack activity that’s going on – right now. With this, they gain absolute awareness of their true security posture, tuning existing defense-in-depth security investments to maximize their value and identifying only those specific, new capabilities that might be necessary to match a company’s risk tolerance – which helps prevent over-spending and undue complexity.
Instrumented security raises risk-management efforts to a higher, holistic level, one in which prevention, detection and response can be measurably matured to generate empirical proof of readiness. As the saying goes, “If you cannot measure it, you cannot improve it.” An instrumented security posture that tests security tools and teams against mock threats of all varieties has almost unprecedented potential to put IT staff, risk managers and C-Level leaders all on the same page because data can simultaneously inform and empower these stakeholders to collaborate on inherently interrelated decision-making.
Informed discussion can finally tackle pressing questions like “Does our security spending match our protection value? Are we prepared to adequately defend expanding cloud, mobile or other initiatives business leaders are demanding? How are we reporting the measurement and maturation of security for the Board or investors?”
Getting to instrumented security is a process. To begin with, IT and business leaders need to gather and methodically break down which risks are most consequential for the organization and map out the inventory of existing security processes and controls arrayed to address these scenarios. Take care not to overlook important items – tangible investments like firewalls and filters are important, but so are incident response plans and security staffers’ assigned roles or workflows.
Often, the enumeration of these complementary security products and steps, itself, passes for a comprehensive protection strategy, but these things only have value if you can continuously monitor them over time. This is the only way to discover whether security gaps are caused by products that are blind to certain types of attacks, for example, or whether a revamped response process could help time-strapped administrators confirm the severity of a potential incident in half the time.
Monitoring security layers
Continuously monitoring security layers in-depth also reveals where organizations’ constant changes, such as staff turnover in SOCs or technology changes within or outside of security teams’ control, are quietly upending existing security defenses. There will be times where this approach reveals where small incremental fixes are possible – and other cases where more urgent and involved discussions are necessary to correct severe weaknesses.
Cybersecurity is a complex, challenging arena – about as fluid as the competitive pressures and changes placed upon every modern business. The complexity is arguably compounded for companies’ top, trusted risk managers and advisors because these professionals must connect the dots between ephemeral cyber threats and what could lead to dire breach scenarios where severe or existential consequences can arise.
Fortunately, new data sources can become the collaborative fuel that empowers security and risk specialists to work even better, together. Instruments make better guideposts than instincts, and instrumented security is a promising way forward to regain confidence in defense-in-depth fortifications guarding every business.