Over the past two decades, the cybersecurity industry has been completely transformed. What was once seen as a somewhat niche field is now expected to reach a market valuation of $120 billion by the end of the year (according to research from Cybersecurity Ventures). And, that growth expected to further accelerate in the near future.
For organizations, cybersecurity’s evolution from a cottage industry to an economic behemoth has had huge implications on the procurement process. The influx of vendors offering various point solutions has complicated the purchasing process to the point where developing a coherent InfoSec strategy has become a Herculean task. Crunchbase lists nearly 3,000 security vendors in its ever-increasing database. In the midst of this complexity, is there any hope for the humble CISO trying to find balance amongst the chaos?
In order to answer this question, it’s important to take a broader look at a company’s security portfolio and examine some of the drivers behind their purchasing decisions. When it comes to evaluating a security portfolio, or determining what technologies need to be invested in, however, there is no standard methodology. Perhaps more importantly there is no agreed upon baseline to determine what constitutes effective security. The questions to answer first, then, becomes: ‘what exactly does good security look like?’ and ‘how can security teams determine whether or not their defenses are adequate’?
Assessing smart cybersecurity spending
There are various models that enterprises can use to assess the effects of their cybersecurity spending. Some of the usual approaches include:
- Benchmarking – Basing your investments on those of your peers.
- Compliance-driven – Investing in the technologies to adhere to industry-specific regulations.
- Metric-driven – Spending based on your IT departments key performance indicators (KPIs).
- Evidence-driven – Investing in solutions that resolve the issues you are regularly seeing in your environment.
Other informal methods, which are often seen in companies that have lower security maturity, include spending the minimum needed until the next security incident, or, conversely, spending freely, but not necessarily smartly, until the budget has been exhausted.
Former Forrester analyst Rick Holland coined the phrase “expense in depth” to describe the tendency of companies to spend on the latest and greatest technologies meant to complement existing security controls to try and achieve the largely unattainable goal of “defense in depth.” However, without an overall strategy in place, this approach often leads companies to overspend in some areas and underspend in others.
What can you do?
Back in 2013, 451 Research director Wendy Nather published research in which she interviewed dozens of CISOs and asked: “I’m a new CISO. It’s my first day on the job in an organization that has never done security before. What should I buy?”
The surprising result was that even the experts didn’t agree on the basics. Some mentioned as few as four different technologies while others recommended as many as thirty-one. Nearly everyone caveated their answers with “it depends.” Interestingly, the minimum baseline commonly matched up to PCI requirements, and included both firewalls and anti-virus.
The takeaway from both Nather’s and Holland’s research on the topic is that there is no consensus about what constitutes smart cybersecurity spending without defined goals and objectives. Before purchasing new tools, it’s essential that companies first identify the painpoints they are trying to alleviate, and determine which problems (if any) their current solutions are already able to address. If you find that your current portfolio is unable to meet all, or most, of your needs, this is an obvious sign that your security budget was probably not used wisely in the past.
Because of changing priorities, increased workloads, and legacy systems, enterprises are often poor at removing security products that are no longer needed. Many times, blinded by the promise of shiny new products, organizations quickly rush through the procurement process only to discover that some, or all, of the ‘new’ capabilities they’ve added were actually already available within the existing toolset. Rather than buying another tool to add to the mix, it’s better to trim and streamline the existing portfolio first. This not only improves performance, but results in better integration and communication, and ultimately reduces costs.
What should buyers look for?
For this reason, buyers should look for comprehensive security platforms that have a multitude of features. If their various capabilities are designed to work together, such solutions can often deliver a better return on investment than individual point products. While there may be no right or wrong when it comes to security product investment strategy, all companies should identify the risks that most impact their core business, then look for evidence that the solutions they are planning to deploy are likely to address those risks.
As the industry continues to grow, the methods that organizations use to account for and address redundancies in their systems will ultimately determine who succeeds, and who has their budget bled dry by unnecessary point solutions. For that reason, I urge you to drop the hoarder mentality, trim the fat in your IT department, and strive for unification above all else.