When it comes to cybersecurity, you can’t rely on brand promises. Many buyers equate the price of a product or service with the benefit it brings, an “assumed efficacy” or presumed security value added to the stack.
While that may hold true in some cases, in many others the products and services you pay a premium for do not perform as promised. When a single misstep can lead to a corporate catastrophe, every component of your cybersecurity infrastructure needs to deliver measurable value.
With cyberattacks growing in ingenuity, scale and frequency, the roughly 80 percent of enterprises that sit outside the Fortune 500 or Global 1000 (and the rest would be wise to follow the same approach) must build a security ecosystem that puts very high prevention efficacy first, while never losing sight of simplicity and cost.
So how do CISOs best evaluate and measure the prevention efficacy of their cyber defenses? A good place to start is with what I call the T.E.S.T. performance indicators: Time, Efficacy, Simplicity and Total Cost of Ownership (of the stack).
Time (of Prevention)
The sooner you prevent a cyberattack, the better off you’ll be. Unfortunately, the average dwell time, the time an attacker spends inside an environment before being detected, is 201 days. Worse, on top of those 201 days it takes an additional 52 days on average to contain the threat.
Ideally, prevention happens before the attack does any damage at all. Attackers move fast: once inside, they compromise other machines on the network in less than two hours. An attack has to be stopped within milliseconds of its first memory-resident step in the kill chain, before it gains a foothold, to head off the most damaging outcomes.
Time matters beyond limiting the exploitation of data, employees and systems: the longer an attacker dwells in your network, the bigger the drain on your budget. According to IBM Security’s and Ponemon Institute’s “2018 Cost of a Data Breach Study: Global Overview,” the average cost of a data breach in the United States is $7.91 million. Why so high? The cost accumulates over the time it takes to detect and contain the breach, plus legal fees, reputational damage, lost customers, ongoing communication with stakeholders and much more.
Efficacy (of Prevention)
Efficacy is notoriously difficult to test and measure in cybersecurity, and controversies over it, even lawsuits, abound. It is not as simple as counting how many millions of malware variants a vendor detects (most score 95 percent or better).
The only way to get 100 percent assured threat prevention is to destroy “the bridges” along the route the attacking “army” must cross, rather than hunting down and destroying each combatant in that army one at a time. In other words, block the few techniques every attack depends on instead of trying to catalogue every variant.
Known types of malware arrive through known vectors, and those are well covered by perimeter defenses (firewalls), access management and antivirus. But there is also the rapidly growing class of unknown attacks that evade detection by operating in memory. More than 75 percent of breaches are caused by attacks that use fileless, in-memory techniques.
Every component of a cybersecurity stack should be fit for purpose, delivering efficacy across network, access, memory and malware. That framing matters all the more now that cybersecurity efficacy increasingly has to be tied to overall business efficacy.
Rather than deploying security solutions simply to satisfy compliance, CISOs today must close a growing gap between their role and the rest of the C-suite by measuring cybersecurity efficacy in terms of overall business impact.
Simplicity (of Operations)
In that same sense of “fit for purpose,” many cybersecurity solutions are unnecessarily complex. Often the complexity has grown out of vendors’ need to bolt on incremental protection features to stay competitive and retain market share.
Detection-based security products, whether built on AI, ML or DL technologies, rely on post-breach, knowledge-based analysis to detect and then stop certain types of malware. The result? Solutions that take too long to implement and configure, require too many people to operate properly, disrupt the business and its users, and generate a flood of telemetry. The approach also leaves the CISO and a usually very lean security team with large residual risk from unknown threats, risk that then has to be covered by other means.
Unhelpful telemetry is expensive. The “Cost of Insecure Endpoints” study found enterprises waste an average of 425 hours a week responding to and investigating false positives, costing them an average of $1.37 million annually.
Adding simple, proactive “set and forget” defense layers is often the better alternative. Easy-to-use cybersecurity solutions are frequently the most effective way for enterprises to reduce threats, downtime and staff allocation.
Total Cost of Ownership (of Prevention Stack)
Saying “cybersecurity has no ROI” is a misconception. Security ROI can be defined as the cost of ownership that is commensurate with the residual risk a corporation is willing to accept, where ownership cost covers not just the technology but the hidden costs of manpower, CPU load and business disruption.
That cost must be weighed against the incremental risk reduction, the “security value,” that the proposed layer delivers. And it is the hidden costs, managing alerts (most of them false positives), assessing telemetry and taking remediation steps, that drive up the total cost of ownership (TCO), to the tune of $16.3 million per year for the average enterprise, according to a recent report by research firm Vanson Bourne.
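The false-positive arithmetic in the Simplicity section and the TCO-versus-risk-reduction definition of security ROI above can be put into a small model, so that a proposed layer is accepted or rejected on numbers rather than on a brand promise. What follows is an added illustration written for this article, not code from the article’s author or from any vendor. Every function and field name is an assumption made for the example, and the dollar figures are constructed inputs chosen to echo the article’s own numbers (425 analyst hours a week on false positives at roughly $1.37 million a year, a $7.91 million average US breach); the two candidate layers are invented for comparison.

```python
"""Worked TCO-versus-security-value model for a proposed defense layer.

Added example, not code from the article.  All names and dollar figures
are constructed assumptions; the inputs echo the article's figures so the
reader can see how the hidden costs dominate the total cost of ownership.
"""
from dataclasses import dataclass

WEEKS_PER_YEAR = 52


@dataclass(frozen=True)
class Layer:
    """One proposed defense layer with its visible and hidden annual costs."""
    name: str
    annual_license: float             # the line item everyone budgets for
    fp_hours_per_week: float          # analyst hours burned on false positives
    analyst_hourly_rate: float        # fully loaded cost of one analyst hour
    cpu_overhead_fraction: float      # share of fleet compute the agent consumes
    annual_compute_spend: float       # what the protected fleet's compute costs
    disruption_hours_per_year: float  # user/business downtime the layer causes
    disruption_hourly_cost: float     # cost of one hour of that downtime
    risk_reduction_fraction: float    # share of annualized loss it removes (0..1)


def annualized_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = single loss expectancy x annualized rate of occurrence."""
    return single_loss * annual_rate


def false_positive_cost(layer: Layer) -> float:
    """Hidden triage cost: hours per week x weeks x loaded hourly rate."""
    return layer.fp_hours_per_week * WEEKS_PER_YEAR * layer.analyst_hourly_rate


def total_cost_of_ownership(layer: Layer) -> float:
    """License plus the hidden costs the article lists: manpower, CPU load, disruption."""
    return (
        layer.annual_license
        + false_positive_cost(layer)
        + layer.cpu_overhead_fraction * layer.annual_compute_spend
        + layer.disruption_hours_per_year * layer.disruption_hourly_cost
    )


def security_value(layer: Layer, ale_before: float) -> float:
    """Incremental risk reduction: the annualized loss the layer takes off the table."""
    return ale_before * layer.risk_reduction_fraction


def residual_risk(layer: Layer, ale_before: float) -> float:
    """Annualized loss that remains after the layer is deployed."""
    return ale_before - security_value(layer, ale_before)


def net_benefit(layer: Layer, ale_before: float) -> float:
    """Security value minus TCO; negative means the layer costs more than it saves."""
    return security_value(layer, ale_before) - total_cost_of_ownership(layer)


def worth_adding(layer: Layer, ale_before: float, max_residual: float) -> bool:
    """Accept a layer only if it pays for itself AND leaves residual risk the
    business has said it can tolerate, which is the article's definition of ROI."""
    return (net_benefit(layer, ale_before) > 0
            and residual_risk(layer, ale_before) <= max_residual)


def rank_layers(layers, ale_before: float):
    """Layer names ordered from best to worst net benefit."""
    return [l.name for l in sorted(layers, key=lambda l: net_benefit(l, ale_before),
                                   reverse=True)]


# Constructed inputs.  ALE assumes the article's $7.91M average breach cost and
# an assumed one-in-four chance per year; $62/hour is what 425 h/week at
# $1.37M/year implies.  Both layers are given the same risk reduction on
# purpose, so the comparison isolates the hidden costs.
ALE_BEFORE = annualized_loss_expectancy(7_910_000, 0.25)
DETECTION = Layer("detection-heavy layer", 500_000, 425, 62, 0.05, 2_000_000,
                  200, 5_000, 0.5)
PREVENTION = Layer("set-and-forget prevention layer", 400_000, 10, 62, 0.01,
                   2_000_000, 20, 5_000, 0.5)

if __name__ == "__main__":
    for layer in (DETECTION, PREVENTION):
        print(f"{layer.name}: TCO ${total_cost_of_ownership(layer):,.0f}, "
              f"net benefit ${net_benefit(layer, ALE_BEFORE):,.0f}, "
              f"worth adding: {worth_adding(layer, ALE_BEFORE, 1_000_000)}")
    print("ranking:", rank_layers([DETECTION, PREVENTION], ALE_BEFORE))
```

With these inputs the detection-heavy layer’s license is only a sixth of its TCO; the false-positive hours alone cost almost three times the license, and the layer loses money even though it removes half the expected loss. Swapping in your own figures for the rate of occurrence, the loaded analyst rate and the tolerated residual risk is the whole point of the exercise.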
Applying the T.E.S.T. security KPIs will help keep businesses safe and advanced cyberattacks at bay, and should prompt corporations to reassess strategically how they value true prevention. Any single layer, taken on its own, is a single point of failure and shows only part of the picture.
With this year promising to bring a whole new crop of cyberthreats, wiser, nimbler and leaner customers will start looking for cybersecurity stacks that optimize across these four KPIs.