Cybersecurity: How to do More for Less

Around the world, companies are experiencing a financial squeeze. In the U.S., inflation rose to 8.2% in September 2022, and the Federal Reserve raised interest rates to a range of 3% – 3.25%, the highest since 2008. As organizations increasingly fear the prospect of a recession and feel the impact of rising prices, investments are being scrutinized and spending is only approved for the most crucial of reasons. In this climate, IT and cybersecurity teams need to look at how they can ensure continued business performance and reduce the risk of a breach while showing a return on investment in their security spend. With enterprise security teams now grappling with an average of 76 security tools, the answer does not simply lie in adding more point solutions. Instead, optimizing existing tools and ensuring they are deployed and working effectively helps to reduce complexity, free up resources and allow for budgets to be better allocated.

Why Less is More

It’s encouraging to see attitudes to cybersecurity spending changing, with PwC’s 2022 Global Digital Trust Insights report finding 69% of organizations predicted a rise in cybersecurity spending in 2022 compared to 55% last year. However, more spending does not equate to better security or greater alignment between security and business strategy. In fact, in their quest for more cybersecurity funding and tools, organizations are neglecting a core tenet of security. A complex system made up of countless tools introduces more data for security teams to analyze and greater potential for control failures. In turn, this increases the burden on already over-stretched security professionals struggling with a workforce gap of more than 2.72 million positions.

Instead, you want to subscribe to the idea that less is more. By striving to simplify the overall security strategy and focusing on being effective and efficient, organizations can make the most of what they already have. Resources can then be prioritized to the areas that have the biggest security impact and rapidly reduce risk.

Committing to less is more also helps combat the perception of security as an onerous cost center. IT and security teams can face difficulties in conveying the return on investment (ROI) to the board, which too often allocates the security budget in a reactive way. This approach must change.

Considering that board members respond more positively to concrete facts versus ‘ifs’ and ‘maybes’, CISOs and their teams need to demonstrate the financial benefits of proactive, prudent cybersecurity while reducing risk and improving efficiency.

How to do More for Less

In practice, doing more for less means looking inward–at your business and security strategy, at the security tools currently in use and at your company culture–and optimizing wherever possible.

1. Streamlining Cybersecurity and IT Operations
When assessing your existing security stack, several important questions need to be asked: Are you getting the most out of your tools? How are you measuring their efficiency and effectiveness? Are any tools dormant? And how much automation is being achieved?

The same should be asked of your IT stack–is there any bloat and technical debt? Across your IT and security infrastructure, there are often unnecessary layers of complexity in processes, policies and tools that can lead to waste. For example, having too many tools leads to high maintenance and configuration overheads, draining both resources and money. Similarly, technologies that combine on-premises infrastructure and third-party cloud providers require complex management and processes.

IT and cybersecurity teams, therefore, need to work together with a clear shared vision to find ways to drive efficiency without reducing security. This requires clarity over roles and responsibilities between security and IT teams for asset management and deployment of security tools. It sounds straightforward but often is not, due to historic approaches to tool rollout.

If teams can get clarity on shared priorities through greater visibility of assets and technology, it has a big impact on collaboration and productivity.

2. Prioritizing Automation
The central piece in making "more for less" work in practice is automation. Automating key areas such as asset management and security controls management, for example, gives CISOs and their teams a clear view into their asset inventory–critical in the age of remote working and expectations of flexibility. It also bolsters understanding of security control status and effectiveness with metrics and measurements.

One increasingly popular solution is continuous controls monitoring (CCM). By correlating data from all security and relevant business sources, CCM identifies missing assets and gaps in protection, improves collaboration and prioritization, optimizes security controls and automates remediation workflows to help organizations make the most of existing security investments.
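The correlation step described above can be sketched in a few lines. This is an added example, not code from the article or from any CCM product; the hostnames, source names, sample data and 14-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample exports; hostnames, field names and the 14-day
# staleness threshold are assumptions, not taken from any product.
CMDB = ["web-01", "WEB-02.corp.example", "db-01", "hr-laptop-7"]
EDR = {"web-01": date(2022, 10, 20), "db-01": date(2022, 9, 1),
       "dev-box-3": date(2022, 10, 19)}       # host -> last agent check-in
VULN_SCAN = {"web-01": date(2022, 10, 18), "web-02": date(2022, 10, 18),
             "db-01": date(2022, 10, 18)}     # host -> last completed scan


def normalize(host):
    """Sources rarely agree on case or domain suffix; compare short names."""
    return host.strip().lower().split(".")[0]


def control_gaps(cmdb, controls, today, max_age_days=14):
    """Correlate an inventory with per-control 'last seen' data.

    Returns (unknown_assets, gaps, coverage): assets that tools report but
    the inventory lacks, the missing or stale controls per known asset,
    and the percentage of known assets each control covers healthily.
    """
    known = {normalize(h) for h in cmdb}
    seen = {name: {normalize(h): d for h, d in data.items()}
            for name, data in controls.items()}
    unknown = sorted({h for data in seen.values() for h in data} - known)
    gaps, coverage = {}, {}
    for name, data in seen.items():
        healthy = 0
        for host in known:
            last = data.get(host)
            if last is None:
                gaps.setdefault(host, []).append(f"{name}:missing")
            elif (today - last).days > max_age_days:
                gaps.setdefault(host, []).append(f"{name}:stale")
            else:
                healthy += 1
        coverage[name] = round(100 * healthy / (len(known) or 1), 1)
    return unknown, {h: sorted(g) for h, g in gaps.items()}, coverage


if __name__ == "__main__":
    unknown, gaps, coverage = control_gaps(
        CMDB, {"edr": EDR, "vuln_scan": VULN_SCAN}, today=date(2022, 10, 21))
    print("not in inventory:", unknown)
    for host in sorted(gaps):
        print(host, "->", ", ".join(gaps[host]))
    print("coverage %:", coverage)
```

A stale check-in is reported separately from a missing agent because the two usually need different remediation: a reinstall or repair versus a first deployment.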

Looking Ahead

With the commoditization of offensive cybersecurity toolsets and new business models for adversaries, the risk from cyberattacks is not going away. A majority of breaches occur because of a security control failure, which is where an organization had the tools needed to prevent or mitigate an attack but they weren’t correctly deployed. We recommend that organizations go back to basics, review the controls they have in place and ensure they’re working as intended across all assets to avoid a preventable breach.

Whether it’s a business’s technical debt and complexity, tool sprawl or siloed security culture that needs addressing, there’s always room to optimize. And with solutions like CCM, automation can help teams save money and resources while reducing their cybersecurity risk.

Nick Lines

Nick is a Product Evangelist at Panaseer - a leader in Continuous Controls Monitoring. He communicates the unique value of Panaseer both externally and internally, ensuring the product, marketing, sales and engineering teams are aligned to best meet the biggest challenges of cyber security, namely visibility and ensuring control efficacy.
