How to Adapt to Tightening Security Budgets
Cybersecurity is not immune to inflation. As Orion Hindawi, CEO and co-founder of Tanium told the audience at Converge 2022, security teams are being told by their CFOs that they must justify everything they do and use all the tools they’ve purchased.
Tight budgets aren’t new for security teams, of course, but after a few years of being allowed to fully address cybersecurity needs, it will be an adjustment to ensure that protecting data remains a top priority. But how will these budget restrictions impact security?
What’s Worrying Security Teams?
When asked what security issues organizations and security leadership are most concerned about, Rob Lefferts, corporate VP, modern protection and SOC at Microsoft, said there’s a lot of fear; nation-state actors, ransomware gangs and geopolitical tension all make the list of worrisome potential threats.
“In the face of that, security teams feel overwhelmed,” Lefferts said at Converge 2022. And it’s no wonder. Organizations are seeing hundreds of alerts every day and no one has the time to look at all of them. When there is a problem, the right tools are lacking. What’s missing most is a lack of automation to detect and remediate problems, and threat actors are taking advantage of it. They know that if legitimate problems aren’t detected early, they can dig in and do plenty of damage, Lefferts said.
But in today’s economic climate, getting automation tools—and getting them in place—is not going to be easy. A lot of systems were built up over years and when businesses are acquired, merging security platforms, there is no real plan in place to pull a disparate security infrastructure together. There are clashes of culture within organizations that result in sticking with the status quo. And too often, vendors don’t help because they are selling tools that aren’t meeting the real needs of the organization, he added.
The Tools Paradox
It may be time to stop worrying about the threats you can’t do anything about, like those stemming from geopolitical tensions, said Kris Burkhardt, managing director, CISO with Accenture, in a keynote talk at Converge 2022. Instead, as budgets shrink, it’s better to focus on the things you can control, like tools.
There are so many niche tools, but organizations often don’t have the tools they actually need, Burkhardt explained. That results in a frantic search for other tools that will cover all the gaps.
“I’m scared to death there is some little gap that we didn’t see,” Burkhardt said.
One of those gaps that’s often being missed is the tool paradox—the crossover between users’ social lives and their work lives. Social engineering attacks are taking advantage of this crossover, especially with the proliferation of fake accounts on sites like LinkedIn and Twitter, and security tools haven’t caught up.
Putting Risk in Context
As security teams think more about how to work within a smaller budget, one thing to consider is your organization’s tolerance for risk. Specifically, recognizing that your organization’s tolerance isn’t going to be the same as anyone else’s.
“Context is everything in risk management,” Renee Murphy, principal analyst with Forrester, said in a keynote address at Converge 2022. With regard to endpoint risk in particular, Murphy said that this risk to one person or organization won’t look like anyone else’s because each organization and their endpoints are unique.
“Maybe I have an endpoint risk that says I need to turn on multifactor authentication,” Murphy stated, “But what does that mean for customer experience? What does it mean for employee experience? Not everybody sees risk the same way.”
Yet, there is a tendency to treat endpoint security issues in exactly the same way. If security teams can’t adapt tools or their platforms to meet risk management in the context of their needs, cybersecurity will suffer.
Security teams are going to have to rethink their approaches within new restrictions and modifications of the tools already in place. It’s not going to be easy, but there was one piece advice shared at Converge 2022 that may make security teams worry a little less: “It’s time to stop trying to make security systems perfect,” Lefferts said. Instead, make security systems work in the context of your own needs and address what you can control, he added.
