Investing in security technologies is a given for most companies today, and with stories of breaches and hacks making headlines every week, the importance of these tools has risen to prominence.
While there’s no shortage of security technologies to choose from, the big question that remains is: How does a company choose the right security investments? Many organizations struggle to implement the right tools to manage and mitigate risk, and getting all of these solutions to actually work together often presents an even bigger challenge.
With that in mind, here are three considerations that can help companies make the right decisions when it comes to investing in security technology:
1. Consider the big picture
A security tool is rarely, if ever, a standalone investment. Instead, it is generally part of a broader security and technology portfolio. In the grand scheme of things, however, what should a robust security portfolio look like? Unfortunately, the answer may not be as straightforward as some people might think.
In 2013, 451 Research Director Wendy Nather published a research report titled "The Real Cost of Security," in which she interviewed dozens of CISOs. The question she asked was:
"I'm a new CISO. It's my first day on the job in an organization that has never done security before. What should I buy?"
The results highlighted the alarming reality that even security experts couldn’t agree on a consistent answer to this very important question. Some respondents mentioned as few as four different technologies, while others recommended as many as 31. Nearly everyone caveated their answer with: "It depends."
Interestingly, the minimum baseline that was common to participant responses matched up to PCI and included both firewalls and antivirus solutions.
Does this mean compliance requirements should dictate security purchases? It’s definitely a contributing factor. But other elements can influence spending, as well, including benchmarking, metrics or evidence-driven approaches to identifying the security tools needed. An informal method that is often seen at companies that have lower security maturity is spending just the minimum amount required until the next breach or incident is reported. Conversely, other companies spend freely, though not necessarily wisely, until their budgets have been exhausted.
An interesting perspective was presented by Sounil Yu at the RSA Conference 2016. Yu, executive director for security innovation at a major financial institution, presented a cyber defense matrix showing asset classes (devices, apps, networks, data, users) compared against operational functions (identify, protect, detect, respond, recover).
While this is not a perfect model, it definitely could help enterprises evaluate their entire portfolio and identify where potential deficiencies lie or where there is considerable technology overlap.
Rick Holland, vice president of strategy at Digital Shadows and formerly of Forrester, coined the phrase "expense in depth" to illustrate that many companies will shell out money to add the latest and greatest technologies hoping to achieve the elusive "defense in depth." Without an overall plan, however, this approach often leads to overspending in some areas and underspending in others.
The unfortunate reality is that most organizations today are draining their budgets and resources by choosing expensive, disjointed preventative and protective solutions—a choice that falsely perpetuates the myth that this approach will be able to keep the bad guys out.
The cybersecurity landscape is in a constant state of evolution, changing continually and dramatically, so it’s time for companies to rethink security and stop playing outdated defensive games, such as adding more technology to the stack and hoping for the best. A patient attacker will eventually find a way to get in. To ensure that their security dollars are spent in the most effective way, companies need to start focusing on the things they do have control over: threat detection and incident response.
2. Remove redundancies
Companies are often poor at removing security products that are no longer needed or that provide insufficient or redundant capabilities. And security tools can face the same challenges that plague other legacy systems—such as vulnerabilities, bottlenecks and performance issues.
More than that, though, the deployment of redundant security products can end up hindering future purchases. For example, having an existing but ineffective endpoint security agent in place could prohibit the installation of a newer and more appropriate endpoint security technology because, on paper at least, the control already exists.
Security shelfware further compounds this issue. In many cases, a company might purchase a security product but never get around to fully implementing it or learning how to use it well enough to reap its full benefits. Consequently, such tools end up just sitting on a shelf and providing little or no security benefit, while again, existing as part of the security defense system on paper.
Many times, companies are distracted by the need to acquire shiny new products, and they overlook the capabilities already present within the products they have. However, rather than buying another tool, it's generally better to trim and streamline the existing portfolio. This not only improves performance, but it results in better integration, communication and, ultimately, affordability.
For this reason, comprehensive and unified security platforms that offer a multitude of features designed to work together can often be a far better investment for companies than a disparate compilation of point products.
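The portfolio review described in sections 1 and 2, as an added example that is not part of the original article: it places a constructed tool inventory on the asset-class by operational-function matrix and reports uncovered cells, overlapping cells, and cells that are covered only on paper by shelfware. The product names, the `deployed` flag and the function names are assumptions made for illustration.

```python
# Axes of the cyber defense matrix as listed in the article.
ASSETS = ("devices", "apps", "networks", "data", "users")
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")

# Constructed inventory with hypothetical product names.
# deployed=False marks shelfware: purchased, but not actually in use.
INVENTORY = [
    {"name": "legacy-av", "deployed": True,
     "cells": [("devices", "protect")]},
    {"name": "edr-agent", "deployed": False,
     "cells": [("devices", "protect"), ("devices", "detect"),
               ("devices", "respond")]},
    {"name": "perimeter-fw", "deployed": True,
     "cells": [("networks", "protect")]},
    {"name": "ngfw", "deployed": True,
     "cells": [("networks", "protect"), ("networks", "detect")]},
    {"name": "vuln-scanner", "deployed": True,
     "cells": [("devices", "identify"), ("apps", "identify")]},
    {"name": "backup-suite", "deployed": False,
     "cells": [("data", "recover")]},
]

def build_matrix(inventory, deployed_only=False):
    """Map every (asset, function) cell to the tools that claim to cover it."""
    matrix = {(a, f): [] for a in ASSETS for f in FUNCTIONS}
    for tool in inventory:
        if deployed_only and not tool["deployed"]:
            continue
        for cell in tool["cells"]:
            if cell not in matrix:
                raise ValueError(f"{tool['name']}: unknown cell {cell}")
            matrix[cell].append(tool["name"])
    return matrix

def analyze(inventory):
    """Compare coverage on paper with coverage from deployed tools only."""
    paper = build_matrix(inventory)
    actual = build_matrix(inventory, deployed_only=True)
    return {
        "gaps": sorted(c for c, tools in actual.items() if not tools),
        "overlaps": {c: t for c, t in actual.items() if len(t) > 1},
        "paper_only": sorted(c for c in paper if paper[c] and not actual[c]),
    }

if __name__ == "__main__":
    report = analyze(INVENTORY)
    print(f"{len(report['gaps'])} of {len(ASSETS) * len(FUNCTIONS)} cells uncovered")
    print("overlaps:", report["overlaps"])
    print("covered on paper only:", report["paper_only"])
```

The `paper_only` list is the one to take into a budget review: those cells look covered in an audit spreadsheet but have no working control behind them.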
3. Avoid confusing activity with accomplishment
Simply spending money on security technologies is not enough, and throwing endless budget and resources at a problem without a proper plan can result in security and IT professionals becoming very busy—but not necessarily productive.
For example, conducting regular vulnerability scans is a good idea, since companies need to know where their vulnerabilities lie. However, merely investing in a tool that performs and reports on these scans won’t necessarily be effective if the data is not output in a helpful way or if the tool is difficult to use. A more effective strategy would be to invest in the vulnerability solution, while also looking at the quality of its output and determining if progress is being made toward accomplishing security goals.
Don’t be fooled by security technologies that produce nice graphics and metrics. Instead, tie security investments back to overall objectives, and regularly check to ensure they are in fact contributing to outlined goals—and not just as individual products, but as part of the wider security portfolio.
Security spending is still a gray area
There is no well-established, cookie-cutter strategy for investing in security products. What’s most important is that organizations select the right tools for their unique environments and security risks rather than following the all-too-common approach of throwing money and resources at the problem without an overall security plan to guide purchases.
However, by focusing on threat detection and incident response, prioritizing a unified approach to security management, and following the above best practices, companies can take a major step toward mastering security technology investments—and that will be a win for both IT departments and the company’s bottom line.
This article is published as part of the IDG Contributor Network.