Imagine paying for a small lock on your house every year. Burglars continue to break in despite what you think is a strong security deterrent. You spend the same amount every year on this inadequate security despite the different products on the market that promise to protect your home better.
This is what some security experts believe enterprises are doing on a larger scale. Those on staff who are doing the budgeting might blindly write the same amount into the security line every year. Or the C-suite might handcuff the security personnel with a tight budget that doesn’t allow for expansion into new security products.
Mike D. Kail, Chief Innovation Officer at Cybric, said the topic of increasing cybersecurity budgets seems to be in the news every day, but unfortunately there also seems to be a large-scale breach to match that. “Tactical purchasing of point-solution tools is not helping, and CIOs/CISOs need to start investing in strategic platforms and frameworks.”
451 Research found a misalignment between current threats and the appropriate defenses needed to truly protect an organization’s assets from compromise. To the extent that security spending continues to increase each year, a defensible argument could be made that, at worst, much of that money is being wasted or, at best, not adequately allocated.
“Simply put, as our corporate boundaries become increasingly porous and our resources are on the move, traditional endpoint and network security approaches are no longer sufficient in and of themselves,” 451 writes in its report.
Dan Burke, vice president at Globalscape, said the issue is a version of “if it ain’t broke, don’t fix it,” but the problem is that too many organizations don’t know that their security is vulnerable. They may have even been breached, but simply don’t know it yet.
The threat environment is sophisticated and constantly changing, requiring that companies constantly adjust the layers of their security architecture based on new and evolving threat vectors and actors, Burke said. Companies may still be relying on traditional firewalls even as more employees and systems go mobile or as workloads move to the cloud, or running antivirus in the belief that it will stop sophisticated attacks or phishing.
“Then there’s the risk in trying to squeeze a few more miles out of obsolete tech, like an unsupported OS or unpatched applications,” he said.
Nir Polak, CEO and co-founder of Exabeam, said, "We have not seen a period where security teams are as hamstrung by legacy costs as they are today. This is primarily because effective analytics requires data capture, and all of the leading solutions for data collection and search are priced based on the amount of data collected. This didn’t matter so much 10 years ago, but as the volume of generated security has grown, data management costs have overrun security budgets."
Javvad Malik, security advocate at AlienVault, said enterprises are often poor at removing security products that are no longer needed. Given the number of legacy systems in use, though, it's a problem that extends beyond security.
“Shelfware is a problem in security,” he said, referencing research he presented at RSA a few years ago.
“It showed that many enterprises purchase security products but then never actually properly implement them and leave them on the shelf. Many times, blinded by shiny new products, enterprises can overlook the capabilities already present within the products they have. So rather than buying another tool, it's better to trim and streamline the existing portfolio.”
Mike Eisenberg, vice president of CISO Services at Optiv Security, concurs. “We definitely see organizations that have bought a product, say, six months ago, and it hasn't even been taken out of the box. Or, if the product has been implemented, it's not being used properly. And, even if it is being used properly, the organization is not tracking its effectiveness. This leads to products becoming outdated or just plain ineffective. You can see where resources are being wasted and how security programs suffer.”
Research from 451’s Voice of the Enterprise survey on cloud computing shows that the security tools that are most important in the ‘old world’ — firewalls, anti-malware, etc. — are less relevant in the cloud.
Sam Curry, chief product officer at Cybereason, says security is like the growth of a coral reef over time with new growth happening on the calcification of older coral. The whole pushes out over time with the volume growing. “Here’s how a typical CISO plans a budget: someone from the CFO’s office says 'time to do your budget for next year, so I took your spend from this year and moved it forward ... and you have to cut x percent' and then the negotiations start.”
Security products have technical debt to address, he said, and have to add new “enterprise features” and facilitate what he calls “security hygiene” more and more (like aiding audit policies, supporting new platforms, checking for security policies on authentication attempts or logging and so on). “Meanwhile, the bad guy is adapting and finding ways around this. The net result is that the older security products aren’t innovating and tend to become more security hygiene focused and part of the legacy, statutory spend,” he said.
The newest tools are those that are at the cutting edge of stopping bad guys. The struggle for the CISO is to free up discretionary money to make some bets on these high-risk tools.
“The best CISOs are the ones that put pressure on the low-value, high-cost incumbents to make a few bets on new, cutting edge, less mature offerings that can actually stop bad guys,” Curry said. “Commodities should experience tremendous price pressure, so ignore brand, ignore hype, ignore the footprint they have in your IT environment and put them through the grinder to make the spend proportional to the value and make more bets on the new, young, colorful coral growth in the security game.”
Richard Henderson, global security strategist at Absolute, said security spending decisions aren’t always clear cut. “While in some rare highly-publicized exceptions in high finance, where security staff have been told they have a virtual blank check for security tools, enterprise security teams have limited budgets and have to pick and choose how their dollars are being spent.”
The real question that CSOs and CISOs need to answer is how effectively the budgets they have are being spent. Would the hundreds of thousands of dollars they spent on a best-of-breed tool have been better spent on another tool from another vendor that may not have scored quite so high on Gartner’s Magic Quadrant, but integrates much better and easier with their current security infrastructure? How much extra cash is it going to take to get an existing team up to speed on deploying, monitoring, tweaking, and tuning the new shiny tool? What’s going to deliver better long term return on investment?
Yitzhak (Itzik) Vager, vice president of Product Management and Business Development at Verint Systems, said many companies tend to spend too much time and resources on selecting best-of-breed point tools, without taking into account how they fit in and work within their existing security infrastructure.
“Fighting today’s sophisticated threats requires a holistic approach. Companies are better served if they invest in a unified platform integrating multiple tools to provide complete visibility across the threat chain. Even better, the platform will be completely automated, more quickly detecting, investigating, and halting most attacks, allowing cyberanalysts to focus on stopping more complex attacks,” Vager said.
Simon Taylor, vice president of products at Glasswall, said the larger corporations are caught in a cycle of security spending that they can't break.
“Despite the industry’s own admission that they cannot prevent a zero-day attack and that the cyber criminals are always one step ahead, no one wants to be the C-level executive that turns off the current failing border security. In fact, the trend has been to add ‘more bricks in the wall,’ or layers of security in the hope that at least one of the products can prevent a targeted attack,” he said.
While there is complacency in some sectors at the board level, Taylor said, change is coming in the EU with the impending General Data Protection Regulations taking effect in 2018 and the recent announcement of tighter cybersecurity regulations affecting the financial sector in New York State. “If the businesses don’t get their act together fast enough, regulators on both sides of the Atlantic will be forcing the issue,” he said.
Markus Jakobsson, chief scientist at Agari, said there are several reasons why enterprises are not updating their security technologies at a fast enough rate. There is a lack of prioritization and awareness across the C-suite about today’s security risks and the technologies needed to address them. Updating a company’s technology is a big process and financial investment, so all company executives need to be on board and champion these initiatives from the outset.
“There is also a lot of reluctance from enterprises with changing their security technologies because their strategies are negatively reinforced. If a company has never suffered a breach, their technology must be working, right? Why change it?” he said. “This type of attitude is extremely dangerous given today’s rapidly evolving threat landscape. It’s not a matter of if, but when, a company will suffer an attack.”
Ajit Sancheti, CEO and co-founder of Preempt, said "If you assume that most enterprises have been breached, then security strategies have to include spending on software that can identify threats on the internal enterprise network. Many security professionals believe they can identify and prevent these threats at the perimeter and are focusing their budget there. That strategy is flawed. One breach can negate all of that spending."
Jason Macy, CTO of Forum Systems, said too many enterprise organizations are committed to a legacy posture and an umbrella approach to cybersecurity. “Threat vectors have completely evolved and today’s defenses require both perimeter and internal security. While traditional solutions are a component of an overall cybersecurity strategy, a reliance solely on legacy technology puts organizations, customers and partners at substantial risk,” he said.
If a technology — such as antivirus, firewall, IDS, SIEM, access control, vulnerability scanner — hasn’t changed in a decade, what chance does it have to actually stop a modern threat, Curry asks. And at what point does carrying the massive weight of the security hygiene products actually create too much noise, distraction, blind spots and false security?
Has cloud changed the security spending landscape?
While the experts CSO Online consulted mainly agree that the traditional enterprise network needs to be maintained, there is also the move toward spending on the cloud and services. In many cases IT staffs must try to bridge the old and new.
The IDC survey “Security Survey Analysis: Growing Interest in Data Security, Endpoint Security, and Network Security Products” looks at the conundrum facing security pros.
"It’s not that the security buyer is stuck in the past; it’s that they are forced to maintain existing architecture while developing a security story for the future. Given that budgets aren't growing lock-step with digital transformation, it’s an unenviable task to find ways of securing new architecture and service delivery models," said Sean Pike, Program Vice President, Security Products and eDiscovery Information Governance at research firm IDC.
John Morello, CTO at Twistlock, agrees that the cloud and Devops are changing enterprises’ operational approaches and technical architectures, but many organizations haven’t adapted their security spend to align with these trends. Instead, many organizations are locked into multi-year support agreements for perimeter firewalls and traditional desktop anti-virus that are largely irrelevant in a world where apps and data mostly exist outside the network.
Rohit Sethi, COO of Security Compass, thinks the bigger story around misaligned budgeting is that companies are allocating 4 percent of their budget to application security but security of their software — including that built by third-party vendors — is one of the largest risks according to the Verizon Breach report. “Broad information security framework and compliance standards pay scant attention to application security which may be, in part, driving this budget allocation.”
Paul Querna, CTO and co-founder, ScaleFT, said security budgets have traditionally focused on protecting the perimeter, however the rise of cloud computing and the mobile workforce have broken down those walls. Companies that have recognized this have begun their own security transformation, redesigning their architecture from the inside out. This means that the spend will shift away from traditional products such as VPNs and firewalls to more cloud native solutions.
Not surprisingly, when vendors were asked which security technologies were being underspent on, they quite often cited the market in which their own products compete.