Taking a ‘risk-based’ approach to cybersecurity spend

Too many tools and services can cause confusion and prove a waste of spend.
30 May 2019

CISOs need to focus their defences. Source: Shutterstock

Ransomware, SQL injection, phishing scams, DoS attacks: given the range and diversity of the cybersecurity threat landscape, an extensive range of defensive weaponry seems a logical investment for today’s businesses.

It’s no surprise then that a study by Ovum found that most enterprises have up to 50 cybersecurity tools in use at one time. At the same time, however, the study revealed that two-thirds of organizations suffered a significant security breach last year.

As new threats develop, enterprises spend on new solutions to defend against them and so end up with a ‘portfolio’ of tools whose ROI rests on there being ‘no breach’ as a result.

For CISOs and their ilk, this measure of success can create a culture of “false positives”, according to Ovum’s Research Director Maxine Holt, a speaker at Infosecurity Europe 2019, whereby a glut of cybersecurity tools both complicates matters and adds expense to a company’s security standing.

Too much noise

Speaking to TechHQ, Holt explained that there are two main problems associated with having a high number of security tools. Firstly, they create “huge volumes of uncoordinated alerts” that must subsequently be investigated.

“Not only are there false positives, but of greater concern is that a security analyst will miss a genuine alert that could cause problems in their particular organization,” said Holt.

Secondly, security teams may be reluctant to relinquish this arsenal, because each tool was bought on the strength of a particular threat rather than on the basis of a ‘formal’ risk assessment of where their organization is actually most vulnerable.

“Discarding a tool means that firstly, the tool was bought in error, and secondly that it hasn’t done its job,” said Holt.

As the threat landscape becomes more complex, CISOs are, therefore, under mounting pressure to audit and coordinate this web of cybersecurity solutions and, at the same time, ensure that they are maximizing investments.

Where’s the money going?

The cybersecurity market is on track to be worth US$70 billion this year. As threat actors get increasingly sophisticated and numerous, business is positively booming.

But most enterprise security investment is focused on prevention alone. An attacker only needs one way in, and with the majority of vulnerabilities traced back to human error, no business is airtight.

While spending on preventative measures might not be slowing, businesses are beginning to integrate these types of tools, so alerts are increasingly “coordinated, orchestrated and contextualized”, explains Holt.  

However, businesses are becoming aware that not every attack can be stopped. As such, she expects more spend to be directed to detection and response software and services.

ROI in these instances is no longer measured as ‘no threat’; return on investment is instead based on ‘threat mitigated’.

Cybersecurity tool audit

While a CISO can integrate certain tools, others may have become surplus or may not be used to their full potential. It’s vital, then, that a cybersecurity tool audit is carried out before further investment is made.

This is best done by mapping tools against the stages of the ‘cyber kill chain’, says Holt. The kill chain is a model of the successive stages of an intrusion (from reconnaissance through to actions on objectives) developed by aerospace and defence company Lockheed Martin.

Grouping security controls into buckets of ‘prevent’, ‘detect’ and ‘respond’, an enterprise can review its existing tools against each kill-chain stage, mapping them into a table of stage against control bucket and noting where its own vulnerabilities sit.

“Having a visual representation like this helps a CISO understand where they have coverage already— including too much coverage— and where there might be gaps in the security portfolio,” says Holt.  

“This is where the ‘shift to the right’ happens, and enterprises focus security spend on detection and response.

“Where there is too much coverage, likely around prevention tools, the focus is on consolidation and integration, sometimes taking the decision to discard an existing investment.”

A risk-based approach

A ‘spray and pray’ investment tactic, buying from an endless list of suppliers, might be effective against untargeted, generic attacks, where attackers have made little effort to research their victim. However, it is unlikely to stand the test of time as threats become more sophisticated, and it will prove a costly measure, particularly in smaller companies where the security function must justify its overheads.

“Determining return on investment is challenging for CISOs: the objective of security tools is to stop something from happening or limit the damage should something happen,” Holt explains.

“As such, they stay in the background and there is little opportunity to clearly demonstrate value for money.”

However, Holt suggests that CISOs support their security teams and prove their value by reporting on reductions in security incidents against a cybersecurity scorecard.

Taking a risk-based approach to cybersecurity investment ensures that money is spent on a smaller selection of tools that are relevant to the vulnerabilities of a particular organization.

The business’s security posture is therefore improved through layered security defences.

TechHQ is an official media partner of Infosecurity Europe 2019 (June 4-6). You can hear more from Ovum’s Research Director, Maxine Holt, on ‘How to Optimise Investment in Cybersecurity Tools, Technologies & Products’ on June 5 (14:40 – 15:30).