Cyber security can flourish in the face of recession
Many economists are predicting imminent worldwide recession, including such authorities as the International Monetary Fund and the World Bank. In my conversations with experienced CISOs, across EMEA and across all sectors, the mood is often sober: topics such as budget cuts, ROI and spending moratoriums crop up frequently. So how should this affect cyber security strategy, and how might it actually create a stronger outcome for businesses in the face of these pressures?
We need to start with an understanding of the context. For many years, cyber security teams have increased their annual budgets. In 2017, worldwide spending on cyber security stood at $34bn. By 2021, that figure had risen to over $60bn, an increase of roughly 76%.
These are massive figures and significant increases, but given the equally rapid growth in the volume and severity of cyber threats, the rise is not difficult to understand or explain.
eCrime is rampant, and continues to accelerate year on year. CrowdStrike research shows an 82% increase in ransomware-related data leaks in the last full year, recording 2,686 incidents in 2021 compared to 1,474 in 2020.
The cost of a successful ransomware attack has similarly ballooned: in 2021, observed ransomware-related demands averaged $6.1 million per case, up 36% from 2020. And the true costs of successful ransomware attacks are, of course, much higher than the initial ransom demand. Disruption to the business, the cost of investigating, repairing and remediating systems, legal costs and reputational damage might double the impact. Then, the increasing tendency for eCrime groups to exfiltrate data for a second round of extortion, and to revisit companies they’ve successfully breached in the past, potentially means the costs will continue to spiral long after the initial attack.
Tactical security vs strategic focus
All of this has led to something of a cybersecurity arms race, with the increasing likelihood of attacks, together with the equally escalating costs of a successful breach, leading to blank cheques for security chiefs to license whatever tools they deemed necessary to contain the risk.
But this inflating level of expenditure has not, unfortunately, led companies to an unassailable cyber-nirvana in which they are immune to attacks. Quite the opposite: today there are more breaches, and they cost more than ever.
At many businesses I’ve consulted with, it’s not uncommon for security departments to have 90 licensed cybersecurity tools at their disposal, and some have many more. This is partly because cybersecurity purchasing has historically been tactical at many companies: a threat (real or theoretical) is revealed, a solution developed, along with a great sales pitch, and the next-big-thing soon becomes a part of those companies’ security arsenal.
But this tactical tendency often has three negative outcomes:
- In many cases, these new tools are never properly deployed. The solution wasn’t quite what was expected, proved difficult to roll out, the appropriate stakeholders never bought into it, or another item rose to the top of the agenda and the project was waylaid.
- Otherwise, the tools were deployed but they never really became core to security practice – they’re ultimately just another source of noise, generating duplicate alerts for events already covered by other tools, or extra alerts no-one is sure how to respond to.
- In still other cases, old-fashioned tools like signature-based antivirus, or a legacy SIEM, remain in the estate through habit, long past their sell-by date. They create further distractions.
This sorry set of circumstances – tighter budgets, rising threats and short-termist technology decisions – may appear to be a disaster in the making. Without action, that could well be the case. But it also presents a considerable opportunity for many companies.
Opportunity out of emergency
Complexity is the enemy of cybersecurity: it creates distraction, where clarity is key; it divides priorities, where focus is required; it consumes resources, where they need to be conserved.
Our current dilemma with the recession is an opportunity to sweep away this costly, risk-inducing complexity, and instead establish focus, clarity and a single source of truth.
Consolidating cybersecurity efforts into a single, best-in-class platform which brings together capable tools that cover all the angles has never made better sense. How is it logical to work with a slew of different vendors and different approaches to cover threats? Cybersecurity has a well-established and effective set of tools and principles, which work best in concert, as opposed to competition.
The road not to take
Effective cybersecurity is not a discretionary expenditure for companies: the risks are too high and too common to avoid. Every company needs next-generation antivirus, endpoint, network and cloud detection and response, threat intelligence, XDR and Zero Trust identity protection.
This is a broad set of tools, but there are definitely ways in which security departments can make their lives easier or harder, the protection they deliver more or less effective, and their budgets more or less justifiable.
They might buy seven different tools from seven different vendors. But they shouldn’t. Notwithstanding the individual excellence of any of these tools, or their price, this would be the harder, more inefficient, less effective route – seven platforms, seven sets of notifications, none of which are aware of each other. It’s a recipe for chaos, however effective individual tools are within that system.
The better, easier, more effective and efficient path is to consolidate around a single platform comprising best-in-class for each of those tools, in which a single pane of glass can deliver all of the vital information administrators need to be aware of, and where detections and intelligence from each part of the platform are integrated with, and reinforce, every other component.
If more difficult macroeconomic conditions might be said to have an upside, it’s that the resulting process of rationalisation and consolidation has three, fairly obvious, potential advantages for companies.
First, it forces a strategic lens on cybersecurity. All the bases need to be properly covered, for sure, and that won’t happen by moving to the cheapest options. But nobody needs 90+ tools to accomplish what needs to be done. Taking a new, strategic overview to the toolkit will benefit almost every company.
Second, this rationalisation will root out duplicated, deprecated and ineffective investments. Licences acquired on a whim, in response to a temporary situation, because they've been there forever, or after a convincing sales pitch, can quite correctly be retired, to the benefit of the company's bottom line.
Third, and perhaps most importantly, cybersecurity becomes stronger, leaner and more effective when a truly integrated, focused, self-reinforcing approach is adopted.