CYBER RISK NEEDS NEW SOLUTIONS
This year, companies will spend more than $23 billion on cybersecurity, according to ABI Research. That is a lot of money, yet cybercrime doesn’t appear to be slowing down. If one looks for a return on investment, cybersecurity comes out quite poorly, and there are many anecdotal accounts of companies that spent big and still fell victim to online crime.
Why is this happening? The problem doesn’t necessarily sit with security technology but rather with how the technology world has changed, says security monitoring provider Encore’s co-founder, Lior Arbel.
“Today’s business technology estates are much more complicated. They have many more layers, they often operate beyond the business’ secured parameters and they are tougher to monitor. Businesses try to address security risks by focusing on specific areas but they often don’t connect the dots into an overall view of their entire security environment,” he says.
SECURITY FOR A COMPLICATED WORLD
Point security solutions illustrate this situation. These security solutions focus on specific challenges, such as device management or email security. They do essential jobs, and security is weaker without them. But when point security services remain isolated, they leave gaps that criminals exploit.
“Hence why more security doesn’t mean better security and lower risk. The issue often comes down to how companies think they understand security. They identify a problem, find a solution, motivate the cost and bring it into the environment. Then they find another problem, another solution and so it goes. Why does this happen? They focus on specific problems but don’t have that big picture. We often help businesses that have many security services yet still encounter problems. This is because they aren’t connecting the dots,” says Arbel.
Such companies also have many unintended overlaps between services, duplicated systems and underutilised features. For some, it is tempting to let go of so many different services and bring everything together under one brand. But Arbel advises against this.
“Consolidation must not be the only target. No one vendor can cover all your security needs. The constant march of new attack opportunities requires businesses to be more creative with their security investments and that means taking on different products that do the best job against specific threats. It’s not about consolidation, it’s about how we get all those pieces to work in harmony,” says Arbel.
CREATING SECURITY HARMONY
Security harmony is the key to reducing cyber risk. Like an orchestra, security only finds this harmony when it has central guidance, which many companies overlook. Fortunately, demand for a single view of complex security estates has led to an emerging class of software that audits and reports on the big picture and specific details.
Though many security products report their status, they focus only on themselves. Arbel explains: “Some cybersecurity systems have good reporting capabilities but they tend to use bespoke agents and data standards, so to get the bigger picture people spend many hours manually collecting and compiling that information to consolidate the data from the various systems. However, many don’t, so you need security auditing services that agnostically query all security and create reports that serve all that information in one format.”
Managed security service providers have encountered this problem for longer than most. Since they must understand entire customer environments, they cannot rely on narrow vendor-generated reports. Encore itself emerged as software used by its sister company, Performanta, to audit customer estates. It wasn’t long before those customers saw the benefit of using such software for themselves.
“Our customers wanted that capability because it helped with their planning, managing SLAs, directing partners, and making the best use of their security staff’s time. And the major appeal is that agnostic audits helped them plan strategically for their risks. It stopped being about parachuting in another security service to meet a specific risk. They could see the big picture and address things holistically. They could also see where they were wasting money with duplication or under-utilisation.”
Companies of all types invest in cybersecurity, and there is general acknowledgement that the digital age’s risks must be managed. But unless companies can connect their dots and see the bigger picture, they will continue mitigating individual risks without genuinely improving their overall position. That is why more security doesn’t reduce cyber risk, but smart security management does.
“Look for that big picture, and use third-party software that can deliver it across all your security investments,” says Arbel. “Don’t rely only on vendor reporting tools – they are great for specific services and appliances but not the big picture and you want to know about all of them in context. Fortunately, it doesn’t take a lot to introduce continual agnostic audits into your environment and it will be a change that keeps improving your business.”