As we hit the midpoint of the year this month, there are many corporations and businesses that are probably reviewing their departments and their budgets, and what has been spent versus what is not. Of course, hot on the list is the IT spend on Cyber security. Given the threat landscape these days, this is an area in which a lot of money is being spent. But the question often remains: Is it being spent in the right way?
At the present time, it is estimated that Corporate America spends about 75% of their IT budget just on the procurement and deployment of the prevention technologies themselves. Yes, this is obviously important, nobody wants to be hit with a BEC or Spear Phishing campaign. But that leaves only 25% left of spend for other areas of IT which need critical funding as well.
So just as your financial advisor is always trying to find ways to fine-tune your portfolio to meet your needs, the CIO must do the same to meet the security needs of his or her organization. But keep in mind that the prevention tools are just one realm of Security based technologies that an organization can and should implement. Along with this, there are two other areas of technology which deserve focus as well, and they can be broken down as follows.
But first, let us put up a formal definition of prevention technologies:
“These are products or services designed to detect and block a cyber threat before it succeeds.” (SOURCE: https://www.helpnetsecurity.com/2018/07/10/cybersecurity-portfolio/)
The typical examples of these include the usual firewalls, routers, hubs, network intrusion devices, all of the antimalware/spyware/adware software packages, spam and phishing e-mail detection systems, etc.
Now for the other two “buckets” of Security technologies:
*Detection and response:
“These solutions help identify and clean up a threat after it has infected a network. In other words, when an attack or malware makes it past preventative defenses, these products help IT learn about the threat and remediate it.” (SOURCE: https://www.helpnetsecurity.com/2018/07/10/cybersecurity-portfolio/)
Examples of tools in this realm are typically the endpoint detection tools as well as the Security Information and Event Management (SIEM) software packages. Keep in mind here that the Cyber attacker is now starting to get interested in attacking the endpoints of a security system, for example the point where a network connection originates and the point where it terminates. This is often an overlooked area for the IT staff, as most of the focus has been on protecting what happens in between.
*Business continuity and disaster recovery:
“This bucket includes services and technologies that help recover IT systems and data needed to continue a business after a catastrophe, such as a cyber attack.” (SOURCE: https://www.helpnetsecurity.com/2018/07/10/cybersecurity-portfolio/)
Most of the solutions in this area revolve around using the Cloud and even Virtualization as a means of backup and recovery.
So, out of all of this, what is the optimal mix of these Security technologies that the CIO should deploy for their business? The recommendation, or the allocation is as follows:
75% on Prevention
25% on Detection and Response
25% on Back up and Recovery
However, other analysts have come up with another mix broken down as follows:
50% on Prevention
30% on Detection and Response
20% on Back up and Recovery
Interestingly enough, Cyber security experts are shying away from spending too much on the existing Security technologies when it comes to Prevention. Instead they are favoring investing more in tools such as Artificial Intelligence, Machine Learning, Neural Networks, etc.
The primary reason for this is that as mentioned, the Cyber threat landscape is always changing, and the existing technologies just simply cannot keep up with this pace. You need tools that can not only analyze what is happening in real time, but also has the ability to predict what future threats will look like as well.
But, why the shift to an increased deployment of Detection and Response based technologies? Well, according to the latest Cost of a Data Breach study from Ponemon Research, it can take as long as 190 days for a business or corporation to actually take notice that their network has been infected with malware. All I can say is “yikes!!!”, that is just way too slow.
Given the sophistication level of the Cyber attacker today, terabytes and even petabytes of data can be stolen in just a matter of one hour. During those 190 days, the Cyber attacker can launch multiple Identity Theft attacks based upon the data that they have stolen, and then ride off into the sunset. Cyber security analysts are now heavily favoring endpoint security tools as well, primarily for the reason just described.
With regards to backup and recovery, Cyber security analysts are obviously favoring the use of the Cloud for such purposes, both from a cost and an efficiency standpoint.
There are many Cloud deployment models that an organization can choose from, but the Hybrid Cloud model is gaining quite a bit of attention. Also, interest in purchasing Cyber security insurance is picking up, as the costs of downtime and recovery are just way too staggering for a small business to deal with.
Obviously, how an organization spends their IT budget on Cyber security is heavily dependent upon, first, how much money they actually receive, and second, what their own security requirements are. The recommendations are just guidelines, like a model financial portfolio, and are not set in stone by any means whatsoever.
But as I look at these professional allocation recommendations, I am aghast to see that employee security training and awareness workshops are nowhere to be found. Does this prove that once again Corporate America is still too reliant upon technology rather than human vigilance in order to thwart Cyber attacks?
Remember that employees, contractors, third party vendors, etc. are very often the weakest link in the chain for any organization. Resources need to be devoted as well here.
Finally, much more granular recommendations as to how a Cyber security budget should be allocated and spent is available via a great whitepaper from the SANS Institute, and it can be downloaded at this link: