Compliance & Legislation

December 10, 2017

We hear various cyber security quotes in conversations about threats and risks and the need to protect information. There are a few things that are perennially the case in the field of cyber security – they all hinge around really rapid growth:

  1. Growing threats
  2. Growing technological complexity
  3. Growing numbers of technical controls and solutions
  4. Growing regulatory pressures
  5. Growing reliance on third parties
  6. Growing demands for expertise and resources
  7. Growing public expectation, perception and understanding of privacy and security
  8. Growing staff costs and salary expectation for (often scarce) resources

These are all largely accepted truisms as can be seen from 1, 2, 3, 4, 5, 6, 7, 8.

However, the one thing that cannot be assumed to be growing, or at least growing at the same rate as these demand drivers, is the supply of security budget to the CISO, security manager or security team.

The 2017 IISP survey in the UK found that only 10% of security budgets were rising ahead of the increasing threats, and whilst a further 60% were rising they were not keeping pace with threat increases. Around 23% of budgets were either flat or falling.

This implies that there is a challenge in simply justifying security budget increases year-on-year – especially for businesses that might be struggling with wider economic pressures (low growth, cost inflation, flat revenues, increased competition, new market entrants, growing costs etc.).

The solution to a 50% increase in threats cannot be a corresponding 50% increase in security spend, there just won’t be the money available when other parts of the business (often revenue generating or customer facing parts) are also clamouring for budget.

Cyber security quotes: We need more budget for new solutions

Every year new cyber security solutions emerge. They might detect a certain type of attack, or offer this insight, or prevent a certain type of data loss, or eradicate a certain type of vulnerability. Often they do more than just one thing and also provide reporting or simplified management. They will, of course, have a clear business case for investing in them – and the vendor’s marketing team or sales people will explain this to you. And more than likely they won’t be matched or equalled by any of their apparent competitors – in fact they will be unique.

The decision seems simple – there is a benefit that outweighs the cost and no alternatives. Why not invest?

There are two chief reasons to be cautious – one is the gap between marketing and reality – as we all know, some products may not live up to the marketing and sales messaging; they will probably be harder to operate, probably won’t deliver the full returns and savings they claim and might not be quite as new or unique as indicated.

Secondly, and for this blog post most importantly, there will be a number of these solutions as well as others on the market and the available budget won’t stretch to cover them all, irrespective of how much money they save or risk they avoid because saving money or reducing financial risk doesn’t generate cash for the business; it just avoids losing it. A security solution might positively impact the bottom line (by reducing the losses or costs) but it won’t add to the top line (of increasing revenue).

As a result there will never be enough budget to spend on all the solutions that vendors would wish you to invest in or that you might identify as being beneficial.

Cyber security quotes: We need more budget for additional staff

Security resources are famously scarce There are several challenges with increasing the staff/resource budget. For one thing you will mainly increase it in whole numbers of people. You might be able to add a part-time role to the head count, but for the most part you will need permanent/fixed professional, full-time placements. If your current team of three is stretched and you want to hire one more person, that’s a 33% increase.

The greater challenge is not budget, however, but the attraction and retention of staff. Salaries are escalating due to the shortage of cyber skills and this same shortage means that even if you have headcount it might not be possible to find someone (at the right price) to fit. A vicious cycle can form where existing staff, fed up with being shorthanded and overworked, look for roles elsewhere and leave – so you have even more seats to fill.

This challenge isn’t going to alleviate in the short term (or even medium and long terms). Other workplace attractors might be equally as important as the staff salary budget, such as having leading edge technology, good training/development plans and an environment where security personnel can feel empowered, respected, valued and free to work the way they want to..

Cyber security quotes: We need more budget to handle all these new business projects

Business projects are continuously requiring security input

Security used to sit at the back end of the business planning/project process – it was a sign-off gate at best; where the security manager was often presented with a fait accompli to “approve” following a penetration test. Nowadays the security process is in most cases a more integrated one; with security architecture and approach decisions being made earlier in a technology project or business initiative.

One challenge has always been who pays for security involvement? Largely this comes down to whether security has the budget to support all the projects and initiatives or whether enforcing security in the project business cases makes the cost estimates disproportionate. Whether it is “the project” seeking funding or investment for security, or a security team seeking a higher level of resource to support the projects, the effort, controls, design work, assurance and validation has to happen somewhere.

The security manager of 2018 can hardly press the case for security to be involved in the projects the business kicks off at the early stages and through the process if there isn’t the funding, resource or bandwidth to actually carry that through.

Cyber security quotes: We need more budget to cope with an x% increase in threats/attacks/alerts

Threats are growing all the time

The last driver for growing the security budget is the rising challenge of the threats that businesses face. There are shortcomings in the way we develop, deliver and use technology that, if the security industry is honest, it just hasn’t solved. Viruses, users choosing poor passwords, privilege management, application code vulnerabilities like SQL injection, failure to patch systems, bypassed change controls, insufficient backup are all still problems today just as they were 20 years ago.

On top of that we have built technologies and systems that embroil the security function in a whole gamut of new challenges, BYOD, ransomware, cloud hosting, shadow IT, social media, collaboration platforms, Internet-of-Things devices, remote working.

The threat landscape has gone from a small number of expert hackers and ranks of “script kiddies” to a large, diverse and organised criminal and state-sponsored community that has its own Internet and its own currency as well as sufficient entrepreneurial and technical brain power to cause real damage.

This means more threats, and those threats being more severe. Hence new solutions, better response times, more comprehensive coverage and a much reduced ability to accept risk on the basis that “we aren’t a target” or that “it probably won’t happen” – you probably are and it probably will.

The reality of cyber security growth: Asymmetry

The reality of cyber security is that there is a huge asymmetry between the finite resources and constrained budgets and headcounts of a security function (either the operational side or the project side) and any and all of the following:

  • The size and sophistication of the attacking community, organised crime and foreign governments
  • The complexity, diversity and interconnectedness of technology
  • The innovation and rate of change in many businesses
  • The limitations of human users in terms of what we can expect them to learn, remember or be inconvenienced by
  • The range of cyber security products, solutions and services
  • The number of people with the ingenuity and freedom to try things who might want to cause mischief
  • The number of places where modern organisations store data on servers, endpoints, mobile devices, third party systems and in the cloud (both official and shadow)

This asymmetry isn’t going to be resolved anytime soon, and the gap is probably widening. Whereas budgets are increasing slowly, the size of the problem is growing ever faster and so for all our efforts the picture is becoming gloomier.

New thinking

What this means is that security approaches must constantly seek step changes in performance. Just adding on and improving the way things are currently done is unlikely to keep up. Advances in automation, machine learning and AI are good examples of techniques that enable systems to detect a greater range of threats with increased precision – and then to streamline, through automation, the processes that human operators might go through if they weren’t so overburdened.

Verifying and triaging threats can be done by intelligent systems as they occur, automatically gathering corroborating and supporting data, ruling out false positives and bogus alerts, enabling the creation of a complete and accurate dossier for real issues so that human decisions can be taken quickly, consistently and confidently. Once this point is reached the orchestration of IT services, systems, configuration and responses can likewise be optimised so that containment or resolution actions are swift, decisive and effective.

5 Step Cyber Security Benchmark Tool

BLOG POSTS

Related Cybersecurity Content

SIGN UP TO RECEIVE CYBER SECURITY INSIGHTS

Read by directors, executives, and security professionals globally, operating in the most complex of security environments.