Should your security budget change after the COVID lockdown?
With large parts of the western world starting to emerge from the COVID-19 pandemic and the economic impact of lockdowns and travel restrictions, businesses are trying to plan for a new normal.
Many organisations have shifted to a greater reliance on cloud delivery of IT, a greater willingness to outsource non-core business functions (security and digital marketing, for example) and the continuation of working-from-home arrangements for much of the workforce. These changes, together with the operational and security infrastructure changes made to support them, have allowed businesses to remain flexible and effective.
So as IT security budgets are reviewed, what are the outstanding priorities to support these operational changes, and what are the strategic investments for the future? What should be in your security budget for 2021/22 and beyond?
Endpoint detection and focus
For businesses forced to operate with remote workforces, securing endpoints (user workstations, for the most part) has been a critical area of focus. We were already seeing the rise of UBA (user behaviour analytics, often UEBA or SUBA) and a growing market for EDR (endpoint detection and response) solutions. These technologies are now evolving further into XDR (extended detection and response).
For all the focus on endpoints, however, there are still gateway systems at the network perimeter, stored data, web-based applications and an array of cloud-based and on-premise IT systems that businesses use every day. There is an operational security need to get the balance right: too much focus on endpoints introduces risks and blind spots of its own, including:
- How to cope with BYOD strategies (where endpoint agents cannot be deployed or managed).
- How data is controlled once it is accessed or processed by third parties (who will have their own, different, endpoint approaches).
- How to protect the external server platforms (however hosted) that customers interact with over the Internet.
Any planned security spending should therefore cover not just the necessities of the work practices adopted during the COVID lockdowns, but also the return by many organisations to more reliable and trusted operational architectures.
Visibility and reporting
Another area where the security goal posts have moved is cyber governance, almost a new phrase in its own right. As we have digitally transformed our enterprises in recent years we have, in many cases, unwittingly enlarged our attack surface. The integration of business and IT operations means that regulators, and third parties more generally, now expect a business to have visibility of, and be able to report on, its security risks, its operational processes and the status of its controls. That is to say, cyber "maturity" or "posture" metrics have become increasingly important.
The wider digital transformation agenda, at least in part driven by the need for greater operational efficiencies during lockdowns, has led businesses to increasingly look to streamline and automate their processes. Improved service to customers and operational controls have been achieved through the addition of digital analytics, machine learning and process automation to business operating models.
Just as this transformation has digitalised business operations, it has also digitalised security operations and compliance monitoring and reporting. Embedding this technology in business processes has implications for senior executives and boards, whose responsibility and accountability for ongoing operations has grown accordingly. IT operations, business operations and governance have never been more interdependent.
As a result, regulators, and consequently boards, are now less willing to accept that security risk management can be "outsourced", or that a lack of knowledge is an acceptable excuse for failure. With this digital transformation, accountability for security risk and its management is clear. No senior executive or board member wants to be in the invidious position of mis-reporting, or simply not knowing, the security posture of their enterprise. It is now part of their broader responsibilities.
Assurance around core security controls
In business, a common set of financial, legal and social frameworks and controls provide a platform for reliable and trustworthy commercial interaction. As we move towards our digital future, with its expanded levels of cyber risk, a verifiable measure of cyber posture will undoubtedly become part of a broader commercial platform.
While the specific set of controls that make up good cyber posture varies from jurisdiction to jurisdiction, they invariably include:
- Patching operating systems and applications
- Strong password practices
- Application control (restricting which applications can be installed and run)
- Anti-malware software
- Blocking macros in documents
- Limiting administrative access and user privileges
These controls are so foundational that they are sometimes referred to simply as "security hygiene". When it comes to "hygiene" or "cyber posture", however, the effectiveness of these controls varies widely, so what matters is not whether they are in place but how well they are actually operating. The greater the shortfall in control effectiveness, the more vulnerable the organisation is to attack. To improve cyber posture, identified risks need to be mitigated and the gaps verifiably closed.
As demands for good IT governance increase from boards and other stakeholders, organisations need to allocate funding not only to tighten these controls but also to the systems that measure their effectiveness and report evidence of it.
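One way to turn "are the controls in place" into "how well are they operating" is to evaluate each hygiene control against per-endpoint evidence and report the effectiveness fraction and the concrete gaps. The script below is an added example, not code from the original article; the inventory records, the 14-day patch SLA and the allow-list of sanctioned local administrators are all assumptions constructed for illustration, and in practice the records would be pulled from your patching, EDR and directory tooling.

```python
from typing import Callable

# Constructed sample inventory (not real hosts): one record per endpoint,
# as a posture-reporting job might assemble from patching, EDR and directory tools.
INVENTORY = [
    {"host": "ws-001", "patch_age_days": 3,  "av_running": True,
     "macros_blocked": True,  "app_control": True,  "local_admins": ["svc_edr"]},
    {"host": "ws-002", "patch_age_days": 41, "av_running": True,
     "macros_blocked": False, "app_control": True,  "local_admins": ["svc_edr", "jsmith"]},
    {"host": "ws-003", "patch_age_days": 9,  "av_running": False,
     "macros_blocked": True,  "app_control": False, "local_admins": ["svc_edr"]},
    {"host": "ws-004", "patch_age_days": 20, "av_running": True,
     "macros_blocked": True,  "app_control": True,  "local_admins": ["svc_edr", "jsmith", "helpdesk"]},
]

PATCH_SLA_DAYS = 14            # assumed SLA; take yours from policy
APPROVED_ADMINS = {"svc_edr"}  # assumed allow-list of sanctioned local admins

# Each hygiene control is a predicate over one endpoint record: True means the
# control is actually operating on that host, not merely "deployed".
CONTROLS: dict[str, Callable[[dict], bool]] = {
    "patching":       lambda h: h["patch_age_days"] <= PATCH_SLA_DAYS,
    "anti_malware":   lambda h: h["av_running"],
    "macro_blocking": lambda h: h["macros_blocked"],
    "app_control":    lambda h: h["app_control"],
    "admin_limits":   lambda h: set(h["local_admins"]) <= APPROVED_ADMINS,
}


def control_effectiveness(inventory):
    """Fraction of hosts on which each control is operating, e.g. {'patching': 0.5}."""
    n = len(inventory)
    return {name: sum(check(h) for h in inventory) / n for name, check in CONTROLS.items()}


def gaps(inventory):
    """Hosts failing each control, so every gap can be assigned and verifiably closed."""
    return {name: [h["host"] for h in inventory if not check(h)]
            for name, check in CONTROLS.items()}


def posture_report(inventory):
    """Summarise posture for a board-level metric: the average across controls and,
    more importantly, the weakest control, since attackers go through the gap."""
    eff = control_effectiveness(inventory)
    weakest = min(eff, key=eff.get)
    return {
        "mean_effectiveness": sum(eff.values()) / len(eff),
        "weakest_control": weakest,
        "weakest_effectiveness": eff[weakest],
        "gaps": gaps(inventory),
    }


if __name__ == "__main__":
    report = posture_report(INVENTORY)
    print(f"mean effectiveness : {report['mean_effectiveness']:.0%}")
    print(f"weakest control    : {report['weakest_control']} "
          f"({report['weakest_effectiveness']:.0%} of hosts)")
    for control, hosts in report["gaps"].items():
        if hosts:
            print(f"  gap in {control}: {', '.join(hosts)}")
```

The weakest-control figure is the one worth reporting upwards: an 80% average looks healthy, but if half the fleet is outside the patch SLA the organisation is exposed regardless of how the other controls score.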
Optimising security workflows and response processes
The last obvious area for post-pandemic investment is anything that directly improves the accuracy and effectiveness of security processes, operations and workflows.
With resource constraints affecting almost every facet of security operations, security leaders must regularly review their processes to identify tasks that consume their team's time and effort without improving outcomes. Skills shortages and cumbersome processes mean that security teams are often under-resourced, overworked and struggling to make tangible improvements.
Much has been made of automating threat detection, alert handling and incident triage. Growing data volumes and a continuing reliance on analyst-driven investigation mean that threat investigation and response remain specialist, critical-path activities. Hence the need to streamline and automate SOC processing.
If businesses can improve the efficiency of their security teams by simplifying alerting and minimising handoffs between SOC processes, and combine that with a better understanding of the nature of the threats they face, SOC teams can deliver significant efficiencies across the overall security management process.
Investing in a framework such as MITRE ATT&CK® to contextualise threat observations within analyst decision-making lets analysts decide faster and more accurately which alerts represent an attacker progressing through an attack and which are noise.
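The following script is an added example of what that contextualisation looks like in practice, not code from the original article or from MITRE. It maps constructed detection signatures to ATT&CK technique IDs and tactics, then ranks hosts by how many distinct tactics have been observed on them rather than by raw alert count. The signature names and alert stream are invented for the example; the technique IDs are real ATT&CK identifiers, but techniques that belong to several tactics are pinned to a single tactic here for simplicity, and a real deployment would use the full ATT&CK data set rather than this hand-written table.

```python
from collections import defaultdict

# Assumed local mapping from detection signature to ATT&CK technique and primary tactic.
# Technique IDs are real ATT&CK identifiers; the signature names are constructed.
SIGNATURE_TO_ATTACK = {
    "mail_attachment_with_macro": ("T1566.001", "Initial Access"),
    "office_spawns_powershell":   ("T1059.001", "Execution"),
    "lsass_memory_read":          ("T1003.001", "Credential Access"),
    "logon_failure_burst":        ("T1110",     "Credential Access"),
    "rdp_to_new_host":            ("T1021.001", "Lateral Movement"),
}

# Constructed alert stream (not real telemetry): three alerts on ws-017 that
# chain across tactics, three identical alerts on ws-042, and one unmapped alert.
ALERTS = [
    {"id": 1, "host": "ws-017", "sig": "mail_attachment_with_macro"},
    {"id": 2, "host": "ws-017", "sig": "office_spawns_powershell"},
    {"id": 3, "host": "ws-017", "sig": "lsass_memory_read"},
    {"id": 4, "host": "ws-042", "sig": "logon_failure_burst"},
    {"id": 5, "host": "ws-042", "sig": "logon_failure_burst"},
    {"id": 6, "host": "ws-042", "sig": "logon_failure_burst"},
    {"id": 7, "host": "ws-099", "sig": "vendor_heartbeat_anomaly"},
]


def enrich(alert):
    """Attach the ATT&CK technique and tactic to an alert (None if the signature is unmapped)."""
    technique, tactic = SIGNATURE_TO_ATTACK.get(alert["sig"], (None, None))
    return {**alert, "technique": technique, "tactic": tactic}


def triage(alerts):
    """Group enriched alerts by host and rank hosts by breadth of attacker behaviour.

    The score is the number of distinct ATT&CK tactics seen on the host: a host
    showing Initial Access, Execution and Credential Access outranks one with
    many repeats of a single technique, however noisy the latter is.
    """
    per_host = defaultdict(list)
    for alert in map(enrich, alerts):
        per_host[alert["host"]].append(alert)

    ranked = []
    for host, items in per_host.items():
        tactics = sorted({a["tactic"] for a in items if a["tactic"]})
        techniques = sorted({a["technique"] for a in items if a["technique"]})
        unmapped = [a["id"] for a in items if a["technique"] is None]
        ranked.append({
            "host": host,
            "score": len(tactics),
            "alerts": len(items),
            "tactics": tactics,
            "techniques": techniques,
            "unmapped": unmapped,   # signatures needing a mapping, i.e. a detection-engineering gap
        })
    # Highest tactic breadth first; alert volume only breaks ties.
    ranked.sort(key=lambda r: (-r["score"], -r["alerts"], r["host"]))
    return ranked


if __name__ == "__main__":
    for row in triage(ALERTS):
        print(f"{row['host']}: score={row['score']} alerts={row['alerts']} "
              f"tactics={row['tactics']} techniques={row['techniques']} unmapped={row['unmapped']}")
```

Two things fall out of the ranking that a plain alert count hides: the host with the fewest alerts that nonetheless spans three tactics goes to the top of the queue, and every unmapped alert is surfaced as a detection-engineering task rather than silently scored as zero.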
These efficiencies and improvements are likely to be among the areas where investment delivers the most benefit in 2021/22 and beyond. If security teams are funded to "catch up" after the pandemic through improved risk management and posture, and threat response is hastened by better contextualisation, the concerns that emerged during the COVID hiatus about falling levels of security can be addressed quickly.