The secret that cybersecurity “experts” won’t tell you is that there is no direct correlation between the amount of cybersecurity spending and the quality of cyber resilience. Business leaders aren’t seeing a return on investment, and cybercriminals are outpacing cybersecurity teams. Unfortunately, most organizations are pouring money into leaky buckets, wasting resources on defenses that don’t hold up against real attackers.
Here are three ways businesses misallocate cybersecurity resources and what to do instead.
1. Blind faith in “leading-edge” technology
A crucial component of cyber resilience is technical controls, but some firms keep jumping from one “latest” technology to the next, seeking a magic bullet. This obsession is counter-productive, leaving security teams struggling to configure, integrate, and optimize security tools as they pile up.
Don’t pile on the tech stack unnecessarily.
Complexity breeds vulnerability. Every product added to the stack brings its own agents, consoles, credentials, and integrations to configure and patch, so security misconfigurations increase and the attack surface expands with it. The figures cited for tool sprawl are striking: the average large firm manages around 130 security products, mid-sized companies 50 to 60, and small companies 15 to 20.
Don’t invest in false security.
Spending millions on next-generation firewalls and then deploying them with permit-any rules that let nearly all traffic through is a wasteful expense; the appliance is present, but the control is not. Studies have found that organizations with more than 50 security tools are 8% less likely to mitigate risks and 7% less secure than those with fewer.
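What “unlimited network traffic” looks like in practice is a permit-any rule high in the policy, after which every later deny can never match. The following is an added example, not code from the original article or from UDT: it audits a small constructed ruleset, written in an assumed toy “action source destination port” format (first match wins) rather than any vendor’s syntax, for permit-any rules and for rules shadowed by an earlier one. SAMPLE_RULESET, audit, and the other names are this example’s own.

```python
"""Audit a firewall ruleset for permit-any and shadowed rules.

Added example, not code from the original article. The rule syntax
("action source destination port", first match wins) is an assumed
toy format for illustration, not any vendor's configuration language.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Union

Network = Union[IPv4Network, IPv6Network]

# Constructed sample ruleset. Rule 2 is the kind of "allow everything"
# entry that turns an expensive appliance into a pass-through: every
# deny rule written after it is dead.
SAMPLE_RULESET = """\
allow 10.0.0.0/8 10.1.2.10/32 443
allow 0.0.0.0/0 0.0.0.0/0 any
deny 0.0.0.0/0 10.1.2.0/24 22
deny 0.0.0.0/0 0.0.0.0/0 any
"""


@dataclass(frozen=True)
class Rule:
    index: int        # 1-based line number in the ruleset text
    action: str       # "allow" or "deny"
    src: Network
    dst: Network
    port: str         # "any" or a single port number as text


def parse_ruleset(text: str) -> list[Rule]:
    """Parse the toy format into an ordered list of rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        action, src, dst, port = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(lineno, action, ip_network(src), ip_network(dst), port))
    return rules


def is_any(net: Network) -> bool:
    """A /0 matches every address of its family."""
    return net.prefixlen == 0


def covers(outer: Network, inner: Network) -> bool:
    """True when every address in inner is also in outer."""
    return outer.version == inner.version and inner.subnet_of(outer)


def find_permit_any(rules: list[Rule]) -> list[Rule]:
    """Rules that allow any source to any destination on any port."""
    return [r for r in rules
            if r.action == "allow" and is_any(r.src) and is_any(r.dst) and r.port == "any"]


def find_shadowed(rules: list[Rule]) -> list[tuple[Rule, Rule]]:
    """Pairs (later, earlier) where an earlier rule fully covers a later one,
    so the later rule can never match. Coverage is checked by network
    containment and port; port ranges and protocols are out of scope here."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst)
                    and earlier.port in ("any", later.port)):
                shadowed.append((later, earlier))
                break
    return shadowed


def audit(text: str) -> dict:
    """Run both checks and report rule indices, as a reviewer would read them."""
    rules = parse_ruleset(text)
    return {
        "permit_any": [r.index for r in find_permit_any(rules)],
        "shadowed": [(later.index, earlier.index) for later, earlier in find_shadowed(rules)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RULESET)
    print("permit-any rules:", report["permit_any"])   # [2]
    for later, earlier in report["shadowed"]:          # (3, 2), (4, 2)
        print(f"rule {later} can never match: shadowed by rule {earlier}")
```

Against a real device export only parse_ruleset changes; the two checks are the point. A ruleset that reports a permit-any rule is the “false security” the section describes: the firewall is inspecting traffic it has already agreed to pass.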
DO minimize cost and complexity.
Prioritize native cloud security over third-party security products to reduce expense and complexity. Data encryption, privileged access control, mobile device management, and security logging are available as native cloud controls that deploy faster and cut integration work. Native does not mean on by default, though: each of these still has to be enabled and configured, and logging in particular must be switched on and routed somewhere it will actually be reviewed.
The cloud-native approach is cheaper than third-party security solutions, which require expert services to integrate and maintain. Still, there are situations where a native control falls short of a specialist third-party product. Assess the applicability of native cloud security technologies before committing to either option.
2. Premature hiring of permanent security
It’s common for some firms to hire CISOs and permanent security staff too quickly, mostly out of panic. Onboarding personnel before adequately evaluating their capability to address the business’s cybersecurity needs is a strategic mistake that blows budgets and exposes the organization to even more risk.
Don’t rush building an in-house team.
Threat researchers, malware analysts, incident managers, and forensic investigators are among the roles needed to form a working security detection and response team. These resources are expensive: the current average salary of a data or cybersecurity manager is $144,940 annually.
DO consider third-party consulting.
An alternative approach is outsourcing the SOC function to specialist firms – including CISO-level consultants. Engaging an experienced cybersecurity service provider on a contract basis can boost detection and response capabilities without hiring expensive, permanent staff.
DO leverage global SOC resources.
A global SOC provider’s industrial-scale computing power gives you access to massive telemetry data sets and mature machine learning models. Outsourcing the cybersecurity function filters out enormous volumes of false positives and sharpens focus on clear and present threats, although the provider still depends on the client for asset inventory and business context. It also accelerates the business’s cyber transformation while avoiding the cost of bad permanent hires.
3. Over-fixation on security audits
Due to stricter data protection regulations, data security and privacy audits have increased dramatically. Cybersecurity teams often get buried in these ongoing audits, which surface more findings than the team has the capacity to remediate.
Don’t apply unnecessary pressure.
These costly and repeated audits take up a lot of time, distracting teams from their primary goal of safeguarding essential systems. Endless reviews and manual responses to auditor queries burn out security teams, expending their time and energy on reports that become useless as soon as they are archived and forgotten.
DO plan to avoid audit-fatigue.
Make no mistake; audits are essential to maintaining cyber resilience. Consider the following tactics to unburden cybersecurity staff.
- To prevent redundant audits and cybersecurity staff burnout, engage the help of external auditors.
- Prioritize assessing high-value systems that support your competitive advantage, trade secrets, or most profitable business lines.
- Start with basics like high-risk supplier audits or privileged access assessments before moving on to complicated assurance tasks (such as red teaming or threat hunting).
Sustained resilience requires financial prudence
Cybersecurity leaders must rigorously evaluate every cybersecurity expense based on its capacity to safeguard essential digital assets and increase shareholder value. Otherwise, companies risk ballooning costs on top of a progressively weakening security posture.
CISO-as-a-Service: Strategic Security Within Your Reach
Finding and hiring a full-time Chief Information Security Officer (CISO) with the necessary experience can be challenging for organizations of any size. The right resource is critical to an organization’s security resilience and regulatory compliance.
UDT offers a unique service to the cybersecurity field: Chief Information Security Officer as a Service (CISOaaS). This service provides a client with the expertise to navigate the changing cybersecurity landscape without needing to hire an entire team.
What are some of the benefits of CISOaaS?
- No need to hire someone full-time
- Leverage expertise from a pool of former CISOs
- Provide oversight and management of day-to-day activities
- Provide insight on reporting and cyber events
- Fill gaps in key strategic security components