The cyber security market is broken, and the major culprit has been a detection-based reactive mindset propagated by the big-budget security vendors trying to sell us more tools. That has made the job of an everyday CISO noisier and less safe. Instead of stopping breaches, detection vendors try to convince us to spend more on new mousetrap modules. Meanwhile, the adversary rats find clever ways to move laterally to the crown jewels and go undetected. The market has become focused on glamorous dashboards and data reports that try to lull us into a feeling of safety. That’s proven to be a false sense of security.
But what really happens when there’s a breach that the expensive detection tools missed? The unacceptable answer is that they’ll sell you yet another layer that costs more. Those same vendors who sold you their AV will come back with their NGAV, and then EDR, MDR. Now it’s XDR. More telemetry, more noise, more complexity, more to buy. Yet the number and impact of business-interruptive attacks continue to climb year over year. Where does it end?
Although the COVID-19 pandemic has slowed the overall economy, the fact that stock and earnings results are up for the big herd of cyber security companies means that more organizations are simply spending more money on more tools to protect themselves. This is good news for the vendor community, which has seen incredible growth overall as more organizations pay closer attention to their security. Ideally, an increase in IT security spending should mean a corresponding reduction in the risk of experiencing a damaging cyberattack. More money spent, more security - right? Wrong. That corresponding risk reduction has yet to materialize. The daily news we read about significant breaches is relentless. To calm those fears, the same over-promising sales rep will be trying to sell you yet another noise rattle module with XDR.
The economic impact created by COVID-19 will undoubtedly put downward pressure on non-discretionary spending areas like security. Enterprises have been hyped into buying more as a means of staying safe and were consequently oversold with too many layers, modules, slick dashboards, and embellished vendor claims. Companies of all sizes will need to recognize the hard truth that security budgets were already overweight before the pandemic, and many existing areas of spending were not needed in the first place or simply failed the most basic expectations.
Before the pandemic, companies had tried, somewhat successfully, to gain efficiencies by offloading tasks to software automation. The SOAR market, which was quickly acquired by deep-pocketed vendors, was born out of a simple efficiency gain for SOC analysts. However, it was short-lived, and this automation really only addressed the remedial low-level manual tasks. The staff burden created by the deafening noise of reactive tools has created new problems. In fact, according to recent research from ESG, organizations' fascination with buying more tools, and the complexity that comes with them, has made the cybersecurity skills shortage worse, with over 70% of companies claiming their organizations are impacted.
When budgets come under pressure, it forces a disruption in any market—and the security market is long overdue. It becomes a forcing function to do more with less. Better security does not need to be compromised. There are fundamental areas around building basic IT security hygiene procedures that are free and don’t cost a dime. This is a topic for a different discussion, but suffice it to say that organizations can take down a meaningful amount of risk by nailing the basic hygiene items very well.
Companies can also cut out the redundancy in the existing tools they've bought. For example, if a core set of security controls is part of your existing agreements, or embedded for free in your Windows 10 OS, it does not make sense to continue paying a third party for those same baseline capabilities. It makes logical sense to adopt what can be leveraged for free and reinvest the savings into more strategic areas that deliver a greater reduction in risk, especially when those areas simplify your environment and integrate out of the box with your Microsoft environment. Organizations also need to take stock of the hyped security tools they’ve bought and ask themselves whether the promise of what they’ve been sold actually meets the expectations sold to them. Today, most major organizations use over 100 security tools on average. Undoubtedly, many of these provide little value, and most likely contribute to the burdensome complexity security teams face. If those tools are reactive detection tools spitting out alert noise while the actual attacks slip by, the answer is obvious.
Within the increase in IT security spending is a corresponding uptick in money paid to managed services providers. These are experienced security professionals who conduct vital services such as threat hunting or detection and response for their customers, allowing companies without a security operations center to take advantage of one.
Managed detection and response is the core service on offer here. MDR allows organizations without a SOC to leverage endpoint detection and response tools without needing an internal resource to investigate the average of 10,000 alerts per day an EDR tool generates.
Vendors have benefited substantially from this increase in spending on MDR services. But have they helped reduce risk overall? The answer appears to be no, as the cost of cybercrime continues to increase; in 2019, RiskIQ identified that cybercrime costs enterprises $2.9 million every minute. This works out to $1.5 trillion for the full year, with a number that’s only going to increase.
Beyond MDR to detect and mitigate potential damage, CISOs have spent thousands of dollars on platforms that amount to fancy mousetraps and slick user interfaces without any appreciable risk reduction. All the additional spend on things like EDR and advanced threat hunting has done is increase the cost and complexity in most organizations.
The COVID-19 pandemic has exposed a lot of the budgeting failures in information security. As entire workforces shifted to working from home at the same time, and the use of virtual desktops skyrocketed, CISOs and CIOs confronted absolute security anarchy.
Remote employees were suddenly outside the additional security layers of the corporate network, including those with access to critical information. This left them open to attacks that network security platforms and other corporate-deployed security stacks couldn’t prevent. VPNs and VDI could counter some of the issues, but not everyone had or could deploy those solutions quickly.
Ultimately, security teams were left with security stacks that didn’t function properly with distributed workforces, the reality they confronted as COVID-19 brought entire economies to their knees.
This exposed the rotten truth that cybersecurity spending is too fat and is wasted on slick user interfaces where CISOs can make it appear as if they’ve reduced security risk, when the reality is that the organization is still as much at risk as it was before COVID.
Simply put, there is too much spending and not nearly enough ROI for the money.
Cybersecurity spending is likely to go down as economic conditions continue to worsen. Gartner has already recognized this; they revised their guidance for spending increases down from 8.7% to the 2.4% growth rate that they’re now expecting.
With the lack of ROI to show for the investment, cybersecurity and IT teams are going to be forced to make budgetary decisions. One of the quickest ways to reduce spending is to look at redundant tools. Windows 10 machines have the leading antivirus program already built-in, so there’s little reason to continue paying money to a third party for what amounts to a compliance control.
Antivirus isn’t the only endpoint protection solution either. Platforms like our new Morphisec Guard solution are designed to secure critical infrastructure against advanced attacks without expensive services spend or false positives requiring a dedicated security resource to investigate.
COVID-19 has revealed some critical mistruths in a lot of popular narratives about cybersecurity. One of the biggest is that spending more money on fancy new tools automatically means that your security will improve. If that were true, then as cybersecurity budgets increase we’d see a corresponding decrease in the cost of cybercrime.
We haven’t seen that decline, which leads me to believe that spending more and getting better security is a lie the vendor community told for its own benefit. Something has to be done differently; otherwise, spending will continue to increase and organizations will be no safer than before.