Security – a never ending money pit!
I’m sure you’ve either been on the receiving end of a request for more money for security measures or on the asking end. In either role it’s hard to understand where the “need” will stop or how to control it effectively. After all – layered defense is best, and the risk is real – so can you ever have enough security? Also, with GDPR the penalty to a business if you leak someone’s personally identifiable information (PII) can be crippling – €20 million (approx £17.8 million) or 4% of annual global turnover – whichever is greater. I’m not suggesting for a moment that this is wrong – there is a need to hold businesses accountable for data loss / theft when they have been negligent.
But how do you determine where to stop?
Firewalls, reverse proxies, DDOS defences, antivirus, SIEM, dark web monitoring, phishing protection, user education, the list just goes on and as the attacks get more sophisticated the defenses multiply and increase in cost.
I’m not sure I have all the answers to this conundrum but I want to talk through some implications of the risk vs spend problem and possibly reach some general principles at the end.
More Tools leads to More Staff
For some time now I’ve been aware of and thinking about a balancing act –
Security Tools & Visibility: The more you spend on security tools the more you potentially see and have an obligation to act upon
Staff & the ability to act: The more you spend on security staff the more security events you are able to act upon.
Unfortunately this balancing act isn’t a “see saw” type – it’s not that the more you spend on tools the less you need to spend on staff.
This balancing act is more like the relationship between the weight a car needs to carry versus how strong its suspension and engine needs to be – the more events the security tools tell you about the more staff you need to respond to those events.
Where to stop?
My question then is –
Where is the right balance? At what point do I stop spending on security tools? At what point do I stop spending on security staff?
Some organisations might take the approach that they would rather have plausible deniability. If you don’t know about it you cannot be responsible for it – but this is at the least weak, and at most criminal.
Marriott hotels hired as their CISO someone who didn’t really know much about ICT Security – but this didn’t seem to make any difference to their culpability when they were breached – nor did it prevent their CISO from leaving the business.
In practice I think plausible deniability doesn’t help an organisation – it just allows blame shifting perhaps within an organisation and might save someone’s hide. But if you are responsible for the security then this approach won’t save your hide in the event you suffer a breach. There must be a better approach.
Risk based spending?
Some people believe that a risk based approach is best – quantify the risks presented by various cyber threats and spend based on the risk profile. I think this is sensible but it relies upon the organisation being able to reach a decision on which cyber threats present an “acceptable” risk and which don’t. The problem is that most organisations don’t start out saying:
“Well, we’re going to be breached – it’s inevitable – so let’s spend some money on mitigating the risk.”
Rather organisations are more likely to start out saying something like:
“Well, it’s not certain we’ll be breached; if we are, the theoretical maximum cost of the breach could be £x million, and to defend against this will cost us £y. So let’s spend somewhere between nothing and £y.”
Then the organisation will make a “risk-based” decision not to spend any more on their cyber security.
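To make the contrast between the “theoretical maximum cost” view and a genuinely risk-based one concrete, here is a small worked example added to this post (it is not the author’s or AMDH’s tool). It uses the standard annualised-loss-expectancy method: each threat scenario gets a single-loss estimate and an expected annual rate, each candidate control gets an annual cost and the fraction of that scenario’s expected loss it removes, and controls are ranked by return on security investment. The GDPR cap from the opening paragraph is included as a separate upper-bound function. All scenario and control figures are constructed illustrations, not data from the post.

```python
from dataclasses import dataclass


# Figures quoted in the post: EUR 20 million or 4% of annual global turnover,
# whichever is greater.
GDPR_FIXED_CAP_EUR = 20_000_000
GDPR_TURNOVER_FRACTION = 0.04


def gdpr_maximum_fine_eur(annual_global_turnover_eur: float) -> float:
    """Upper bound on the regulatory penalty for a PII breach under GDPR."""
    return max(GDPR_FIXED_CAP_EUR, GDPR_TURNOVER_FRACTION * annual_global_turnover_eur)


@dataclass(frozen=True)
class Scenario:
    """One threat scenario expressed in annualised-loss-expectancy terms."""
    name: str
    single_loss: float   # cost of one occurrence (GBP): response, downtime, fines
    annual_rate: float   # expected occurrences per year (ARO)

    def ale(self) -> float:
        # Annualised loss expectancy = single loss expectancy x annual rate
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A candidate spend item and the scenario it mitigates."""
    name: str
    annual_cost: float
    mitigates: str         # Scenario.name
    risk_reduction: float  # fraction of that scenario's ALE the control removes


def avoided_loss(scenario: Scenario, control: Control) -> float:
    if not 0.0 <= control.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be in [0, 1]")
    return scenario.ale() * control.risk_reduction


def rosi(scenario: Scenario, control: Control) -> float:
    """Return on security investment: (avoided loss - cost) / cost."""
    return (avoided_loss(scenario, control) - control.annual_cost) / control.annual_cost


def rank_controls(scenarios, controls):
    """Order controls by ROSI, best first; each tuple is (control name, rosi)."""
    by_name = {s.name: s for s in scenarios}
    ranked = []
    for c in controls:
        if c.mitigates not in by_name:
            raise KeyError(f"control {c.name!r} mitigates unknown scenario {c.mitigates!r}")
        ranked.append((c.name, rosi(by_name[c.mitigates], c)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def worst_case_exposure(scenarios) -> float:
    """The 'theoretical maximum cost' view the post describes: largest single loss."""
    return max(s.single_loss for s in scenarios)


def total_ale(scenarios) -> float:
    """Expected loss per year across all scenarios, before any new controls."""
    return sum(s.ale() for s in scenarios)


# Constructed sample figures (hypothetical), not from the post or any real organisation.
SCENARIOS = [
    Scenario("phishing credential theft", single_loss=500_000, annual_rate=0.5),
    Scenario("ransomware outage", single_loss=2_000_000, annual_rate=0.1),
]
CONTROLS = [
    Control("MFA on all remote access", annual_cost=40_000,
            mitigates="phishing credential theft", risk_reduction=0.8),
    Control("EDR platform", annual_cost=150_000,
            mitigates="ransomware outage", risk_reduction=0.5),
]

if __name__ == "__main__":
    print(f"worst case single loss: £{worst_case_exposure(SCENARIOS):,.0f}")
    print(f"expected annual loss:   £{total_ale(SCENARIOS):,.0f}")
    for name, r in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name:28s} ROSI {r:+.2f}")
```

With these constructed numbers the worst-case figure (£2 million) is more than four times the expected annual loss (£450,000), which is exactly the gap that makes “spend somewhere between nothing and £y” feel reasonable to a board. Ranking by ROSI shows a different picture: the cheap control with a large rate reduction pays for itself several times over, while the expensive one does not at the assumed effectiveness, so the same budget discussion becomes “which controls are worth it” rather than “how much less than £y can we get away with”.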
A Pragmatic Approach
How do you move an organisation from believing a breach is inconceivable to believing a breach is almost a foregone conclusion? I think this has to be partially done by working through the risks and their cost implications if they occur. And how do you do that? Someone who understands the potential risks – i.e. what could happen – along with understanding the data the business holds and the impact of that data being lost or exfiltrated needs to work through the various scenarios and then present this to the business’s board or senior leadership. They then need to take a decision on what risk they believe is palatable or survivable and what risk is not, along with how much money they are prepared to allocate to mitigating the unacceptable risks.
In practice you can’t prevent your organisation from being attacked but you can make your organisation less appealing than the next organisation in terms of a planned attack. I.e. if the industry standard for your particular sector is to have a perimeter firewall and antivirus on all machines but you have a perimeter firewall, antivirus, and something else then you will be above the bar in comparison to your competitors and thus less attractive to hackers looking for a quick win.
Any approach developed needs to contain both preventative measures and reactive measures – generally the more you spend on preventative measures the less you will need to spend on reactive measures. But sometimes the border between these blurs – for example, preventative tools purchased to identify and if possible automatically contain a breach, when they aren’t able to contain the breach, will need to alert a staff member to the breach for that staff member to respond reactively.
The right kind of tools
In general highly skilled staff are very expensive. This is also true in terms of cyber security – staff who are adequately trained around how to trace a breach and close it don’t come cheap. As such you want to make sure that where possible tools you purchase are able to respond automatically to threats and have the ability to learn and respond to new threats.
Tooling that identifies threats – potentially thousands of threats – but doesn’t group them together in an intelligent, automatic manner and isn’t capable of responding to a large proportion of them is going to make the job you’ve given to your ICT security staff impossible. You need to select the tools you invest in with care to minimize the workload on your staff.
The right kind of staff
Your Cyber Security staff – the staff on the front line of the fight against a breach – need to be staff that are highly technical, capable of intensive focus for a prolonged period of time, and who are adequately protected from other work – this should be their primary focus. You should allow them to have proper and regular training in order to ensure they keep up to date with the latest threats. This means that they cannot be viewed like service desk staff who just need to respond to tickets – they need to be given time to keep up to date, time to understand how a new threat works. They need to be working with your ICT architecture team to ensure that new threats are, where possible, mitigated through design and configuration changes rather than reacted to in an ad hoc manner when they are actually exploited.
There need to be sufficient numbers of them to avoid burnout and to provide time for them to not be continually fighting to keep up.
There needs to be sufficient tooling such that they are only dealing with the most challenging of the threats – the others should be handled by the tools and service desk staff without needing significant effort from the security team.
How we can help
You know best what is typical in your industry but you don’t always know what is industry best practice or what are the best and most cost-effective improvements you can make to your ICT security. Sometimes working with a consultancy like AMDH can help you to understand better what threat vectors exist (how a hacker would gain access to your environment) and understand better how to defend against those. We work in partnership with our customers to help them understand how to better defend themselves and make themselves less appealing as a target.
Why not call us today to arrange an initial discussion?