More Money, More Problems? The Reality of Cybersecurity Spend

April 17, 2024

Written by KJ Stillabower, Executive Advisor


Regardless of their security maturity, most organizations feel they are under-investing in cybersecurity.

But are they? Or is it more about investing effectively instead?


At a Glance:

  • Enterprises are on their third or fourth lifecycle of security evolution, having faced multiple “wake-up calls” over the past 20 years.

  • Security budgets are cyclical, and organizations often spend through fear and reacting to headlines, driving significant inefficiency.

  • Opportunities exist to tailor an enterprise strategy to focus on specific threats, reducing cost and improving outcomes.

  • Balanced and tailored approaches leave businesses not only more secure, but also better able to respond to market opportunities and to provide a better user experience.


Nearly every day a new story details another cyber disaster: a hospital crippled by ransomware, or nation-state espionage carried out with advanced malware. In an ever-evolving threat landscape, it is easy for organizations to be overwhelmed by the threats they face, both real and perceived. Gartner says nearly a quarter of a trillion dollars will be poured into cybersecurity this year in pursuit of impenetrable defenses. Yet the reality on the ground often looks different: overwhelmed security teams, sprawling digital estates, and a sense of fighting an unwinnable battle. That raises the question: are we equipping ourselves with the right tools, or merely adding to the noise?

Know Your Threat Model

At the heart of any effective strategy lies an understanding of the situation you are likely to face. Security is no different: an in-depth understanding of your threat landscape is the first, and most commonly overlooked, step in the process. It is not enough to acknowledge that threats exist; you need to know which threats are most likely and most damaging to your organization. The threats facing national utilities, financial exchanges, defense suppliers, and health insurers are all real, but vastly different.

A large utility faces sophisticated actors aiming to disrupt the power grid, which poses not just corporate risk but health, safety, and national security challenges. Contrast this with a financial exchange, where the primary concern is the integrity and availability of trading systems, making it a prime target for criminals looking to manipulate markets or steal sensitive financial data. A defense supplier guards against espionage and sabotage aimed at compromising supply chains or stealing sensitive defense technology, where the impact goes beyond financial loss to national security. A health insurer holds vast amounts of personal health information, making it a target for criminals intent on identity theft and fraud. The motivations and impacts differ, but each faces real and serious threats that require a tailored approach to prevention, detection, and response.

At its core, a threat model is a structured way of identifying, assessing, and addressing the threats specific to your organization's assets, operations, and objectives. It is not a one-size-fits-all checklist but a tailored framework that reflects your particular vulnerabilities, the capabilities of your likely adversaries, and the potential impact of a successful attack. By understanding what you are up against, you can prioritize defenses against the most significant risks and allocate security resources where they are needed most.

Strategic Allocation: Optimize for Effectiveness

A fundamental principle in effective cybersecurity management is the ongoing assessment of the effectiveness of security controls. These controls, crucial in safeguarding an organization's digital assets, can often have unintended impacts on other security principles. For example, measures that enhance confidentiality, such as stringent access controls, might inadvertently reduce system availability, impacting user experience and productivity. Moreover, security controls that were cutting-edge and effective years ago may no longer provide adequate protection against current threats due to advancements in attack techniques and technologies. This obsolescence underscores the necessity of not only implementing but regularly reviewing and updating security controls to ensure they remain effective without compromising other critical aspects of security, such as availability and integrity. Without such periodic reassessments, organizations risk employing outdated or misaligned controls that do more harm than good, leaving critical assets vulnerable and potentially impacting business operations.

With vendors calling every day to offer the latest AI-powered system that will solve all your problems, the temptation to equate more spending and more tools with better security can lead organizations down a costly and ineffective path. Successful organizations instead apply their threat model and a few foundational principles to their most impactful security concerns, concentrating resources on measures that directly address identified risks. For large enterprises, where the scale and complexity of digital operations amplify the stakes, this approach is not just prudent; it is essential. A large enterprise has thousands of systems and even more users, each a potential point of entry that has to be defended. Defenders must hold every vector every time; attackers need only get lucky once.

By investing in high-quality, targeted measures, organizations can concentrate their defenses where they matter most and ensure that every dollar spent improves their posture against the most critical threats. Controls that have become obsolete should be retired as new ones are added. The challenge lies in discerning which investments will yield the best outcomes. That requires a deep understanding of the organization's threat landscape, a task that goes beyond technical rules of thumb to encompass the broader business context. For instance, a large electric utility might prioritize securing its operational technology (OT) infrastructure, recognizing that a breach there could have dire consequences for public safety and national security. A financial exchange facing high-speed, sophisticated market manipulation would benefit more from real-time monitoring and anomaly detection. These decisions underscore the importance of a nuanced approach to cybersecurity spending, one that aligns tightly with the specific risks and operational priorities of the organization.

Moreover, the focus on evaluating effectiveness in cybersecurity extends to the human element of security. Investing in employee training and awareness programs can significantly enhance an organization's security posture, often at a fraction of the cost of advanced technical solutions. A well-informed workforce can act as the first line of defense, adept at recognizing and mitigating potential threats before they escalate. Similarly, establishing a strong culture of security across the organization can reinforce the importance of cybersecurity measures, ensuring that security becomes a shared responsibility, not just a technical challenge for the IT department. By prioritizing these high-impact, cost-effective strategies, organizations can achieve a more robust and resilient cybersecurity posture, effectively turning the principle of "Quality Over Quantity" into a tangible competitive advantage.

The landscape is continuously changing, and what was effective years ago may no longer be. Effective programs continuously measure whether their controls are meeting their objectives, and doing so sustainably. A large conglomerate deployed an AI-powered network solution expecting it to make the team more effective at managing the network. Although the product was highly reviewed and the most capable in its category, after a year it emerged that the management overhead was higher than before, and there was no evidence that it was preventing any more attacks than the traditional static solution it replaced.
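As an added illustration (not from the original article, and not Windval's own method), the following Python sketch puts the threat-model-first allocation argued for above into numbers. Each threat carries an annualized loss expectancy (frequency times loss per event), each candidate control carries a yearly cost and the fraction of specific threats' expected loss it removes, and controls are funded greedily by marginal loss reduction per dollar, re-evaluated after every pick so that two controls covering the same threat are not double counted. A control whose reduction does not cover its own cost is never funded, whatever the budget, which is the position the AI network product in the anecdote above turned out to be in. Every threat name, frequency, loss figure, control cost and reduction percentage is constructed for the example.

```python
"""Ranking security controls by expected-loss reduction per dollar.

Added example, not from the article. Every threat, control, frequency,
loss figure and reduction fraction below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    annual_frequency: float  # expected incidents per year (constructed)
    loss_per_event: float    # expected loss per incident, in dollars (constructed)

    def ale(self) -> float:
        """Annualized loss expectancy: frequency x single-event loss."""
        return self.annual_frequency * self.loss_per_event


@dataclass
class Control:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's remaining expected loss removed
    reduction: dict[str, float] = field(default_factory=dict)


def total_ale(threats: list[Threat]) -> float:
    return sum(t.ale() for t in threats)


def allocate(threats: list[Threat], controls: list[Control], budget: float):
    """Greedy allocation by marginal loss reduction per dollar.

    Reductions apply multiplicatively to the residual expected loss, so a
    second control on the same threat is credited only with what is left.
    Controls that cost more than they remove are never funded.
    Returns (chosen control names in funding order, spend, residual ALE).
    """
    residual = {t.name: t.ale() for t in threats}
    remaining = list(controls)
    chosen: list[str] = []
    spent = 0.0
    while True:
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.annual_cost > budget:
                continue
            gain = sum(residual[n] * r for n, r in c.reduction.items() if n in residual)
            if gain <= c.annual_cost:  # net-negative: skip regardless of budget
                continue
            ratio = gain / c.annual_cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        chosen.append(best.name)
        spent += best.annual_cost
        for n, r in best.reduction.items():
            if n in residual:
                residual[n] *= (1.0 - r)
        remaining.remove(best)
    return chosen, spent, sum(residual.values())


# Constructed threat model for a hypothetical utility; numbers are illustrative.
THREATS = [
    Threat("ransomware", 0.5, 2_000_000),
    Threat("phishing credential theft", 4.0, 50_000),
    Threat("OT disruption", 0.05, 20_000_000),
]

# Constructed candidate controls with hypothetical costs and effects.
CONTROLS = [
    Control("AI network anomaly platform", 500_000,
            {"ransomware": 0.10, "phishing credential theft": 0.10}),
    Control("MFA everywhere", 150_000,
            {"ransomware": 0.50, "phishing credential theft": 0.70}),
    Control("Offline backups with tested restore", 120_000,
            {"ransomware": 0.40}),
    Control("OT network segmentation", 400_000,
            {"OT disruption": 0.70}),
    Control("Security awareness training", 40_000,
            {"phishing credential theft": 0.30, "ransomware": 0.10}),
]


def run_example(budget: float = 800_000):
    return allocate(THREATS, CONTROLS, budget)


if __name__ == "__main__":
    chosen, spent, residual = run_example()
    print(f"Starting ALE: ${total_ale(THREATS):,.0f}")
    for name in chosen:
        print(f"  fund: {name}")
    print(f"Spent ${spent:,.0f}, residual ALE ${residual:,.0f}")
```

With the constructed figures and an $800,000 budget, the greedy pass funds MFA, OT segmentation, awareness training and tested backups, spends $710,000, and leaves about $612,000 of a starting $2.2 million in expected annual loss; the $500,000 anomaly platform is skipped at every budget because the loss it would remove never exceeds what it costs. The model is deliberately crude (point estimates, independent threats, no availability or productivity side effects), but it makes the allocation argument explicit and auditable rather than driven by whichever vendor called last.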

Effective Cybersecurity Is Not Always Flashy

The allure of cutting-edge technology can be nearly irresistible. In a world where new threats emerge by the minute, it is tempting to gravitate toward the latest, most talked-about solution in the hope that it will be the silver bullet. Inventors, startups, marketers, and all manner of forces are trying to get your attention to buy their new thing, largely because there is no money to be made in the old thing. Similarly, many in security love to focus on 0-days, novel malware injection techniques, and the excitement of running a red team. This fascination with the "sexy" side of cybersecurity should never distract from the foundational practices that form the bedrock of any robust security posture. It is crucial to strike a balance, integrating innovative solutions where they add tangible value while maintaining a steadfast commitment to the essentials: employee training, documentation, regular updates, audits, and a security culture that permeates every level of the organization.

As you navigate the complex web of cybersecurity, remember that the goal is not to eliminate risk altogether, an impossible feat, but to manage it intelligently and sustainably. That means taking a step back, assessing real needs, and committing to a strategy that is both realistic and aligned with your threat landscape. The objective is to shift the conversation from how much is being spent to how wisely those dollars are invested. No matter the size of the budget, there will always be another tool, another analyst, or a new process that the business cannot accommodate. Ensuring that initiatives are well targeted and effective frees up resources to address the new threats that evolve every day.

How Can We Be More Effective?

Understanding the balance between innovation and foundational practice, the importance of a clearly understood threat model, and the necessity of regular effectiveness assessments are all pivotal in navigating the cybersecurity landscape. As you refine your approach, these self-assessment questions can help confirm that your current initiatives are aligned and effective, and guide your next steps:

  • Is our cybersecurity strategy tailored to the specific threats we face, or are we following a generic model? How well do we understand our unique threat landscape?

  • Have we identified and prioritized the assets most critical to our operations? Are our protection efforts aligned with the potential impact of different threats on these assets?

  • Do we have a clearly documented cybersecurity strategy? If so, when was the last time it was thoroughly reviewed and updated?

  • Are we confident in the effectiveness of our current cybersecurity spend? Is it transparent and aligned with our most pressing security needs?

  • Have we established foundational principles and metrics to guide effective and efficient use of our cybersecurity resources going forward?

As you consider the above questions and generate conversation among your security teams and IT stakeholders, you may be challenged to provide answers that are aligned with the security objectives of your organization. At Windval, we understand that building a pragmatic, strong cybersecurity posture that mitigates risk and balances appropriate investments can be difficult. Our team of executive advisors and cybersecurity experts welcome the opportunity to learn more about your environment and continue the discussion.
