6 Security Investments You May Be Wasting
Not all tools and services provide the same value. Some relatively low-cost practices have a major payoff while some of the most expensive tools make little difference.
Security budgets are growing and so are security costs, with drivers coming from all sides: data breaches that are more frequent and more expensive to remediate; preventative technologies that are costly to buy and maintain; and talent that remains both pricey and hard to find.
On a positive note, businesses today are better at understanding risks and allocating more of their attention and IT budgets (23%) to cybersecurity. Enterprises, as reported in new Kaspersky Lab research, believe their security budgets will grow by 15% over the next three years, as do businesses with fewer than 50 employees. SMBs are about the same, anticipating 14% growth in security spend by 2021, according to Kaspersky Lab.
But despite larger budgets, security teams still struggle to make ends meet. Increasingly advanced tools are expensive to buy and, oftentimes, more expensive to run. Enterprise victims allocate most ($193,000, on average) of their post-breach spending toward improving software and infrastructure, and SMBs hit with breaches spend $15,000 on the same expense, according to Kaspersky.
Maintaining advanced technology is also a challenge due to the growth of complex infrastructure and lack of both organizational and technical ability to manage it. More than one-third (34%) of organizations say the intricacy of IT systems is driving investments; the same amount say improving security expertise is a motivation to spend, according to Kaspersky.
The reason: many security technologies simply aren't worth their cost without the right resources to implement and run them, observes Tom Parker, group technology officer at Accenture Security. Oftentimes what Parker describes as "comfort purchasing" makes companies feel good about the money they spend on new technology and lures them into feeling confident they're making the right moves.
"The biggest concern I have, honestly, is ... [about the] false sense of security organizations often get by buying technology and not having a well-considered view of how that technology is performing in their environment," Parker adds.
Here, experts point to security technologies and processes that require more investment to be worth their cost. Not all tools and services provide the same value. Some relatively low-cost practices can have a major payoff; some of the most expensive tools make little difference.
Are there any components to your security strategy you felt haven't been worth their high cost? Feel free to add to the conversation in the comments.
Every organization should have a security information and event management (SIEM) system, says Parker, whether you use a managed service or run everything in-house. The most important part in maximizing the value of a SIEM system is developing the necessary custom content. "The value of the data going into there is key," he adds.
Your environment will be unique from all other environments using the same SIEM tool, Parker explains. While buying a SIEM is a good first step, the return on your investment will only be recognized if you architect it well and create the right content for it. This means having a strong architect or team to develop custom content and gain visibility into endpoints and cloud environments. Many companies deploy a SIEM and have limited visibility because they only look at endpoint detection or firewall logs, says Parker. As a result, the value they gain is disproportionate to the amount spent on their system.
John Pironti, president at IP Architects, also points to the importance of keeping the SIEM updated with relevant content to maximize value. "The problem with SIEM is SIEM gets stale," he explains. If you want to get the most out of your SIEM, you need to stay attuned to business logic, evolving activity, and changes in operational models, programs, and applications. Adversaries are changing tactics, and security teams need to stay updated with their monitoring and SIEM systems to be aware of threats on the horizon.
Data loss prevention (DLP) and network analytics tools are not implemented as widely as they should be, says Parker. An attacker only has to be right once; defenders have to be right all the time. If you have 20 different Internet gateways and only have monitoring devices on 15 of them, an attacker will still be able to exfiltrate data or bring malware and exploits into your environment.
This is especially relevant to large companies with complex networks and several gateways, he continues, noting that, oftentimes, DLP tools aren't deployed comprehensively because the organization lacks funding and talent. Many clients are catching onto this and adjusting their strategies accordingly. According to Parker, one CIO he knows halted security spending until the business saw a return on investment for the tools and systems they already purchased.
Parker encourages executive leaders approving budgets to have a rigorous methodology for maximizing the ROI for their security spend. The process should measure how widely solutions are being deployed and record metrics around how the tech has increased resiliency across the enterprise, he says.
Many businesses have made initial investments in endpoint detection and response (EDR) tools but lack the experts to properly manage them, driving their value down. The security skills shortage is driving up salaries and increasing costs for client organizations, says Parker.
"It's very easy to go buy an EDR," he says. "It's not so easy to hire a team of experts that know how to use EDR, how to implement it and manage it, and fully use that technology." This is why when companies sell EDR, they often sell a managed EDR service on top of it, he points out.
At the lowest level, an expense of running EDR is the skill of knowing the technology - having knowledge of the product and how it works. On top of that, assuming the tool has been implemented correctly, businesses also need a team of people who can manage the output of that tool and effectively respond to incidents. Without these skills, you're hardly maximizing the value of the EDR, according to Parker.
"You should be considering your ability as an organization to retain the right skills to make that investment effective and ultimately get the ROI for the money you're spending," he says.
Identity and access management (IAM) is "very process oriented, it's not very tech-oriented," says Pironti. "It often falls by the wayside if it's not properly monitored."
IAM is an issue all businesses must contend with, especially with the growing number of devices in their environments, and applications used by employees. However, IAM is also a process and the biggest challenge is staying on top of transfers and changes, Pironti explains. If you don't properly manage these, you don't maximize the effectiveness of IAM and you put your enterprise users and data at risk.