Enterprises misaligning security budget, priorities
Imagine paying for a small lock on your house every year. Burglars continue to break in despite what you think is a strong security deterrent. You spend the same amount every year on this inadequate security despite the different products on the market that promise to protect your home better.
This is what some security experts believe enterprises are doing on a larger scale. Those on staff who are doing the budgeting might blindly write the same amount into the security line every year. Or the C-suite might handcuff the security personnel with a tight budget that doesn’t allow for expansion into new security products.
Mike D. Kail, Chief Innovation Officer at Cybric, said the topic of increasing cybersecurity budgets seems to be in the news every day, but unfortunately there also seems to be a large-scale breach to match that. “Tactical purchasing of point-solution tools is not helping, and CIOs/CISOs need to start investing in strategic platforms and frameworks."
451 Research found a misalignment between current threats and the appropriate defenses needed to truly protect an organization’s assets from compromise. To the extent that security spending continues to increase each year, a defensible argument could be made that, at worst, much of that money is being wasted or, at best, not adequately allocated.
“Simply put, as our corporate boundaries become increasingly porous and our resources are on the move, traditional endpoint and network security approaches are no longer sufficient in and of themselves,” 451 writes in its report.
Dan Burke, vice president at Globalscape, said the issue is a version of “if it ain’t broke, don’t fix it,” but the problem is that too many organizations don’t know that their security is vulnerable. They may have even been breached, but simply don’t know it yet.
The threat environment is sophisticated and constantly changing, requiring that companies constantly adjust the layers of their security architecture based on new and evolving threat vectors and actors, Burke said. Companies may still be relying on traditional firewalls even as more employees and systems go mobile or as workloads move to the cloud, or running antivirus with the belief that it will stop sophisticated attacks or phishing.
“Then there’s the risk in trying to squeeze a few more miles out of obsolete tech, like an unsupported OS or unpatched applications,” he said.
Nir Polak, CEO and co-founder of Exabeam, said, "We have not seen a period where security teams are as hamstrung by legacy costs as they are today. This is primarily because effective analytics requires data capture, and all of the leading solutions for data collection and search are priced based on the amount of data collected. This didn’t matter so much 10 years ago, but as the volume of generated security data has grown, data management costs have overrun security budgets."
Javvad Malik, security advocate at AlienVault, said enterprises are often poor at removing security products that are no longer needed, although, given the number of legacy systems in use, the problem extends beyond security.
“Shelfware is a problem in security,” he said, referencing research he presented at RSA a few years ago.
“It showed that many enterprises purchase security products but then never actually properly implement them and leave them on the shelf. Many times, blinded by shiny new products, enterprises can overlook the capabilities already present within the products they have. So rather than buying another tool, it's better to trim and streamline the existing portfolio.”
Mike Eisenberg, vice president of CISO Services at Optiv Security, concurs. “We definitely see organizations that have bought a product, say, six months ago, and it hasn't even been taken out of the box. Or, if the product has been implemented, it's not being used properly. And, even if it is being used properly, the organization is not tracking its effectiveness. This leads to products becoming outdated or just plain ineffective. You can see where resources are being wasted and how security programs suffer.”
Research from 451’s Voice of the Enterprise survey on cloud computing shows that the security tools that are most important in the ‘old world’ — firewalls, anti-malware, etc. — are less relevant in the cloud.
Sam Curry, chief product officer at Cybereason, says security is like the growth of a coral reef over time with new growth happening on the calcification of older coral. The whole pushes out over time with the volume growing. “Here’s how a typical CISO plans a budget: someone from the CFO’s office says 'time to do your budget for next year, so I took your spend from this year and moved it forward ... and you have to cut x percent' and then the negotiations start.”
Security products have technical debt to address, he said, and have to add new “enterprise features” and facilitate what he calls “security hygiene” more and more (like aiding audit policies, supporting new platforms, checking for security policies on authentication attempts or logging and so on). “Meanwhile, the bad guy is adapting and finding ways around this. The net result is that the older security products aren’t innovating and tend to become more security hygiene focused and part of the legacy, statutory spend,” he said.
The newest tools are those that are at the cutting edge of stopping bad guys. The struggle for the CISO is to free up discretionary money to make some bets on these high-risk tools.
“The best CISOs are the ones that put pressure on the low-value, high-cost incumbents to make a few bets on new, cutting edge, less mature offerings that can actually stop bad guys,” Curry said. “Commodities should experience tremendous price pressure, so ignore brand, ignore hype, ignore the footprint they have in your IT environment and put them through the grinder to make the spend proportional to the value and make more bets on the new, young, colorful coral growth in the security game.”
Richard Henderson, global security strategist at Absolute, said security spending decisions aren’t always clear cut. "While there are some rare, highly publicized exceptions in high finance, where security staff have been told they have a virtual blank check for security tools, enterprise security teams have limited budgets and have to pick and choose how their dollars are being spent.”
"The real question that CSOs and CISOs need to answer is how effectively the budgets they have are being spent. Would the hundreds of thousands of dollars they spent on a best-of-breed tool have been better spent on another tool from another vendor that may not have scored quite so high on Gartner’s Magic Quadrant, but integrates much better and easier with their current security infrastructure? How much extra cash is it going to take to get an existing team up to speed on deploying, monitoring, tweaking, and tuning the new shiny tool? What’s going to deliver better long term return on investment?" he said.
Yitzhak (Itzik) Vager, vice president of Product Management and Business Development at Verint Systems, said many companies tend to spend too much time and resources on selecting best-of-breed point tools, without taking into account how they fit in and work within their existing security infrastructure.
“Fighting today’s sophisticated threats requires a holistic approach. Companies are better served if they invest in a unified platform integrating multiple tools to provide complete visibility across the threat chain. Even better, the platform will be completely automated, more quickly detecting, investigating, and halting most attacks, allowing cyberanalysts to focus on stopping more complex attacks,” Vager said.
Simon Taylor, vice president of products at Glasswall, said the larger corporations are caught in a cycle of security spending that they can't break.
“Despite the industry’s own admission that they cannot prevent a zero-day attack and that the cyber criminals are always one step ahead, no one wants to be the C-level executive that turns off the current failing border security. In fact, the trend has been to add ‘more bricks in the wall,’ or layers of security in the hope that at least one of the products can prevent a targeted attack,” he said.
While there is complacency in some sectors at the board level, Taylor said, change is coming in the EU with the impending General Data Protection Regulations taking effect in 2018 and the recent announcement of tighter cybersecurity regulations affecting the financial sector in New York State. “If the businesses don’t get their act together fast enough, regulators on both sides of the Atlantic will be forcing the issue,” he said.
Markus Jakobsson, chief scientist at Agari, said there are several reasons why enterprises are not updating their security technologies at a fast enough rate. There is a lack of prioritization and awareness across the C-suite about today’s security risks and the technologies needed to address them. Updating a company’s technology is a big process and financial investment, so all company executives need to be on board and champion these initiatives from the outset.
“There is also a lot of reluctance from enterprises with changing their security technologies because their strategies are negatively reinforced. If a company has never suffered a breach, their technology must be working, right? Why change it?” he said. “This type of attitude is extremely dangerous given today’s rapidly evolving threat landscape. It’s not a matter of if, but when, a company will suffer an attack.”
Ajit Sancheti, CEO and co-founder of Preempt, said "If you assume that most enterprises have been breached, then security strategies have to include spending on software that can identify threats on the internal enterprise network. Many security professionals believe they can identify and prevent these threats at the perimeter and are focusing their budget there. That strategy is flawed. One breach can negate all of that spending."
Jason Macy, CTO of Forum Systems, said too many enterprise organizations are committed to a legacy posture and an umbrella approach to cybersecurity. “Threat vectors have completely evolved and today’s defenses require both perimeter and internal security. While traditional solutions are a component of an overall cybersecurity strategy, a reliance solely on legacy technology puts organizations, customers and partners at substantial risk,” he said.
If a technology — such as antivirus, firewall, IDS, SIEM, access control, vulnerability scanner — hasn’t changed in a decade, what chance does it have to actually stop a modern threat, Curry asks. And at what point does carrying the massive weight of the security hygiene products actually create too much noise, distraction, blind spots and false security?
Has cloud changed the security spending landscape?
While the experts CSO Online consulted mainly agree that the traditional enterprise network needs to be maintained, there is also the move toward spending on the cloud and services. In many cases IT staff must try to bridge the old and new.
The IDC survey “Security Survey Analysis: Growing Interest in Data Security, Endpoint Security, and Network Security Products” looks at the conundrum facing security pros.
"It’s not that the security buyer is stuck in the past; it’s that they are forced to maintain existing architecture while developing a security story for the future. Given that budgets aren't growing lock-step with digital transformation, it’s an unenviable task to find ways of securing new architecture and service delivery models," said Sean Pike, Program Vice President, Security Products and eDiscovery Information Governance at research firm IDC.
John Morello, CTO at Twistlock, agrees that the cloud and Devops are changing enterprises’ operational approaches and technical architectures, but many organizations haven’t adapted their security spend to align with these trends. Instead, many organizations are locked into multi-year support agreements for perimeter firewalls and traditional desktop anti-virus that are largely irrelevant in a world where apps and data mostly exist outside the network.
Rohit Sethi, COO of Security Compass, thinks the bigger story around misaligned budgeting is that companies are allocating 4 percent of their budget to application security, yet security of their software — including that built by third-party vendors — is one of the largest risks according to the Verizon Data Breach Investigations Report. “Broad information security framework and compliance standards pay scant attention to application security which may be, in part, driving this budget allocation.”
Paul Querna, CTO and co-founder, ScaleFT, said security budgets have traditionally focused on protecting the perimeter, however the rise of cloud computing and the mobile workforce have broken down those walls. Companies that have recognized this have begun their own security transformation, redesigning their architecture from the inside out. This means that the spend will shift away from traditional products such as VPNs and firewalls to more cloud native solutions.
Not surprisingly, when vendors were asked what security technologies that were being underspent, they quite often cited the market their product lies in.
Todd Feinman, CEO at Spirion, said many budgets still have at least a small component of expense associated with security solutions indicative of older and outdated security methodologies. One example is traditional Data Loss Prevention (DLP) intended for data-in-motion network blocking.
“This approach is very focused on the perimeter and has not stopped data leaks consistently because it does not solve the root cause of the data loss problem – which is workstations and servers storing at-risk sensitive data. This traditional DLP approach is also error prone because it trades off accuracy in the form of false positives to achieve necessary perimeter data scanning speed,” he said.
Newer approaches emphasize using technology to discover where sensitive data lives – data that, if leaked, would cause reputation and/or financial damage. Sensitive data discovery solutions can also be complemented by automated classification solutions to tag data so it persistently identifies itself as confidential. Leveraging the discovery results ensures accurate classification without human involvement. Newer content management and endpoint protection solutions can then block confidential classified data with extremely high precision and help employees and organizations understand, control and protect their data better.
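The discovery-then-classify approach described above, as an added illustration (this is example code written for this page, not Spirion's or any vendor's product). It scans a set of constructed in-memory "files" for sensitive data, applies a Luhn check to card-number candidates so that a look-alike order ID does not become a false positive (the accuracy trade-off Feinman mentions), and derives a persistent classification tag per file from what was found. File paths, contents and the three-level label scheme are assumptions made for the example.

```python
import re

# Constructed sample "files" (invented contents, not real data).
SAMPLE_FILES = {
    "hr/payroll_2017.csv": "name,ssn,amount\nAlice Example,123-45-6789,5000\n",
    "finance/refunds.txt": (
        "Refund to card 4111 1111 1111 1111 approved.\n"
        "Order id 1234-5678-9012-3456 is not a card number.\n"
    ),
    "docs/vendor_contacts.txt": "Escalation contact: ops@example.com\n",
    "docs/build_notes.txt": "Build 2017-03-01 passed all tests.\n",
}

# US SSN with the structurally invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Card-number candidates: 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum; rejects most random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers that pass the length and Luhn checks."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_sensitive(text: str) -> dict:
    """Discovery step: locate each category of sensitive data in one file's content."""
    return {
        "ssn": SSN_RE.findall(text),
        "card": find_card_numbers(text),
        "email": EMAIL_RE.findall(text),
    }


def classify(findings: dict) -> str:
    """Classification step: derive a label from the discovery results (assumed scheme)."""
    if findings["ssn"] or findings["card"]:
        return "restricted"
    if findings["email"]:
        return "internal"
    return "public"


def tag_files(files: dict) -> dict:
    """Produce a persistent tag per path: label plus per-category hit counts."""
    tags = {}
    for path, content in files.items():
        f = find_sensitive(content)
        tags[path] = {
            "classification": classify(f),
            "counts": {k: len(v) for k, v in f.items()},
        }
    return tags


if __name__ == "__main__":
    for path, tag in tag_files(SAMPLE_FILES).items():
        print(f"{path:28s} {tag['classification']:10s} {tag['counts']}")
```

The order ID in `finance/refunds.txt` matches the card-number pattern but fails the Luhn check and is dropped, while the test card number `4111 1111 1111 1111` passes; the same content-level check is what lets a downstream endpoint or content-management control block "restricted" files with fewer false positives than a perimeter scanner that only has time for pattern matching.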
Ron Winward, security evangelist at Radware, said organizations feel that protecting data-at-rest is the most effective way to prevent a breach, yet it’s what they spend the least amount of money on. But are organizations really forsaking data-at-rest protection when they spend on network and endpoint solutions? Not exactly, he said.
Breaching an endpoint is a perfect way into a network, where once you’re in, your activity is masked to look like it’s coming from what are usually trusted IP addresses, he said. Endpoint security continues to be a critical part of protection strategies.
Network-based protection is also critical, but what has changed over the years is the level of protection that you can get, he said. First, anything at a perimeter that can dynamically track behaviors — including encrypted sessions like SSL/TLS — is a critical aspect of protection, especially as the majority of internet traffic moves to encryption. But these devices are also starting to include data and other multi-threat protections in them — even at the border.
There is also a tremendous amount of end-of-sale/end-of-life security equipment in the field, which organizations are refreshing now. The difference, though, is that many of the new devices going in, like Next Generation Firewalls (NGFW), would be classified as “network” devices, but are also capable of doing other services. Another obvious place to protect data-at-rest is with a Web Application Firewall (WAF) that can be placed in front of public-facing servers (or via cloud) and dynamically watch for misbehavior that can lead to breaches.
“When you break it down, there are many data-at-rest protections built into devices that might be classified as network or endpoint solutions. And buyers are concentrating spend here because they’re getting more for their dollar,” Winward said. “As organizations decide where they spend their budget, network devices like perimeter protection and/or WAF could still be the best solution because of those advancements. But the key is that the solution needs to be behavioral in order to properly protect them. Attackers are creative and the only way to stay ahead of changing threats is with behavioral, algorithmic responses.”
Layering more and more of the same type of products at the gateway does not incrementally increase the level of protection simply because traditional security products operate much the same way, eventually causing the costs to outweigh the returns on investment, Taylor said.
He continued that many corporations believe that the only alternative to traditional antivirus is sandbox technology, which can be expensive, resource hungry and difficult to manage in terms of threat reporting, as well as easily compromised.
“If border and desktop protection is failing, what’s the alternative? Cyber threats are not going to go away, we are dealing with a new frontier that is agile, well-funded, highly skilled, and for all intents and purposes, ‘only has to get it right once’ to compromise an enterprise,” Taylor said.
Rich Campagna, vice president of product at Bitglass, said Mobile Device Management (MDM) is one area where companies are spending on outdated security solutions. Current MDM tools are a good fit for managed devices, but changes in employee behavior and the move to cloud apps have led to the popularity of bring your own device (BYOD) programs. Control-oriented MDM tools have limited applicability for BYOD, primarily due to employee privacy concerns and complexity of deployment.
John Michelsen, CPO at Zimperium agrees that a focus needs to be placed on mobile. "Mobile is a clear area of vulnerability and yet many companies don't budget appropriately for mobile security until they are exposed to the reality of the threat.”
He said there is still a misconception that MDM will stop a hacker when it stops your own employees, not bad guys.
“Many of our customers have started by deploying zIPS [Zimperium's mobile intrusion prevention system app] into a pilot group to gather data on how vulnerable, at risk they really are. Once the lights are turned on and they see the reality, they quickly find budget and deploy to the rest of their devices,” he said.
Compliance is to blame
Security budgets are often closely tied to compliance and risk analysis that place too much emphasis on outdated sets of controls, said Jason Luce, CEO and co-founder, ScaleFT. “We know this because every week we read about another major incident in the news where it was likely that rubber stamp compliance was in place. IT departments within these companies who are actually responsible for implementing security measures are well aware that the world has changed around them, but are stuck checking off compliance boxes.”
Malik notes four approaches to security spending:
- Benchmark-driven (i.e., what is everyone else doing?)
“There is no right or wrong security product investment strategy. However, companies should identify the risk they can believe in, then find the evidence that they are addressing those risks, ideally with a security platform that can address a multitude of risks in one offering, as opposed to investing in a separate point solution to address each individual risk,” Malik said.
Kris Lovejoy, CEO at BluVector, said there is a shift away from data-at-rest solutions because the market is fragmented. CISOs are tired of buying “silver bullets” that not only don’t work as advertised, but completely “disable” business innovation. Anyone who has been on the other end of the “innovation vs. security” discussion knows who wins. This, combined with reality that “compliance” is no longer an excuse on which you can write a business case, means data security has become decidedly unsexy, she said.
With compliance also comes a call from the boardroom to follow standards and stay within budget. Taylor said business leaders need to accelerate the process of addressing cyber risk in the boardroom while applying proper management procedures as to how they will manage risk going forward. Among other things, this will involve setting a ‘new baseline’ for defense.
“They will need to fill the gaps in security at a new level, not more of the same layered security at the border, including ensuring the security of documents, which are the lifeblood of a company and the biggest threat vector for malware, particularly ransomware threats,” he said.
ThreatConnect CEO Adam Vincent said one culprit of this issue is the lack of communication, or fragmentation, between cybersecurity tools. While it can take mere minutes for an adversary to compromise a network, it can take an organization days, weeks, or more to detect it due to security tools not accurately and efficiently communicating.
"To reduce fragmentation and close the detection gap, companies need to focus their security investments into uniting people, processes and technologies in one place. Intelligence-driven cybersecurity platforms make this possible by eliminating silos, while also ensuring that threat intelligence information is shared efficiently between tools and teams to improve response times and even predict attacks.”
What you should do
It is not necessarily about buying one type of tool vs. another, but more about making sure that all tools serve the purpose of reducing risk, and that they are comprehensively implemented across the organization, said Mike Donaldson, solutions specialist at Bay Dynamics.
“Oftentimes, tools are selected for technical prowess, but without an eye towards how they fit together in the ecosystem to protect the business. Similarly, even tools purchased with the best of intentions, are left only partially implemented because of organizational changes, technical or political hurdles, or good old inertia,” he said.
There is not a “one size fits all” recommendation for the effectiveness of existing security tools and controls, what tools should be implemented next, or what controls can have exceptions. Therefore, purchasing decisions must be made based on the relationship of business objectives and security posture, what assets have the highest business criticality and value, and what mitigation is needed to make sure those assets are not compromised in light of existing threats and vulnerabilities.
He adds that companies should focus on ensuring that their current security tools are maximized for value and effectiveness. Often security tools sit in siloes, each one producing various outputs that separately paint a very different picture of residual risk and security posture across individual assets as well as across various business units. This makes it very difficult for security teams to quantify risk and prioritize alerts, incidents and findings. Companies need to bring together their security tools and translate the information coming from them into one picture that explains their most significant risks and actions to take that reduce that risk exposure.
“Ultimately, all the fundamental security tools are needed. However, what’s most important is to leverage a risk-based approach against business objectives to determine what order to implement the tools, what level of protection is necessary by asset criticality and value, and then taking measures to normalize the information outputs of disjointed tools and group them by specific risks so that a centralized and comprehensive view of cyber security posture is available and real time residual risk can be tracked and managed,” he said.
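The normalization Donaldson describes, as an added example (code written for this page, not Bay Dynamics' product): three constructed tools report in their own schemas (a CVSS score, a SIEM severity word, an EDR confidence), each is mapped onto one 0-100 scale, the findings for each asset are combined, and the result is weighted by the asset's business criticality to give one ranked view of residual risk. Asset names, findings, the severity mapping and the criticality tiers are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed asset inventory: criticality 1 (low) to 3 (crown jewel). Names invented.
ASSET_CRITICALITY = {"payroll-db-01": 3, "web-01": 2, "dev-laptop-17": 1}

# Constructed raw findings, each in its tool's native schema.
RAW_FINDINGS = [
    {"tool": "vulnscanner", "asset": "web-01", "cvss": 9.8, "title": "outdated TLS library"},
    {"tool": "vulnscanner", "asset": "dev-laptop-17", "cvss": 7.5, "title": "missing OS patches"},
    {"tool": "siem", "asset": "payroll-db-01", "severity": "high", "title": "off-hours admin login"},
    {"tool": "siem", "asset": "web-01", "severity": "low", "title": "port scan from internet"},
    {"tool": "edr", "asset": "dev-laptop-17", "confidence": 0.95, "title": "credential dumping tool"},
]

# Assumed mapping of the SIEM's severity words onto the common scale.
SIEM_SEVERITY = {"low": 25.0, "medium": 50.0, "high": 75.0, "critical": 100.0}


def normalize(finding: dict) -> float:
    """Map a tool-specific score onto a common 0..100 scale."""
    tool = finding["tool"]
    if tool == "vulnscanner":                       # CVSS 0..10
        return max(0.0, min(10.0, float(finding["cvss"]))) * 10.0
    if tool == "siem":                              # categorical severity
        return SIEM_SEVERITY[finding["severity"].lower()]
    if tool == "edr":                               # detection confidence 0..1
        return max(0.0, min(1.0, float(finding["confidence"]))) * 100.0
    raise ValueError(f"no normalizer for tool {tool!r}")


def combine(scores) -> float:
    """Noisy-OR: several findings on one asset raise its risk, but never above 100."""
    miss = 1.0
    for s in scores:
        miss *= 1.0 - s / 100.0
    return 100.0 * (1.0 - miss)


def asset_risk(findings, criticality) -> dict:
    """Residual risk per asset: combined severity scaled by business criticality."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f["asset"]].append(normalize(f))
    max_crit = max(criticality.values())
    risk = {}
    for asset, scores in by_asset.items():
        # An asset missing from the inventory is treated as lowest tier, not ignored.
        weight = criticality.get(asset, 1) / max_crit
        risk[asset] = round(combine(scores) * weight, 2)
    return risk


def ranked(findings, criticality) -> list:
    """Assets ordered by residual risk, highest first."""
    return sorted(asset_risk(findings, criticality).items(),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for asset, score in ranked(RAW_FINDINGS, ASSET_CRITICALITY):
        print(f"{asset:15s} {score:6.2f}")
```

On this input the web server carries the highest raw severity (CVSS 9.8), but the payroll database ranks first once criticality is applied, and the developer laptop with two serious findings ranks last; that re-ordering is the point of the exercise, since without the asset-value weighting each tool's console would argue for its own finding as the top priority.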
Eisenberg stressed the importance of endpoint security. “Security doesn't begin and end at the office. It doesn't matter if you have the best network security systems and practices in place if that laptop or smartphone is taken home or on the road and has potential for compromise.”
He advises organizations to spend more on advanced malware protection, with a heavy focus on cloud security, third-party risk management, endpoint security, and identity and access management. A holistic solution — from program to product to implementation and beyond — is the key to a better security program.
Enterprises should be focused on maintaining and keeping up with the current core infrastructure as their priority, said Chris Camacho, chief strategy officer at Flashpoint. Companies should start with networking equipment and ensure no products are end-of-life or no longer supported. If this is the case, then replacement of these devices should be prioritized and the devices should not be used. After ensuring core network equipment is covered under maintenance, pay the vendor the money required to get the license and support updated and apply all patches and upgrades.
After taking network inventory do an architectural assessment on what you currently own. Is it time to look at next-generation firewalls? Do a cost analysis on current devices and spend and determine if managing a single vendor that provides multiple defense-in-depth services would save money in the long run, he said.
451 says look for data security tool sets that offer services-based deployments, platforms and automation that reduce usage and deployment complexity for an additional layer of protection for data.
Most companies don’t really understand how hackers operate and haven’t quantified their risks or how secure they are, said Guy Bejerano, co-founder and CEO of SafeBreach. “As a result, they keep buying new security products that they believe will protect them from advanced threats. In fact, some financial organizations have a 'no vendor left behind' policy where they select multiple vendors providing the same security technology, presumably to increase the odds of success.”
Instead of a “product-centric” security strategy, what organizations need is an “adversary-centric” strategy, he said. By understanding the hacker’s perspective, motivations and techniques you can continuously validate whether the security controls in place can actually stand up to the most likely breach scenarios.
David Baker, vice president of operations at Bugcrowd, believes the best defense is a good offense. "Spending money on an offensive testing strategy is a more efficient strategy from a budget and resource perspective. Organizations should consider starting at the front lines, training staff on appropriate security behavior and even doing some active social engineering testing. Moreover, organizations can train and test technical teams — engineers, developers, and IT — on good platform and configuration security behaviors through continuous proactive testing of applications and systems."
Jakobsson feels one area that can be shored up is email. He said email is the primary channel for 95 percent of cyberattacks. Yet, while many companies have correctly identified targeted email attacks as their primary concern, they are still relying on traditional security technologies such as spam filters, which neither detect nor prevent these types of email attacks.
“As a result, these companies are spending time and money on employee awareness training, which is rarely effective and even reduces business productivity, as employees are expected to analyze every one of the hundreds of emails they receive every day. Instead, these companies should be recognizing that their primary protection technology does not address their primary concern very well,” he said.
He said it’s essential that companies prioritize threats on a sliding risk scale and adopt, and potentially swap out, technologies according to their budgets. “Today, however, companies aren’t doing this. For example, many companies do not correctly take loss and risk into consideration,” he said.
Henderson doesn’t think companies are spending nearly enough on advanced training for their security staff. “Empowering your security teams to learn to use the tools they’ve already deployed at an expert level can improve your overall time to detect and remediate an issue, and build better job satisfaction and loyalty. It’s no surprise to anyone that good staff are hard to find and even harder to replace, so if you don’t have a set amount of cash set aside in your budget to keep those people happy… they’re going to look for greener pastures elsewhere. This is the reality in today’s cyber security job market."