A New Kind of Insanity: The Risk of Diminishing Returns in Cybersecurity
By Mike Allen
Posted On April 06, 2018
We’re starting to see a pattern to the way organizations respond to news of the latest cybersecurity breach. Typically, organizations first inject additional funding into security technology as quickly as possible after a breach is identified. Then, the new technology purchase is followed by a mad scramble to add qualified personnel to their internal security teams. Let’s face it, this reactive and largely unplanned approach simply isn’t working. In fact, the more band-aids thrown into the mix without proper thought and governance, the less secure organizations can become.
Many cybersecurity investments seem to be guided by knee-jerk reactions or responses to aggressive marketing, rather than a thoughtful approach to the problem. When this happens, organizations can end up with more technology than they can handle given their existing resources. They then try to cope with the added burden on IT by increasing budgets and hiring more people to run the solutions. Yet, despite increasing time and money investments, data breaches keep occurring. And those breaches are getting bigger, more sophisticated and, unfortunately, more damaging. Blame it on the law of diminishing returns: the more money, technology and people you throw at the problem, the more vulnerabilities you may risk exposing your organization to.
Why? The primary reason is complexity: adding security solutions on top of other solutions can create an unruly monster, and the age-old problem of silos starts to rear its ugly head. Different systems are dedicated to different functions, and don’t necessarily integrate information or communicate. Some are too multi-faceted and difficult to manage – and this creates security holes that additional investment was intended to prevent.
This is how some companies suffer a massive security breach even after investing heavily in security and technical expertise. So, what’s the answer to this ineffective approach of mitigating risks?
The solution requires a disciplined approach to cybersecurity through the implementation of a governance framework comprising three elements:
- Execute a data governance strategy to properly allocate resources.
- Where practical, utilize third-party cybersecurity management firms and their expertise to manage and monitor your security infrastructure and events.
- Follow a standardized governance model, such as the National Institute of Standards and Technology (NIST) cybersecurity framework.
Executing Data Governance
Proper governance is an essential first step in organizing a framework for achieving information security efficacy. A security governance framework will help you prioritize and classify your digital assets, and determine how much to spend on internal and external controls.
One of the benefits of a security governance framework is data management. Organizations must determine which information should be destroyed in the short term and which has to be archived. Businesses tend to hang on to data far longer than they should, potentially creating an internet treasure throve for hackers if they break into the network.
Typically, the bulk of emails that travel through a corporate network, as well as marketing materials, should be deleted after a few months. Otherwise, if hacked, bad actors can gain access to proprietary information including trade secrets, business negotiation details and other communications intended only for internal audiences.
Data subject to regulatory compliance, including finance, HR and medical records, should be properly organized, encrypted and archived. Depending on the applicable regulation, after a certain number of years that data also can be destroyed. Proper data governance enables organizations to plan for these various approaches to data, which can prevent a lot of headaches.
A security governance framework can also highlight which security controls are best handled by third-parties. In light of the diminishing returns on cybersecurity investments, organizations should consider outsourcing security management to third-party experts when they don’t possess the right in-house resources. Just as you would contract a security company to patrol physical properties, it makes sense to do so with cybersecurity.
There’s a reason companies continue to turn to managed security service providers: it can be one of the most practical ways to get the best protection you can buy, so long as you perform due diligence on available providers. This explains why Gartner predicts the cloud-based security market will grow to $9 billion in 2020 from the current estimated $5.9 billion.
Security is often too complicated and expensive to keep in-house. Hiring skilled professionals individually is getting tougher and tougher; by 2022 a 1.8 million shortage of cybersecurity workers is expected. Outsourcing security solves these issues as you leverage the expertise and proven technology of a security specialist.
Following National Institute of Standards and Technology (NIST) Standards
Lastly, organizations that are both experienced and new to security governance frameworks should check out NIST’s cybersecurity framework. This framework is designed to help businesses and organizations of all types build and manage their own security frameworks. A couple of the things I like most about the cybersecurity framework are: 1) it is written in plain English (as opposed technical cyber-speak), so it’s straightforward for just about anyone to understand and follow and 2) all the materials are free to access.
Decision makers responsible for cybersecurity should consider that continuing to invest in more technology and more personnel without a well-defined cybersecurity governance framework may very well be an effort in futility.
Instead, most enterprises should refocus their cybersecurity investments by implementing proper data governance, and relying more on the expertise of vetted third-party cybersecurity firms. In short, it’s time to start taking a smarter approach to security.
Author: Chris Richter
I am responsible for CenturyLink's managed and professional security services business. When I’m not thinking about mitigating cybercrime, I spend as much time as possible skiing, biking, and hiking in the nearby Rockies.
By Chris Richter We’re starting to see a pattern to the way organizations respond to news of the latest cybersecurity breach. Typically, organizations first inject additional funding into security technology as quickly as possible after a breach is identified. Then, the new technology purchase is followed by a mad scramble ...