After attending the RSA Conference, many in the cybersecurity industry are wondering if all the money invested in the show floor actually leads to better risk management and risk reduction. The answer is not as straightforward as one might hope. In an effort to continue the conversation about cyber-essentialism and doing less with less, let’s explore ways to ensure that functional value is being provided to organizations.
One common problem is that companies tend to install a plethora of security products, using some with great success and leaving others to just take up space. The solution is to take a page out of SpaceX’s book and optimize processes by removing unnecessary steps. Does the company really need a network monitoring solution for its offices when it’s moving to the cloud? Is there really a need for 20 agents running on each Windows machine? Sometimes, the need for a product may be zero, and it’s okay to decide to no longer spend hard-fought security dollars on something when there’s a more effective solution available.
It’s also important for cybersecurity professionals to have confidence in their defense mechanisms. There should be processes in place to detect and correct any occurrences of “instrumentation failure,” where tooling, data, or intelligence may be incorrect. Regular validation and red-team testing confirm that cyber threats are actually being detected, blocked, and eradicated as intended.
Additionally, quantifying value or risk is challenging but essential. To provide maximum value to the organization, cybersecurity professionals should assess the impact of tools in specific areas, including how well they harden the environment, the importance of what they protect, how much they accelerate detection and response, and whether they build in secure defaults without requiring employees to change their workflows. Once all products have been ranked by impact, focus on the ones that have the greatest effect.
Finally, cybersecurity must become a driver of value. A collaborative approach to allocating resources is necessary, as it ensures that tools are regularly reviewed and that buy-in and alignment from the C-suite are achieved. Money spent on security shouldn’t be treated as a marker of how strong a company’s security posture is. Instead, funds should be spent on solutions that are tailored to the company’s needs to promote sustained growth.
In conclusion, doing less with less in cybersecurity requires a methodical approach to allocating resources. Austerity measures must be taken, and unnecessary steps or tools must be removed. Confidence in defense mechanisms must be established, and the business must be made to care about cybersecurity. Cybersecurity should be viewed as a driver of value, and money should be spent on practical solutions to promote sustained organizational growth.