Cybersecurity After Dark | Episode 3
In Episode 3 of Cybersecurity After Dark, Sean and Dan tackled a philosophical question from a cybersecurity professional named Guru (no pun intended) on how to know if you have the right cybersecurity solution. Apparently, according to Guru, nobody has the right solution, because if they did, there would be no breaches. 🤯
Sean and Dan conceded it’s impossible to prevent every single breach. But buyers and vendors can improve the odds by changing current standards in cybersecurity tech acquisition models. Check out their 4 takeaways below.
A better model for acquiring cybersecurity solutions
How can a company know if they have chosen the right cybersecurity solution? That’s the million-dollar question posed by Guru (aka Gurubaran) in the article “Why Businesses Need a New Cybersecurity Tech Acquisition Model.” The obvious metric is “all devices or networks are free from any security breaches.” But even huge, well-funded, technically sophisticated companies have had breaches.
While there are best practices for acquiring cybersecurity solutions, there is no quantitative, objective approach to examine the efficacy of a system. Most companies are left to scour the equivalent of “Yelp for IT” reviews, like TrustRadius, to get some sense of what works and what doesn’t. There are other issues as well: underused cybersecurity features, buying technologies without thorough internal evaluations of the existing system, etc. It’s high time for a new cybersecurity acquisition model!
Cybersecurity tech acquisition has become a “market for lemons”
While there are many innovative solutions, there are also many gimmicky, ineffective features and functions out there. According to the Debate Security report, most cybersecurity professionals are unable to differentiate between “good” or “bad” cybersecurity solutions. An alarming majority of organizations have little confidence in the effectiveness of the solutions they purchase. “We buy it, and then we cross our fingers and hope the technology will work,” said one CISO in the study.
The low level of trust and confidence in cybersecurity solutions is not surprising given the volume of breaches making national headlines. Clearly, cybersecurity leaders are ready for, and need, a new cybersecurity acquisition model. The answer lies in knowing what’s inside your stack and making decisions based on what will work best for your enterprise.
An economics problem, not a technology deficit
Guru holds that the problem with the current cybersecurity tech acquisition model is not technological; it’s economic. Security firms and organizations ceaselessly develop new ways to address cyber threats and attacks, but vendors focus on peddling a product to customers instead of a real solution. Buyers become too focused on compliance, while vendors try to cash in as much as possible on ever-growing demand in the cybersecurity market.
This needs to stop.
Creating a new cybersecurity tech acquisition model
According to the Debate Security report, creating a new cybersecurity acquisition model means changing the dynamics between buyers and vendors. Technology offerings, product promotions, and stakeholder perspectives all should come into play during deliberation on potential cybersecurity technologies. Furthermore, the new model needs to focus on the following benefits:
- Greater cybersecurity effectiveness: Many businesses don’t fully understand their security risks and vulnerabilities. This piece is probably the most critical to guiding decisions on cybersecurity investments that serve the business’s interests and bottom line.
- Meaningful technology evaluations: Establish common standards on what makes a product effective and optimized for specific use cases.
- Improved ability to set risk appetite: No company has an endless budget, so companies always set “risk appetite” or “what can we afford not to do.” This goes hand-in-hand with knowing what’s in your stack and guides smart security decisions.
- More informed security prioritization and differentiation: Vendors have to be transparent about the capabilities, capacities, and coverage of their security offerings. Not only does this help buyers make informed decisions, it also creates trust and customer loyalty.
- Correlation between security spending and efficacy: If buyers and vendors are transparent with each other, the dissonance in the cybersecurity market will tone down. Ultimately, buyers will spend on the right solutions and protection that correlate with needs and risk factors.
Sean and Dan’s 4 Takeaways
Why do we buy cybersecurity solutions? To stop breaches – but we have a rising breach landscape. Therefore, nobody has the “right solution.” This is a deeply philosophical, but true statement. So, Sean and Dan dug into the reasons behind this dilemma.
1. Tool churn, not just tool sprawl
It’s not just about tool sprawl as much as tool churn. Due to the high rate of CISO and CSO turnover, organizations can go through several “newfangled” tool implementations within a matter of a few months. The answer to the question, “Why are we using this?” is “Well, this worked at my last organization, so it will work here.” We bought these tools and we still had a breach. But maybe the better questions are, “Are we implementing them correctly or to their full capacity?” and “Do we need more training?”
2. Underutilized cybersecurity solutions
Cybersecurity solutions tend to be underutilized. According to Gartner, IT and operations tools are about 70-80 percent underutilized. It wouldn’t be a far cry to assume the same is true of cybersecurity solutions. Perhaps that is the heart of the problem: companies don’t know how to measure the success of a security solution, whether they have configured it correctly, whether they have implemented it to get the most out of it, etc.
3. Break down silos between business and security teams
When it comes to understanding and quantifying vulnerabilities and risks, perhaps what companies need is to tear down the silos between the technology department and accounting. Sean and Dan think we need more business analysts buddying up with security teams. This meeting of minds and skills could catalyze better conversations between buyers and vendors.
4. Acquiring cybersecurity solutions starts with educated buyers
Buyers are confused and inundated with calls from security vendors. They have a hard time understanding what’s “good,” what’s “bad,” or even what they need for their environment. But this is not necessarily about demonizing vendors: they have a product, and they need to get the word out about it.
What it boils down to is informed buying. The real way to improve the cybersecurity tech acquisition model is to ensure companies are informed enough to have a conversation with vendors that leads with, “Is this the solution that fulfills the need that we have?”