Investing Wisely

Where to focus spend during the economic downturn

By Tim Wallen, Regional Director, UK, US & Emerging Markets, Logpoint

There remains a great deal of uncertainty when it comes to how IT budgets will play out this year. According to the ESG 2023 Spending Intentions Survey, 53 percent expect it to increase, but 30 percent say it will stay the same and 18 percent think it will go down. Yet regardless of how things play out, cybersecurity is liable to get a bigger piece of the pie, with 65 percent expecting spend in this area of the IT budget to increase.

Although cybersecurity is widely regarded as a business priority warranting higher spend, it’s proving much harder to ensure there’s enough to go around. Inflation is seeing costs such as software licensing rise, plus the sector is experiencing a significant skills shortage, and coupled with the cost of living crisis, this is seeing wages increase. The ISC(2) Workforce Study 2022 found that the workforce gap has increased by 73.4 percent year-on-year in the UK, with The Department for Digital, Culture and Sport (DCMS) projecting an annual shortfall of 14,100 per year, it’s a problem set to get worse before it gets better.

Compounding these challenges is a highly competitive market. According to the 2023 Gartner Board of Directors Survey, 64 percent of board directors intend to increase the risk appetite of the business in order to compete more aggressively, with 46 percent willing to accept greater risk to achieve growth. CISOs will therefore need to adjust their risk management strategies to capitalise on opportunities, but as a result, can expect to see the risk exposure of the business increase, putting yet more pressure on cybersecurity resource.

All of these factors mean the CISO will need to utilise the data at their disposal more effectively to justify their decisions and guide investment. They’ll need to look at how they can measure the effectiveness of security controls against those of other organisations and evaluate the maturity of the business’ capabilities, for instance.

Using meta-analysis to drive decision making

Such meta-analysis will help CISOs report to the C-suite about general cybersecurity performance and justify their decisions to the board whether that be to invest, consolidate or outsource. In addition, meta-analysis will allow the CISO to evaluate technology and determine opportunities to reduce costs by using it as a benchmarking function. Using a data-driven approach will in turn, prove the business case for investment in automation, which will be essential in helping to ease staff shortages.

Automation can unlock real gains, particularly in the mid-market which struggles with alert overload/fatigue. Advances in AI and machine learning are seeing these alerts treated not as standalone occurrences but as part of a bigger picture. They are regarded as indicators of a possible compromise that is then qualified using contextual information to determine the level of response needed, helping to reduce the problem of false positives and to prioritise investigations.

Crucially, organisations with fully deployed security AI and automation save $3.05 million per data breach compared to those without (a 65.2% difference in average breach cost, states the 2022 IBM Cost of a Data Breach Report), so it can certainly deliver ROI and should be prioritised. But where else should CISOs focus spend?

Where to allocate spend

According to Forrester, top priorities for cybersecurity in 2023 include the replacement of legacy Security and Incident Event Management (SIEM) with systems that can analyse security behaviour. Using a converged SIEM, for instance, provides the business with additional capabilties as it comes with Security Orchestration And Response (SOAR) fully integrated to provide automated detection and response, User Entity Behaviour Analytics (UEBA) for threat modelling, and with additional modules such as Business Critical Security (BCS) allowing previously siloed applications, such as SAP, to be brought into the SIEM security fold. So how does each of these help ease the pressure on cyber security resources?

The automation conferred by SOAR sees security data and alerts gathered and prioritised to help identify and resolve incidents fast. Workflows and playbooks automate repetitive tasks, such as dealing with false positives, and guides security analysts to the right response. All the analyst has to do is approve or execute a decision while security teams are presented with data that has been automatically correlated and analysed together with contextual information and intelligence. This action speeds up the triage process so security teams can respond quickly ensuring Mean Time To Detect/Respond (MTTD/MTTR) is reduced. Plus, it also mitigates data breach impact because built-in response capabilities on the endpoints can be used to isolate hosts, block incoming connections from malicious sources, and disable users.

UEBA is invaluable in enabling the business to identify activity that deviates from the norm and to apply context to indicators of compromise (IoCs). It can detect security incidents that would be impossible to detect under other circumstances because it applies machine learning to peer grouping and baselines to identify normal/abnormal behaviour. And because it looks at data from across the organisation and its security infrastructure, it can apply that behavioural analysis to eliminate false positives.

UEBA also helps teams make sense of alerts by supplementing them with environmental and situational information. Environmental context can include details such as, whether a user was an IT admin or highly privileged user, or if they own the asset in question, while situational context may seek to establish if the incident has happened before and whether it falls within normal parameters. Moreover, high-fidelity risk scoring makes it easy for analysts to know which alerts to investigate first, helping to reduce the time it takes to resolve incidents.

A converged solution can also help the business extend its security management across previously siloed applications. SAP, for instance, is used to carry business critical data to systems responsible for everything from digital enterprise resource planning (ERP) and human capital management operations to sales, stakeholder relationship management (SRM) and customer relationship management (CRM) processes. However, these are usually protected using SAP security which then prevents the correlation of information and achieving enterprise-wide oversight.

Bringing such applications onto the SIEM using BCS enables SAP systems to be continuously monitored for IP theft, fraud, access violations, and compliance to enable threat detection and response. Suspicious transactions and SAP user behaviour can then be captured in near real-time and activity tracked with UEBA, while integration with the SIEM and SOAR automates checks, dramatically reducing time to compliance. Monitoring SAP in this way can also prevent costly downtime by acting as an early warning system.

Creating a single pane of glass

Automating SIEM, SOAR, UEBA and BCS over one platform not only eliminates the complexity associated with integration and management but also enables these data feeds to be combined to provide qualified insights. The severity of an incident can be validated and the response automated, freeing up precious human resource. Moreover, the dashboard provides the CISO with a single pane of glass through which to view the security posture of the business, keep track of compliance obligations and to carry out reporting.

Converged solutions will be a primary focus for investment going forward because CISOs can conserve signficant spend by consolidating the cybersecurity stack. An ESG report found 70 percent of businesses run more than ten tools, with some managing up to 50 point solutions, often with overlapping functions in a bid to close security gaps.

This can result in high operational overheads as these solutons come from a myriad of suppliers with their own proprietary technologies that the security team needs to master in order to use them and keep them up to date. Reducing the number of solutions and the number of vendors can therefore cut management costs because there’s no longer the need to spend out on training or to hire those with specialist skillsets.

For this reason, a staggering 75 percent of CISOs are pursuing a vendor consolidation strategy, according to Gartner’s Top Trends in Cybersecurity 2022 report. These CISOs said motivation included the need to improve overall risk posture, derive efficiencies from economies of scale and eliminate the time and expense required to integrate separate tools. But what’s notable is that almost a third (29 percent) said they were actively pursuing a consolidation strategy now compared to back in 2020.

However, while consolidation may seem a no-brainer it can become difficult to execute and extract savings from due to software licensing models. These are typically based on data volume, which does of course increase exponentially overtime, leading to runaway costs. Tied in to specific providers, CISOs face something of a Hobson’s Choice: pay these rising costs or cut back on their security monitoring.

Limiting the amount of data coming into the system simply doesn’t make sense in a security context, because it means curtailing visibility, but it can also directly impact business growth. Unable to reach their security objectives without worrying about restricting what they ingest and from where, the CISO may choose instead to delay security projects. For this reason, it’s vital that CIO/CISOs look not just at the functionality but the scalability of the solutions available to them.

Scalability is also key for another reason. The current economic climate is likely to see threat actors intensify their efforts because they are equally feeling the effects of the downturn. Those attackers will also be looking to leverage automation to create maximum return for minimum effort, which will equate to an increase in the volume and veracity of attacks. So CISOs cannot afford to cut back; they must invest to curb the threat and protect the company’s assets. The trick is to do so wisely and in such a way that costs become contained, human resource conserved and automation used to confer accuracy and reduce workloads. Consolidation can deliver on all three fronts.

About the Author

Tim Wallen is Regional Director for the UK, US and Emerging Markets at Logpoint. With almost 20 years of cybersecurity experience, he has held senior sales and management positions within both high-growth and established vendors, including FireMon, ForeScout, Check Point, McAfee, and IBM. He is responsible for driving strategic growth in the regions and for leading the growing team of Logpoint sales, marketing, and technical professionals. Tim can be reached online at https://www.linkedin.com/in/timwallen/?originalSubdomain=uk and at our company website https://www.logpoint.com/en/