By: Kirsten Bay, Corey White
Put simply, the security industry has failed to keep pace with the adaptability of today’s cyber criminals, leaving buyers in the unenviable position of continually scrambling for the latest security tools in an attempt to keep confidential information safe. They spend more money and they buy more security tools without knowing if they’re spending in the right places or on the right things. It’s the foundation of a vicious cycle resulting from the failure to prevent attacks in the first place, which is the primary job of cybersecurity.
Consider the Equifax breach, where more than 148 million consumer records were exposed. Human error and a reckless approach to security were at the root of this notorious hack, according to former CEO Richard Smith. Poor data hygiene, permissive access controls, and an open network architecture gave hackers all the help they needed to pilfer the crown jewels of U.S. consumer data. This entirely preventable breach was caused by the failure of Equifax’s IT team to implement a critical patch and exacerbated by internal security systems that failed to flag the suspicious traffic that followed. Worse, six of the 11 remedial recommendations given to Equifax by a top consulting firm included increased security and technology investments, despite the failure of many similar tools to prevent, detect, or contain the original breach.
As long as security providers continue to make money off their own failures, it will always be in the industry’s best interest to sell using fear tactics. But this doesn’t mean buyers have to play along. Organizations can evolve from approaches favored by the industry to new methods that serve buyer needs first. To succeed, organizations must know what to protect, how best to protect it, and how to keep it protected over time.
Whatever the industry’s shortcomings, we all have a hand in why security solutions fail. Whether our focus is on decreasing overall risk, reducing technology complexity, supporting faster sales cycles, speeding time to market, achieving better compliance, improving customer retention, or just doing a better job preventing data breaches, we must understand our own environments. There are three basic steps that form the foundation of a winning strategy.
What assets do you have? Servers? Cloud infrastructure? Laptops? BYODs? If you’re not sure, make a list. Seventy-nine percent of organizations surveyed by Enterprise Strategy Group (ESG) report widening visibility gaps in their cloud infrastructure, while 75 percent found the same problem across end-user and IoT devices. Do you know what software is running on all those assets? You can’t really proceed to the next two steps until you have this one covered.
Is your endpoint security focused on preventing attacks or detecting and responding to them? Most endpoint security providers will tell you they do both, so dig into your solutions to determine if they’re better at one or the other. And remember: MDR and XDR might sound good—they certainly enjoy a lot of hype—but they won’t prevent an attack. The more you spend on prevention, the lower your total costs will be.
What’s your current process for keeping software up to date? Who’s responsible for installing updates? For vulnerability scans? For remediating problems once discovered? With an average of 50 common vulnerabilities and exposures (CVEs) discovered every day and software updates and releases happening regularly, it’s impossible for once-a-quarter (or once-a-year) scans to accurately reflect the threats and vulnerabilities in each environment. Even once a day won’t get it done, because you’ll miss an average of 49 others every 24 hours.
Mastering the basics boosts resilience across the board, so any organization that thinks meeting compliance standards gets them off the hook for embracing security basics should think again.
Security often gets bumped in favor of the capabilities customers want, particularly in high-growth sectors like technology and in compliance-driven industries like financial services and healthcare. But when companies get into the habit of thinking compliance provides security, they lose their cyber resilience. From basic IT hygiene (such as patching vulnerabilities or comprehensive asset management) to user education