The cybersecurity industry is growing at a dramatic pace as cyber criminals have simultaneously become more dangerous and better resourced. Security leaders are drowning in options, with tools, agents and analytics all designed to stay ahead of increasingly adroit adversaries.
Global spending on cybersecurity products is predicted to exceed $1 trillion over the next five years. As of January 2018, there are more than 2,500 security technology companies, and it is estimated that around 300 cybersecurity startups launch every year. Yet even as companies spend more on security, reported losses from cybercrime have nearly doubled in the last five years, reaching $1.4 billion in 2017.
All of this can lead people to believe that there is no end to security innovation, and no shortage of new vendors to supply the latest tools to security teams. But let's step back from our familiarity with the security market and take note of where investment dollars are actually flowing.
VC funds are becoming more discriminating as investors wait for wider market adoption before committing. On top of this, the security industry is experiencing rampant consolidation. This month, for instance, Cisco announced that it plans to acquire Duo Security. Last year, CA Technologies bought Veracode for $614 million and Palo Alto Networks paid $105 million in cash for LightCyber, to name just a few.
These shifts cast doubt on the future of many security vendors. As more companies emerge, consolidate and disappear, CISOs struggle to understand which products are really worth their investment. The truth is that what's needed now isn't more security products, but smarter and better security.
Quality > Quantity
The habit of buying one product per category, filling every box on the market map, leaves security leaders stuck in a tricky situation: an overwhelming number of security products and great difficulty proving the ROI of any of them.
These tools often integrate poorly, require specialist expertise to operate, or generate noisy alerts without enough usable information to improve security and risk posture. Not only has this strategy proven ineffective, it is also overly complex and expensive, leaving IT security budgets swollen and overrun with tools that were a 'must have' merely because they were missing from the company's product inventory.
Instead, CISOs can improve their purchasing decisions by focusing on their own capability deficit. Every IT security team has a set of projects and strategies it is working to pursue. When the current stack of people, processes and technology isn't closing the gap between those objectives and what the team can actually do, then it is time to go shopping. With this pragmatic mindset, an investment must add value and fill the current capability gap, not merely keep up with the latest trends or the tools featured in the upper right corner of an analyst quadrant.
5 Questions To Consider When Evaluating Security Solutions
To reduce security product clutter, here are the key questions I recommend CISOs ask themselves to ensure that they are buying the products they actually need.
1) What Is the Goal?
This question gives you the opportunity to reflect on the objectives and strategies you may or may not already have in place. If the goal is not yet defined, or is still in the brainstorming stage, stop yourself from pursuing a product or product category: without a defined goal, whatever you buy will be a temporary patch rather than a solution to the problem.
2) What Are My Current Capabilities?
Conducting an honest appraisal of your current state is imperative, because it provides the baseline from which to determine the capability deficit and exactly which capabilities are lacking. This applies to much more than technology.
There are three 'characters' in our 'security epic' that can provide capabilities to solve problems: people, processes and technology. When scoping your current capabilities, be sure to analyze all three, since a gap in any one of them can leave a deficit that a new tool alone will not close.
3) What Technology Has the Capabilities to Fill this Void?
To avoid buying technology that cannot actually close the deficit, keep a few key things in mind:
Does your team have the skills to operate the technology? If not, a new tool may consume the capacity of the people you already have rather than adding to it.
Does the technology fit your current workflows and operations? If it doesn't fit seamlessly into the current process, you will need to refine the process or accept the inefficiency.
Does the proposed purchase work with your existing technologies? This is critical, because security technologies are usually add-ons to the systems they are meant to protect and to the security tools already in place. If they don't interoperate well, you are only adding to the problem.
4) Does It Have a Proven Track Record?
As I mentioned earlier, buying a product according to bias is a recipe for error. Though I caution security leaders against chasing quadrants and waves, it's worth noting that one of the metrics commonly tracked by the analyst community is a vendor's ability to execute. CISOs can benefit from staging the implementation and assessment in phases, to uncover early whether the technology will be painful to deploy.
For example, a vendor with cutting-edge technology that resembles science fiction is intriguing. But if that new gadget is a nuisance to implement and the vendor cannot execute with some degree of predictability, it is not worth the investment. You could end up with technology that is incredible and solves the capability deficit on paper, yet is a net detractor from your ability to reach your goal.
5) How Will I Measure It?
Finally, this question puts you in the mindset of quantifying the investment to your business. Here, vendors can help by providing references from similar customers and the outcomes those customers have experienced. If the technology does not produce a measurable outcome, positive or negative, there is no way to determine whether the purchase was worth it. Forcing yourself to define how you will measure the technology's effectiveness, before you buy it, breaks the habit of purchasing by category or out of pathological attachment to a product.
Building a Lasting Framework
In the end, security vendors must be able to prove tangibly that their technology is aligned with the company's goals, and to demonstrate measurable reductions in the capability deficit.
One strategy CISOs can use to avoid being overwhelmed by overlapping tools is to adopt a security framework or model, such as the NIST Cybersecurity Framework, that attributes each technology's impact to a specific security discipline. Mapping the stack this way provides a comprehensive view of how each product contributes to the company's overall security posture, and helps you avoid investing in products that neither adequately protect your organization nor contribute to the bottom line.
About Josh Mayfield
Josh Mayfield is Absolute's Director of Security Strategy and works with Absolute customers to leverage technology for stronger cybersecurity, continuous compliance and reduced risk across the attack surface. He has spent years in cybersecurity, with a special focus on network security, threat hunting, identity management and endpoint security.