More than 60 percent of US information technology professionals said their cybersecurity budgets have increased up to 30 percent in the last 12 to 18 months, according to a recent Lockheed Martin survey.
Cybersecurity is being discussed on an unprecedented scale, including in corporate board rooms — thus, the boost in funding.
And while we’re happy to see more resources coming to the problem, the ways in which additional dollars for cyber defense are being spent leave much to be desired. That makes us wonder: Are we being lulled into a false sense of cybersecurity?
Are our misconceptions of three key areas — technology, staffing, and strategy — keeping us from an effective cybersecurity approach?
To ensure you aren’t putting your cyber resources to waste, consider three common pitfalls that hit each of those core cybersecurity competencies and see how your organization stands up.
So many alerts, so little time
Traditionally, organizations have quite literally bought into the idea that, somewhere in the world, there exists a mix of technologies that can be plugged into the network to detect all potential issues and intrusions. Heavily investing in tools that go “bing,” producing an alert for one’s cyber defenders, is what we call a vendor-driven response model.
To avoid this pitfall, it’s critical to understand that there’s no such thing as a silver bullet for cybersecurity. You can’t buy your way into becoming a secure organization, and the traditional set-it-and-forget-it approach doesn’t work.
Consider this: An overwhelming 90 percent of respondents in an April 2015 Ponemon Survey said their organization invested in a security technology that was ultimately discontinued or scrapped before or soon after deployment.
“As cyber threats increase, it is troubling to see so many of the cybersecurity tools purchased by organizations end up as ‘shelfware,’” said Greg Boison, a director of Homeland & Cybersecurity at Lockheed Martin. “When cyber dollars are scarce, organizations should not only evaluate which tools their enterprise needs, but whether they have the internal and external resources to deploy, maintain and leverage them.”
The reality is there’s no one solution or perfect mix of solutions that will serve all your cybersecurity needs. Beware of stocking up on technologies that foster undue confidence resulting in a false sense of cybersecurity. Alerts will always outpace the analyst’s ability to respond, and off-the-shelf technology never satisfies all cyber defense mission needs.
How can you avoid this pitfall?
Waiting to be told there’s a problem can cost you. Even if you survive the cyberattack, you often come away with nothing — no intelligence to help protect from future attacks and no time to truly debrief and grow before another alert is sounded and you’re back in the fight. This perpetual back-and-forth with attackers is simply unsustainable.
Instead, assess the tools you have against the threats that target your most valuable assets. Technology is a necessary part of the equation but you don’t need to accept the status quo — technology should be tuned to work for you. Tailor the settings to fit how your people work. Properly tuned tools collect good data and can shift a team’s day-to- day tasks from merely reacting to alerts to focusing on truly analyzing relevant data to affect thoughtful defense.
More people = more security
Detecting and containing advanced threat actors is extremely difficult without humans in the loop.
Perhaps reasonably, organizations think that by staffing their security nerve centers 24 hours a day, seven days a week equals quality best-in-class cybersecurity.
Unfortunately, this is another way to be lulled into a false sense of safety.
First, consider: Do we have enough skilled cyber analysts to fill a 24x7 staffing plan?
Staffing that emphasizes three shifts a day, with analysts “following the sun” around the world, are difficult to staff and even harder to staff with qualified analysts, typically resulting in an under-utilized, less capable crew on the night shift.
Given the limited cyber resources in the market today, that night shift crew is likely to be tasked with manually alerting first-tier analysts when an incident is detected.
(We should point out that there are times when organizations will need to put eyeballs on screens 24 hours a day, seven days a week for reasons of regulatory compliance, for example.)
How do you avoid this pitfall?
Question the effectiveness of your staffing plan. Evaluate and look for ways to customize and tune your technology to enable quality alerts to your analysts. Then, leverage intelligence to identify trends in the timing and/or cadence of attacks to inform your staffing decisions and your training plans.
Waiting and reacting is no strategy
Good technology and solid staffing aren’t enough, however. Bringing technology and people together most effectively requires a cybersecurity strategy. Unfortunately, many organizations consider “waiting for something to happen and then reacting” their strategic framework. That’s actually no framework at all (and lacking that sense of direction contributes mightily to the pitfalls of technology and staffing, to boot.)
Avoiding this pitfall means eschewing a reactionary posture. If you’re reactionary today, getting better means making an honest assessment of your current processes and procedures. Consider evaluating yourself against a proven framework with demonstrative results by a leading peer in your industry, for example.
Second, rethink network architecture in the context of cybersecurity. Corporate network architecture needs to be designed in a defendable way to promote resiliency through visibility, manageability and survivability.
Finally, adopt a framework that leverages your hard-won intelligence, whether from prior attacks or from the careful work of cyber analysts at your firm and elsewhere. Track, map trends, analyze, and collaborate. Be proactive.
The increase in disclosed breaches has opened up a cybersecurity maturity dialogue across organizations worldwide. Now is the time to question how we’ve done things and how we’re doing things: Is the status quo enough or have we been lulled into a false sense of cybersecurity?
Read the full white paper detailing how to avoid a false sense of security at Lockheed Martin here.