Businesses – especially enterprises – are continuing to deploy more resources towards cybersecurity, and that includes more advanced tools to stop hackers. However, a new IBM global survey, conducted by the Ponemon Institute and featuring responses from more than 3,400 security and IT staff, found that while investment and planning are increasing, the same can’t be said for effectiveness. Moreover, the study found that more security didn’t guarantee results.
The research, which was part of IBM’s fifth annual Cyber Resilient Organization Report, also warned that the complexity of cybersecurity is negatively impacting incident response capabilities. The findings also suggested that simply adopting more tools often didn’t improve response efforts but instead did the opposite.
Wasted Cyber Resources
Throwing money at a problem didn’t show positive results, and instead, it was largely seen as throwing money away.
“Building castle walls out of gold won’t make a site secure, just expensive,” warned Jim Purtilo, associate professor of computer science at the University of Maryland.
“Security doesn’t strongly correlate with how much an organization spends on tools or practices,” Purtilo told ClearanceJobs. “It’s reasonable to think any group willing to spend lavishly on cyber infrastructure would also spend the time to manage it well, but it often doesn’t work out that way. After all, the CIA is heavily invested in cyber technology, yet in the last two weeks, we learned that the elite group in charge of developing their hacking tools was itself penetrated back in 2016. That’s a big oops.”
Centralized Risk-Based Intelligence for Multiple Threat Vectors
The other problem is that efforts to prevent all forms of attacks with multiple layers can also create interoperability issues, and that can lead to exploits due to a lack of standardization.
“Here’s the issue with cybersecurity tools; organizations use a lot of security tools to manage various threats – the larger the company, the more tools deployed,” explained Nilesh Dherange, CTO at security and risk analytics firm Gurucul.
“These tools are operating in silos and generating large volumes of data,” Dherange told ClearanceJobs. “All this data has to be looked at centrally so you can make decisions on your risks very quickly. The problem is none of these tools are talking to each other. So you have siloed data, noise from cybersecurity tools firing off non-standard alerts, and no unified intelligence.”
In many cases, raw data is useful in detecting threats from bad actors.
“In order to understand the cyber threat landscape in real-time, you need to be able to take a vast quantity of data and turn it into information,” added Dherange. “You need to unify all that siloed data into a single unified representation of risk which you can then act upon. Having the ability to aggregate, correlate, and analyze your data as a whole makes every single tool more effective. Putting all your data into one unified risk score facilitates centralized risk-based intelligence. It’s possible. You just need the right risk scoring engine.”
More Information Doesn’t Equal Better Cybersecurity
When we think of the term “too much information” in this context, often what comes to mind are the outside analytics that need to be monitored. However, it also becomes an issue if the IT department needs to monitor all the layers of security. More information doesn’t lead to better results.
To put it one way, it would be like having more walls around a fortress – but without the troops to man the walls, does it matter if the bad guys have good climbing ropes? And in many instances, we’re seeing cases where the walls aren’t even technically built.
In that case, the comparison would be little more than a pile of bricks, which won’t stop anyone!
“We see it time and again: companies are throwing money at tools to check off boxes on their compliance checklists, and sometimes their frontline security teams don’t even know what a tool does or why they need it,” said Chloé Messdaghi, vice president of strategy at Point3 Security.
“In fact, sometimes the licenses purchased end up never even being used,” she told ClearanceJobs. “Throwing money at compliance list requirements just isn’t enough to fix problems.”
The IBM study also suggested that organizations that invested in formal planning were more successful in responding to incidents. This is true no matter how many layers of security may be in place.
“Organizations need to understand whether their people know what particular tools are supposed to accomplish, why those objectives are important, and what each of their various tools cannot do,” Messdaghi added.
The Human Elements in the Cyber Battle
Another consideration is that more layers of security increase the workload on employees, and that in itself can cause problems. Companies need to consider the risks, but they also need to consider whether there is anything really worth stealing.
This is true even of companies in the defense sector, because information may be sensitive, but that doesn’t automatically mean it is especially valuable. If hackers can’t profit from it – either through sales or by gaining knowledge of American secrets – the data probably isn’t worth the time to steal.
“The threats and exposures are not uniform across all organizations,” suggested Purtilo. “Some sites are simply bigger targets than others, so while they may spend more on tools, they have a broader attack surface from the complexity of their infrastructure, and indeed, complexity is where vulnerabilities hide. More moving parts and interfaces mean more can go wrong.
Tool Value Needs to be Based on Team Feedback
“Cost alone is no indicator of quality,” he added. “This is an evidence-based discipline, so insist on measuring the value of tools and practices, and then you can make rational decisions about which juice is worth the squeeze.”
Then there is the factor of whether the tools are so complex that human error could be an issue.
“At the end of the day, the human element will determine just how useful the tools are or aren’t,” said Messdaghi. “Organizations invest in cybersecurity training for their end user population, and it works to help reduce susceptibility to threats such as phishing, bad clicks and over-sharing on social. More organizations need to apply this same security-centric mindset to tools acquisitions and up-skilling their security teams.”