If a hacker got into one of your endpoint devices or servers, how many records would you lose? No doubt you have seen your share of frightening headlines about security breaches—and you probably have an idea of the equally scary financial risks. The latest research shows the average cost to companies rose last year from $154 to $158 for each lost or stolen record containing sensitive and confidential information. In most cases, the costs of legal fees and mitigation rises into the millions. And that doesn’t include the price tag for losing competitive data or damage to the brand from mandatory disclosures.
But do you know how much your defenses against cyberattacks are costing your organization in terms of lost business innovation? In a recent Economist Intelligence Unit (EIU) survey sponsored by VMware, almost half of C-suite respondents believe that cybersecurity measures are hindering critical functions. About the same percentage said these defenses were delaying efforts to bring new products to market and putting the brakes on innovation.
Notably, the majority of executives polled in the same survey also viewed cybersecurity as a huge drain on their management time and attention—not to mention a drain on scarce corporate budgets. On the other hand, fewer than half of the security executives expressed the same view.
Anachronistic architecture
It’s no wonder management perceives managing cybersecurity as expensive and complicated: because it is. Hackers are constantly innovating and filling their bags with new tricks. IT security leaders have responded to each new threat by bolting on the latest innovations from countless security vendors. The list is endless: web application firewalls, endpoint protection, penetration testing, data-loss protection, anomaly detection, and so on. In many organizations, the result is a patchwork of point solutions that don’t work well together.
As IT battles for budget to fight each new threat, and this patchwork of point solutions becomes more and more ungainly, it is no surprise that management sees cybersecurity as stifling innovation. Employees have to deal with sometimes draconian security policies, and IT spends valuable time managing security rather than supporting business innovation.
But IT must also battle management’s underestimation of the threat. For example, in the EIU study, only 12% of respondents felt it was likely that the company would experience a serious cyberattack within the next 90 days, while more than 30% of security professionals expected a major and successful attack on the firm in the same period. This major disconnect is somewhat analogous to motorcyclists who are annoyed by laws that mandate wearing helmets vs. the perspective of ER staff who see the real consequences of failing to protect against a mishap.
Cybersecurity today—like an Atari game in an Xbox world
Former president Obama made news in a 2016 article in The Wall Street Journal when he acknowledged the problem of a reactive cyber defense: “Government IT is like an Atari game in an Xbox world.” The same applies to enterprise IT and the problem of playing catch-up by bolting on reactive point solutions to counter each new threat. It is simply not an effective solution because the hackers never slow down.
According to the most recent Verizon Data Breach Report, in “the majority of confirmed data breaches, the modus operandi of nation-states as well as financially motivated attackers is to establish control via malware and, when successful, it is lightning fast. As this figure is for confirmed breaches only, it makes sense that the time to compromise is almost always days or less (if not minutes or less).” So in essence, a patch or newly deployed point solution may be obsolete by the time it is implemented.
Plus, with workers carrying multiple devices and increasingly connecting to the cloud, the task of risk mitigation continues to grow. Enterprise security professionals must protect a huge attack surface with thousands of potential entry points, which now include smartphones, internet of things (IoT) devices, and other nontraditional endpoints. Hackers probing for vulnerabilities in this attack surface only have to be right once—and they can succeed in milliseconds. Thus, it becomes almost impossible to protect against things like zero-days and other newly engineered attacks.
Plan and prioritize vs. patch and pray
The solution lies in IT professionals educating the C-suite on the costs—both in terms of stifling innovation and adding management overhead—of a reactive approach to security. Only when executives gain a more realistic understanding of the risks will they be willing to allocate budget to plan ahead. This will give IT the freedom to prioritize the greatest threats and to plan for the purchase and deployment of next-generation platforms with capabilities that protect against whatever the hackers try next.
Compared with old-school approaches—which were built on the assumption that the firewall would comprise the last line of defense—next-generation approaches can offer capabilities to protect against the new risks associated with data moving beyond the network perimeter. Effective planning and prioritization also gives IT a fighting chance of deploying flexible, adaptive solutions vs. asking management to allocate budget for cybersecurity that will be outmoded by the time it is deployed. This will also help to eliminate the significant operational overhead required to manage today’s Rube Goldberg cybersecurity monsters of bolt-on point solutions. Management and IT can, instead, focus precious time and resources on innovation that helps the business achieve a competitive advantage.
Originally published May 16, 2017, updated Jan 30, 2023