Demonstrating Cybersecurity's Importance

Day after day we see new threats revealed, and professionals in the cybersecurity space are getting a little jaded.  We know how serious these threats are, we use technology to deal with most of them, and we spend a lot of time verifying that our security processes work.

But the same problem keeps coming up: how do we demonstrate that importance to executives and management who know cybersecurity matters, but are reluctant to commit the time, energy, and money that good security practices require?

And we know businesses aren't taking it seriously, because article after article tells us so.  So what can we do?  As a cybersecurity professional working for a firm that contracts with many businesses, I hear this question a lot in conversation.  Many of the customers we work with are well aware of the problems facing them, and aware that solutions exist; they also know their management will not pay the price until they're hit with a major breach.

Why is that?

The issue is not that businesses are unaware of the problems.  It is that the threat from cybercriminals keeps growing while the people doing the protecting have to play catch-up, all against a general desire to cut IT costs that have risen year after year for the past decade.  The issue, then, is messaging.  How do we make the case that security can be cost effective, resilient, and a profit generator?

Security is Cost Effective

Security is cost effective because it protects a business from the potential losses a breach or network outage would cause.  But not all solutions are equally cost efficient.  Choosing the cheapest product can lead to failure: the technology was insufficient for the need, or there were attack vectors and vulnerabilities the product did not adequately cover.  And that isn't even the hardest part of the equation.  Who manages the technology once it is chosen?

Many businesses approach security from the top down: start with a team, have them research options, choose the best of what is offered, and make it fit the organization.  This is NOT effective.  Few security teams look the same after 18 months.  A typical deployment takes 3-6 months to complete.  So a team of engineers spends months deploying the product and roughly a year learning it, and then a good portion of them are on to the next employment opportunity.  Now you need new engineers to become familiar with a solution you've committed to in a 3 year deal.

This can be extremely difficult, or expensive, or both.  Engineering talent is hard to acquire and harder to keep.  MSPs and outsourced security services flourish precisely because retaining the same person for years is uncommon in most businesses.  This is why cost effective security has to be evaluated against the following criteria:

  • How much does it rely on automation?  Relying on it too heavily means an attacker who abuses a normal, expected process can slip past the automated controls.  The number of zero-day vulnerabilities that have led to successful breaches has increased significantly in the past two years, more than 10x over 2019.  But if you don't have 24/7 staff, relying on humans to answer problems in the middle of the night will also fail.  The key is automation that handles the first response and then escalates to a human.
  • How much training does the technology require?  Solutions that depend on specific employees will fail under normal turnover.  An entire business cannot rest on the shoulders of a single person.  What happens when they're sick, when they take a day off, or if they get hit by a bus?  Business continuity requires solutions that do not hinge on a single point of failure.
  • What secondary layer do you have in case the technology fails?  Nothing is perfect.  How are you training your staff to handle an initial failure, and what kind of safety net do you have in case everything goes wrong?  Plan on the assumption that the failure will happen while you are short-staffed or in the middle of the night.
    • This is what has led to the rise of MDR/XDR/EDR (choose your abbreviation) offerings that look for gaps and help catch problems as they occur.  Make sure whatever solution you use is capable of intervening when something fails, and that the statement of work (SOW) actually permits that intervention.

Security is Resilient

An architecture without a single point of failure is key to any successful security model.  Relying heavily on the current security team inevitably leads to failure.  No one wants to tell their boss they are replaceable, and many security professionals aren't, but having every capability and process covered when you are sick or when someone is out of town is the only way your security will survive over time.

Documented processes and the use of multiple, overlapping technologies are some of the ways to build a comprehensive strategy for resilience.  But if the security architecture is not resilient, if it does have single points of failure, the dice will inevitably land on the circumstance where everything that can go wrong does go wrong.

Security as a profit generator

Security is a process, not a product.  You train your team and build processes that interact with your staff and your customers effectively and efficiently, and that alone sets you apart from most organizations.  Most IT and security organizations have problems.  By setting your IT organization up for success you have already differentiated your business from the majority of your competitors, and that is a competitive advantage you can exercise to gain market share.

Management understands cost-to-value ratios.  If you're expected to dig a ditch you want a shovel, not a toothpick or even a toothbrush.  The right tool for the right job is an idea that can be explained to anyone, regardless of technical expertise.

The reality of cybersecurity is that the best technology in the world isn't effective if no one is using it.  Conveying why that technology matters, so that it actually gets used, is essential to navigating the security space successfully.