Earlier this month Scale Venture Partners released a survey report on The State of Cybersecurity Priorities and Strategies 2017, based on the opinions of 200 security leaders in the United States. As with all industry surveys, this one set out to learn, and then share, what leaders in the field are concerned about, what “keeps them up at night,” budgetary factors, priorities and interests, etc. The problem with this report, as with others that get published and then distributed across social media channels, newsletters, webinars, and conference talks, is that it seems to reflect the desired state and the attractive parts of security rather than what’s actually necessary to improve security—that is, a continued focus on basic system administration and fundamentals.
Per the Scale VP report, security “leaders prioritize cloud, data center, and network as top security concerns.” Looking at the data, though, the survey results actually reflect security leaders’ top spend—their 2016 versus 2017 technology investments. This isn’t to say that no correlation between spend and importance exists, but it’s not accurate to assert that because someone spent more money on X than on Y, X is more important than Y. Y may simply be cheaper than X.
What is more interesting in the report, though, is the comparison between the 2016 and 2017 results. Investment in cloud security dropped 13%; investment in network security dropped 20%; investment in data center/server security dropped 15%. Where is that money going? From this report, it’s hard to tell. The lowest technology investments reported by the respondents of this survey (as in 2016) were in the areas of threat intelligence, insider risk analytics, and bug bounties.
Interestingly, despite all of the marketing buzz and security professionals’ stated interest in becoming more proactive about finding emerging threats and anticipating threat actors’ moves, investment in threat intelligence dropped 5%. Perhaps this is due to market saturation. Perhaps it is due to the fact that security teams realize that security solutions don’t come in a box. While threat intelligence technologies may help with data collection, pattern analysis, and sorting, true threat intelligence cannot be automated or delegated to machine learning. Aided? Yes. Outsourced? No. There is no replacement for skilled and experienced staff who understand the human side of threat actors’ motivations and tactics.
Ninety-two percent of survey respondents agreed that their company’s security investment strategy is aligned with the top threats. What’s incredibly fascinating about this statistic, however, is that despite high levels of technology spending in the U.S., organizations in the U.S. are significantly more likely to be owned by attackers than companies in other countries, which are not investing as heavily. Looking at the Breach Level Index, a data breach tracker for disclosed incidents, it’s clear that greater investment doesn’t equal better security.
“These numbers are not surprising to me,” says Mike Kearn, VP, Business Information Security Officer at US Bank Information Security Services. He continues, “I suspect companies are being more deliberate with their dollars meanwhile assessing what is working in their environments and where gaps still exist. Buying the latest and greatest solution might not deliver the expected ROI for the firm if gaps exist in areas critical to the foundation of their security program. Periodically, security teams need to revisit the basics and ensure they still have a solid base to build upon.”
Once again we have to come back to the fact that “good security” starts with strong controls around the data, people, and people’s access to data. Organizations first need to know what data they have, where the data is, what type of data it is, and who has access, then determine how to protect the data from there—from the ground up. If the Scale VP survey is reflective of the security industry as a whole, and network security is the “top” category for current security investment (despite its 20% drop), that, at least, is encouraging…if organizations are putting resources behind things like firewalls, encryption, monitoring capabilities, and application controls.
Regardless, any one of these technologies as a standalone “solution” is not worth the cost of the paper the P.O. is written on if it’s not properly configured, monitored, and fine-tuned regularly. And if your security staff is ignoring or downgrading alerts, you might as well be using an Etch A Sketch to map out your security strategy.