Don’t overspend on products, invest in people who know how to use them

A Naval cryptologic technician works with a high school student at a Cyberthon in Pensacola, Fla. Today’s columnist, David “Moose” Wolpoff of Randori, says companies spend too much money on tools they don’t use. Better to invest in people and train them so they really know how to use the tools. (Official U.S. Navy Imagery CC BY 2.0)

It’s an age old question for any company: How much should it spend on security? The answer: less than it spends today. The more companies spend on security, the more they shift revenue from other resources. And if the business isn’t more secure, it’s hurting another part of the business.

Security teams really need to ask: “If I invest in this product, will I reduce risk by so much that it positively impacts the company’s bottom line?” In the vast majority of real-world cases, massively inflated security budgets represent a huge waste of resources, and also contribute to an overarching artificial hubris that has led the security community to misconceive the very meaning of the word secure.  Said another way: companies that increase security spend by checking boxes are creating purely cosmetic change, and it’s only increasing the company’s attack surface.  

At the end of the day, security teams should shift the security spend to experienced people. Hire a few top-flight security pros with the skills to run the security organization, and scrap the security tooling the company overpurchased. Too many companies purchase dozens of products looking for the solution and they often don’t even know that they have in their environment after a while.

Companies need to make informed decisions about what to do based on what’s really going on in their company, and not let fear of the hypothetical and unknown drive real-world decision-making.

Typically, a defender starts by trying to design a secure system. They do an audit of potential weaknesses, and then go from where they are to being secure. In contrast, a hacker knows there’s no such thing as true security. They will always start from the assumption that there’s a way in. It’s a question of how, not if.

The defender tries to make the environment secure, but if the hacker plays by a different set of rules -- that security doesn’t exist --  how can the defender beat them? In this scenario, the blue-teamer and hacker aren't even speaking the same language.

Enter the top-flight hires. If the company can build a team that puts the fundamentals in place, uses the right security tools – and uses them regularly – the company will make it more expensive for an attacker to get in. This will dissuade the vast majority of the hacker pool. Make it hard for them to get in, and the hackers will move on to the next potential victim.

Don’t get the wrong idea -- security software, appliances, tooling -- are all very important.  But too many companies don’t know how to use the tools, don’t use them regularly and don’t use them in the right way.

The best security teams I’ve gone up against are not those with the fewest flaws, or use the most buzzed-about security products, but the teams that anticipate my next move and do the following:

  • Protect what matters. They know what’s most important to protect, and no, everything isn’t the right answer. They know what their crown jewels are.
  • Prioritize the way attackers do.  They anticipate the part of the network and data I’m going to go after and have moves prepared to thwart my attempts.
  • Master the fundamentals. Their networks are segmented. They have lots of visibility and monitoring in place and implement the CIS Top 20 critical security controls. They know what pieces to have in what places and where.
  • Put failsafes in place. Attackers will attack, it’s not about stopping them from attacking, but thinking 10 moves ahead – and have the right defense-in- depth setup.

Companies don’t need a secure system. There’s no such thing. Companies need a well-designed system overseen by a couple of extremely talented security pros who know how to use the tools they implement, and can run the cost-benefit analyses of security response decisions. These days it’s hard to hire truly bad-ass security people, so companies need to allocate funds toward training or buying services that enhance the staff’s knowledge and productivity. But don’t think buying a tool replaces human talent. Better to take a bright person and pay for them to earn a CISSP because security software can’t be trained to think critically about the company’s business needs. A small team of motivated and empowered junior staff can certainly make my life harder as a hacker.

Most people find it pretty difficult to believe, but if all companies simply followed the best practices laid out for CISOs in the year 2000 (least privilege, default deny, segmentation and monitoring, we wouldn’t need a fancy multi-solution appliance in the first place.

Approach security as a risk calculation. Companies should spend as little as possible for the best results possible. Banks know they know they will never stop all fraud. So rather than trying to prevent it, they put mechanisms in place to minimize the damage. Security teams must make the same calculation: What will it cost if the company gets hacked? What’s the cost of downtime? And above all, will the changes the company implements make it quantifiably more difficult to hack?

David “Moose” Wolpoff, co-founder and CTO, Randori

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.