Every week, new reports come out about ballooning cybersecurity budgets. Even during the economic downturn associated with the COVID-19 pandemic, cybersecurity spending was projected to grow by 2.4% compared to 2019 spending, according to Gartner. Six months earlier, in December 2019, Gartner had projected that cybersecurity spending would rise by 8.7%, an astonishing figure. Organizations have fallen into the trap of benchmarking their cybersecurity performance by the number of tools they have deployed, the size of their budget, or even against their industry peers, disregarding analysis of how these budgets are actually impacting their baseline cybersecurity performance.
With every cybersecurity company out there marketing the latest and greatest in AI and ML, and every tool promising to solve all of your cybersecurity challenges, vendors have created a public perception that more technology results in better security. This frequently misunderstood idea produces a false sense of hope and security, leaving you to believe that each additional tool makes you more secure. The problem is that each additional tool delivers less marginal benefit than the one before it, while adding to the complexity of implementing and maintaining your cybersecurity program. Maintaining a simple but effective tool stack is the name of the game, because increasing complexity often results in inconsistent implementation and a loss of insight into how well basic cybersecurity standards are actually being met.
As a prime example of this phenomenon, look no further than the infamous 2017 Equifax breach. Even though Equifax touted an $85M security budget, a large security team, and a significant vulnerability management operation, it took 76 days to identify the breach, 145 days to patch, and over two weeks to notify their CEO of the breach. Equifax was hitting all the traditional benchmarks of heavy cybersecurity spending, a large tool stack, and team size, but without a way of measuring the effectiveness of its cybersecurity performance, it allowed its basic cybersecurity standards to slip. Security is never a finished game; it requires constant improvement and adaptation as available resources allow. Understanding where your security performance stands today and where it needs to be in the future is critical to organizational success, because it lets decision-makers allocate resources where they deliver the most benefit.
At the end of the day, the most important thing you can do is ensure a strong base level of cybersecurity performance. All the tools and teams at Equifax didn't save them when they failed to apply an Apache Struts framework update that fixed a serious security vulnerability in early March. The patch had been available for over two months before the attack took place and, despite the company's boasts of a rigorous vulnerability management program, was never implemented. Simplifying your tool stack, establishing continuous monitoring programs, and investing in solidifying baseline cybersecurity processes are the best ways to ensure cybersecurity resilience.