The Three Critical Misses of a Tool-focused Cybersecurity Investment Strategy
As cybersecurity consultants, we see this scenario way too often:
Company X has a wake-up call regarding cybersecurity. This often comes in the form of a compromise or breach, but it can be more subtle, such as the discovery of malware in a sensitive environment or a board-level mandate. Immediate calls to action are made for 30-, 60-, or 90-day action plans. Budgets are made available, and those in charge go shopping for tools and technology to solve the problem.
Fast forward one or two years. Company X has spent money on cybersecurity tools, but has it really made sound investments that "buy down" its risk? Is it really more secure? Too often the answer is "no."
In the haste to take action, three key things are often missed:
1.) Tools and technology are only part of the equation. Without the right investments in people and business process, tools are ineffective at best and, in the worst case, lead to a false sense of security: an alerting platform that nobody is staffed or trained to monitor does not reduce risk.
2.) Priority and requirements are not identified. There are thousands of cybersecurity tools on the market. How do you know which ones fit your environment? Rarely does a single tool or technology address the threat landscape. Without a clear understanding of the current posture, combined with definitive objectives and requirements, it is impossible to make good business decisions about which cybersecurity investments to prioritize.
3.) Existing architecture and process are not addressed. There are almost always minor adjustments to existing architecture or processes (network segmentation, access control, patching and change management, for example) that pay significant dividends in managing risk, very often with minimal investment.
We recommend starting with a third-party assessment to ensure that the people and process challenges are identified, that priorities and requirements are clearly defined, and that the "quick wins" in existing architecture and process are captured. The recommendations resulting from the assessments that Revolutionary Security performs address all three of these items and are arranged to make clear where short-term, tactical adjustments can be made and where longer-term people, process, and technology solutions are required.
About the Author
Director, Industrial Control Systems Security
Jason leads Revolutionary Security’s Industrial Control Systems (ICS) practice. He has been actively involved in helping secure SCADA, DCS, and other Operations Technology (OT) for over 15 years with experience spanning the utility, oil and gas, chemical, and manufacturing industries.