Eliminating wastage

A thorough risk assessment is essential when deciding where security efforts need to be concentrated - and in defining the budget needed to make this happen, says Eoin Keary, CEO and founder of edgescan

Managing the security budget within any organisation can be one of the toughest jobs in the world. According to Cybersecurity Ventures, global spending on cybersecurity is predicted to exceed $1 trillion over the five-year period from 2017 to 2021. This figure is huge, but how much of it is being spent unnecessarily?

In a recent survey conducted by edgescan, 39% of respondents admitted their organisations purchased a security solution that ended up in a cupboard, never used, while 18% of those said unused solutions cost their organisations over £20,000. These numbers are shocking, but there is a checklist an organisation can go through to ensure they're making a wise decision.

Know your business - a thorough risk assessment is a good starting point for deciding on the right cybersecurity tools and a way to gain perspective over the potential threats to the business, what it needs to prepare for, which attack vectors it is most exposed to and where to concentrate security efforts. This phase should include asset profiling, as it is impossible to protect what you don't know is there. Every single component connected to the network - or that has the capability to do so - needs to be accounted for. Also, take a look at the security solutions already in place. These solutions may need maintaining or updating, but they may also need decommissioning if they have slipped under the radar and are no longer being used.

Know your people - it's no secret that the skills gap in cybersecurity makes it hard for organisations to find and retain talent. This task is harder for smaller businesses, as larger organisations promise security professionals more benefits, career prospects and perks. Effective security solutions need to be chosen on the basis of the skilled manpower and time available to operate them. Purchasing an expensive automation tool may seem like an effective way to reduce the workload of security professionals, but if it generates a huge volume of false positives, it will become counterproductive.

Know your workflow - security should be designed into workflow operations from the beginning, just as it should be designed into technological products. When bolted on at a later stage, it inevitably works less smoothly and creates vulnerabilities. There are many variations of security solutions available, from which organisations can look to find the one that best fits their processes and procedures, creating minimal disruption to employees. This is particularly important when choosing an Identity and Access Management (IAM) solution, which requires the involvement of all employees. If the authentication process is too lengthy, users will find ways around it, thus creating a security compromise.

Measure your success - security needs to be continuously measured and assessed. Previously, a one-off penetration test was enough to provide information on the strength of security in place, but the current threat landscape is too dynamic for that to be sufficient. Organisations should aim to adopt tools that allow them not only to measure response times, but also continuously monitor digital assets for vulnerabilities and potential exploits.

To avoid the security budget being wasted, the most important thing IT teams can do is know the business thoroughly and choose solutions that help rather than hinder. Create a plan of action for these tools and solutions to be integrated without disruption, but also be open about the practices in place and understand whether they're truly working.