How can organisations stay focused on their roadmaps in the face of rapid technological change resulting in an increase in cyberattacks? 

Adarma, an independent leader in detection and response services, published a report titled, A False Sense of Cybersecurity: How Feeling Safe Can Sabotage Your Business. The report examines critical aspects of security operations like confidence levels, ‘tool sprawl’, the use of AI and the productivity and well-being of security teams. 

Based on a survey of 500 cybersecurity professionals from UK organisations with over 2,000 employees, Adarma found that 95% of UK enterprises are ‘very confident’ (53%) or ‘somewhat confident’ (42%) that they do not have gaps in their security controls coverage. Yet, two-thirds (68%) have fallen victim to a cyberattack in the last two years. 

One possible reason for this disconnect could be the belief that having more security tools leads to better protection for the organisation. The research indicated that confidence levels tended to rise alongside the number of security tools used, as did the chances of experiencing a security breach. 

Commenting on the report, Scott McElney, CISO of the Weir Group, cautioned against the assumption that more tooling leads to enhanced security, noting that “adding more tools may increase risk due to the complexities involved in managing them and the requisite skills needed to configure and optimise them.”

The UK Government’s 2023 cybersecurity sectoral analysis reveals that there are currently 1,979 firms offering cybersecurity products and services in the country. However, 61% of respondents find this fragmented technology landscape hinders their ability to improve their security capabilities and performance. As a result, 80% are currently consolidating their security technology or plan to do so and an additional 18% acknowledge the need to reduce their tooling. 

“Unfortunately, the proliferation of cybersecurity products and services has misled many into believing that they are the cure-all to our cybersecurity woes; in fact, it has introduced more complexity and confusion. More tools do not guarantee protection if they are not properly configured and talking to each other or, for example, if organisations don’t have the expertise to manage incoming alerts appropriately. Ultimately, technology is only as good as the people who are deploying, integrating and optimising it,” said John Maynard, Adarma’s CEO.  

“By consolidating the tech stack, organisations stand to gain greater visibility over their application estate, allowing for more effective resourcing, more centralised competencies and reduced digital fragmentation. But again, successfully making that transition without compromising the organisation’s cyber-resilience comes down to having the right people with the know-how,” Maynard concluded.  

Organisations encounter various difficulties when attempting to consolidate their technology stack. According to the survey, 45% struggle with implementation due to its complexity and the need for expertise. Another 43% mention the difficulty in optimising and utilising technology to its fullest potential. Additionally, 40% express concern about becoming dependent on a single vendor. 

Adarma recommends that organisations adopt a comprehensive approach to security by considering the complete security technology life cycle, as well as the required individuals and procedures for integration, configuration and optimisation.  

Mortada Ayad, Director – Sales Engineering, Delinea 

Just like companies put a lot of effort into devising sound plans and a detailed roadmap to achieve success, they should also spend time conducting a detailed assessment to understand their specific cyber-risks, pinpointing vulnerabilities and deciding the level of investments, based on their risk tolerance. Most importantly, they should consider their cybersecurity efforts as building blocks of their business roadmap, instead of something separate.   

While cybersecurity teams have a primary role in protecting the company, minimising risks and thwarting increasingly sophisticated cyberattack techniques, most companies in the region do not recognise the value they can provide at a more strategic level as business enablers.   

This misalignment has several consequences. On one side, it perpetuates the misconception that cybersecurity is nice to have, but funding can be moved to other areas of the business if needed. From research we conducted earlier this year, we know that in the UAE and KSA region the disconnect contributed to 42% of delayed investments, 41% of late strategic decisions and a 33% unnecessary increase in spending. But, most importantly, it caused a 28% spike in the number of successful cyberattacks.

On the other hand, it prevents the company from leveraging the entire potential of its personnel and having a complete vision of what is possible and feasible when it comes to delivering on the roadmap. For example, thanks to their technical knowledge and expertise, the cybersecurity teams could provide valuable support in increasing internal efficiency, ensuring critical systems are always available and continuously aligned and compliant with legislation requirements, and supporting innovation, such as new product development efforts. Moreover, with a closer alignment with the business goals, it would be easier to identify possible cybersecurity pitfalls in the roadmap and intervene earlier with less impact on the business.   

Closer alignment requires a change of perspectives, and company and cybersecurity leaders can facilitate it in several ways, such as running cross-department outcome-based meetings, developing skills or revisiting the reporting structure of the security teams. The way cybersecurity programmes are evaluated should also change, adding business metrics like risk management, compliance levels and Business Continuity metrics to the technical and activity-based ones used today.

Unlocking the cybersecurity team’s potential is among the most effective strategies to protect the business and make it flourish.  

Vibin Shaju, VP Solutions Engineering EMEA, Trellix 

We must remember that cybersecurity and Digital Transformation are not mutually exclusive. Security teams must realise that the business needs to be agile in order to respond to customer needs, competitors or macro-economic factors. But at the same time, business leaders must recognise the risk inherent in rapid change and heed the security team’s warnings when it comes to threats that the organisation must face.  

The implication of this for organisations looking to stay focused on their roadmaps is that they should look outward, not just at consumers but at the threat landscape. And they should also consider looking inward, not just at products, services and operations, but at the potential risks of each. If you create something or change something that introduces a security flaw and that flaw is exploited to inflict damage, then how much value was really added? Staying with the roadmap can be paradoxically self-defeating without strong cybersecurity practices baked in.

Start with the basics: strong password policies, Multi-Factor Authentication (MFA), software management, network and endpoint monitoring and protection, and user access control. Be sure to enact the latest versions of these practices, as they have matured over the years, to match changes in IT suites and the threat landscape. With this strong foundation, organisations will find it easier to adapt to the escalations in volume and sophistication that cybercriminals are throwing at us right now. And they should be able to integrate modern approaches in the security industry that seek to address new behaviours among our adversaries. 

What enterprises cannot do is accept their current security postures. Point solutions have stacked up over decades, creating a security suite that bombards analysts with red flags that often lead to dead ends and false alarms. Security teams are suffering from this alert fatigue, becoming jaded and demoralised so that when a genuine threat arrives, they cannot operate effectively. The answer is a unification of tools into a single pane of knowledge and response where threats are accurately visible, prioritised and remediated. These are the attributes of an XDR platform which is why it isn’t surprising that in Trellix’s recent Mind of the CISO research, 56% of organisations across the UAE and KSA stated that they already have XDR as part of their security strategy. 

The digitisation roadmap has recently included cloud adoption for almost every business. In focusing on the roadmap, businesses should give due attention to the shared responsibility model. And they should find ways to integrate service providers into risk management rather than opting for sweeping technology overhaul. Defences should fit the operating model and infuse the latest threat intelligence so that an organisation, with strong fundamentals and risk management behind it, can get on with the business of business and have confidence in its threat posture. 

David Boast, General Manager – UAE, Endava 

The businesses that are most disrupted by cyberattacks are those that opt for a reactive, rather than a proactive approach to security. Akin to insurance, these organisations struggle to justify security investments and consequently delay making these until it’s too late. At this point, their IT teams are in the eye of the storm and are forced to shelve all other initiatives. Innovation understandably takes a back seat until the impact is contained and regular services restored. And because full recovery is never guaranteed, there is no set precedent for how long innovation could be sidetracked.  

The far more sensible approach is to accept that cyberattacks are inevitable. Organisations should ‘shift-left’ – embedding security into every process, architecture and system from the onset. Making security a foundational aspect of the IT paradigm not only eliminates the inefficiencies, stresses and other shortcomings of the retroactive approach, it allows systems to be designed with usability in mind – whether for the operators of the system or the end customers. This largely eliminates friction, which can cause even the most well-intended measures to be circumvented and rendered redundant. The use of DevSecOps allows for this and ensures it is factored in throughout the whole product delivery life cycle.

Since even the best security infrastructures can be penetrated, the key to understanding how much the organisation should invest in shoring up its defences is to assess the potential cost of successful attacks and weigh that against the cost of the investment to protect. This is ultimately a gamble that will differ from company to company and vary depending on the services being offered. 

Embedding security into every system isn’t a finish line either. As attacks are constantly evolving, so too must defences. Systems must be consistently and rigorously tested. Fortunately, CIOs today have a number of powerful AI and automation tools at their disposal. These allow issues to be detected before they are exploited, while advanced monitoring ensures events are rapidly identified and the appropriate alerts are raised. The more scenario planning and simulations organisations run, the better prepared they will be when attacks inevitably occur.  

And since attacks are an inevitability, we all need to stay alert. With AI now being used as an attack tool, and as I write this, the advent of Quantum Computing on the horizon, the speed at which threat actors will be able to develop and modify their attacks will only increase with time. Firms need to invest in understanding the emerging threats that new technologies will bring. They need to be horizon scanning for these threats and making sure they have an appropriate risk mitigation strategy to avoid their CEOs being front page news for the next security breach. 

On the bright side, if organisations are able to pivot their approach and build in security by default, they can confidently embrace the latest technology paradigms and accelerate forward with their Digital Transformation. It can even become a unique selling point to their customers and internal stakeholders, differentiating them in the market as an organisation that takes security seriously. 
