In the cybersecurity industry, where new “must-have” products frequently hit, companies can be swayed into spending unnecessary money on products that widen their attack surface and deliver minimal value.
Techopedia spoke with Reuven Aronashvili, CEO of CYE, which has served Fortune 1000 organizations for over a decade, about security spending and the benefits of optimization during economic uncertainty.
He is certified by the US Department of Homeland Security as a world-class ICS and SCADA cybersecurity expert and a founding team member of the Israeli Army’s Red Team (Section 21) and Incident Response Team.
Q: The culture of panic-buying is prevalent in the cybersecurity industry. What impact does this have on security leaders and organizations?
A: It’s no secret that many cybersecurity vendors use fear, uncertainty, and doubt (FUD) as selling tactics for their products and services. They create a sense of urgency, leverage “scary” industry statistics about the increase and severity of threats, and often claim their offerings can protect you from “the next big threat.”
Organizations of all sizes and across all industries are susceptible to falling for these marketing tactics. Still, those with minimal security know-how or minimal staffers dedicated to security may be more likely to engage in panic-buying.
Not only can panic-buying waste time and money, but it can also endanger the security of your organization.
Another important consideration becoming more relevant is the changing role of the Chief Information Security Officer (CISO). Over the past year, we’ve seen the CISOs of both Uber and SolarWinds face serious legal consequences, such as fines in the tens of thousands and potential jail time for security incidents at their organizations.
As security leaders are held increasingly responsible for the security goings-on at their companies, it’s critical that when they invest in a product or service, that purchase decision is made based on added value… not panic.
Panic Buying in Cybersecurity is Going to Cost You
Q: What are the consequences of panic-buying in terms of cybersecurity spending, and how can they potentially cost organizations millions?
A: Buying cybersecurity tools in the first place is no cheap endeavor. They can cost hundreds or even thousands of dollars each month. Large organizations have an average of 130 products in their cybersecurity stack, often adding up to a seven-figure spend each year.
When you add panic-buying to that equation, a few more things come into play. Not only do you have the original (likely hefty) sticker price to pay, but when making a decision based on fear rather than merit, you increase the risk that whatever tool you’re purchasing either overlaps with capabilities you already have or doesn’t correctly configure with your current assets.
Those redundancies use up unnecessary funds and resources. Network misconfigurations have been calculated to cost organizations up to 9% of their overall annual revenue.
It’s also important for security leaders to remember that any product they add to their technology stack ultimately expands their attack surface for a bad actor. This doesn’t mean you shouldn’t invest in cybersecurity products—you absolutely should.
It just means security leaders should recognize that they’re potentially opening another door for attackers and ensure that whatever product they’re investing in is worth taking on that risk.
The messaging around “it’s not ‘if’ you will get hacked, but ‘when’” is a cliche for a reason. Security leaders should treat security incidents as inevitabilities and ensure that the tools they’re investing in don’t drastically increase the likelihood or potential impact of an attack.
Q: What challenges do security leaders commonly face when trying to assess the true value of their cybersecurity tools?
A: Knowing where to start is the most common challenge I see security leaders face when trying to assess the value of their cybersecurity tools. Whatever you do, don’t wait until you’ve been hit with an attack to know your tools are misconfigured or subtracting value.
Again, looking inward is the first step in identifying which tools are valuable and which aren’t. If you don’t have full visibility into your security stack, you can’t truly calculate the value of the tools you have now and the tools you’re looking to invest in.
Risk = Likelihood x Impact
Q: What strategies or best practices can organizations use to gain better visibility into their existing cybersecurity tools and calculate their value effectively?
A: There are a multitude of vendors and products on the market that specialize in helping organizations gain a full picture of their cybersecurity assets. There are several free, open-source tools available to help with this visualization and mapping, as well as paid network scanners and cyber security asset management (CSAM) tools.
Yes, there may be additional monetary spend required, but cyber asset management and cyber risk management tools ultimately are the keys to showing you what you have and providing you with the best possible information to secure your tools. They also have the added benefit of providing information that’s critical for CISOs to have when they go to the board for budget requests.
The formula I’ve used and recommended time and again for calculating the value of cybersecurity tools is “Risk = likelihood x impact.”
Likelihood refers to the probability that an attack or cyber incident will take place. A couple of factors you can consider when determining likelihood are the exposure of your assets and the degree of difficulty of an attack.
Determining those factors, in addition to your organizational risk, should be achieved by accurately mapping your attack routes – this goes back to understanding your tools’ cyber relationships to one another and knowing what hackers would prioritize to get the most direct line to your critical business assets.
Once you have likelihood and risk determined, you can solve for value. If your organization has determined that its acceptable risk is $10 million, and the likelihood of an incident or attack is 20%, then the impact of an attack would be $2 million.
As an example, if a company was attempting to calculate the value of a cloud security tool they have in their security stack, they could calculate the value by removing it from their toolset and seeing if the likelihood of an attack increases.
If it were to increase to 30%, resulting in an impact of $3 million, they know the value of that cloud security tool is $1 million. From there, discussions should be had about whether that investment is worth keeping on or if the company can accept an additional $1 million in risk and remove the product from their stack.
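The calculation just described (acceptable risk of $10 million, a 20% likelihood that rises to 30% when the cloud security tool is removed, giving the tool a value of $1 million) carried through as an added worked example in Python. This is not code from the interview or from CYE; the function names, the `StackTool` record and the two extra tools in the sample stack are constructed assumptions for illustration. It generalizes the single calculation to every tool in a stack, ranking them by the risk each one removes, so that tools whose removal changes nothing (redundant) or lowers likelihood (misconfigured) surface at the bottom of the list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StackTool:
    """A tool in the security stack and the incident likelihood the
    organisation measured with that tool removed (constructed sample data)."""
    name: str
    likelihood_without: float  # probability of an incident if this tool is removed


def expected_impact(acceptable_risk: float, likelihood: float) -> float:
    """Risk = likelihood x impact, as stated in the interview: the dollar
    exposure at a given likelihood of an incident, measured against the
    organisation's acceptable risk."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return acceptable_risk * likelihood


def tool_value(acceptable_risk: float, likelihood_with: float,
               likelihood_without: float) -> float:
    """Value of a tool: how much expected impact rises when it is removed.
    Zero means the tool is redundant; negative means it is making things worse."""
    return (expected_impact(acceptable_risk, likelihood_without)
            - expected_impact(acceptable_risk, likelihood_with))


def rank_stack(acceptable_risk: float, baseline_likelihood: float,
               tools: list[StackTool]) -> list[tuple[str, float]]:
    """Return (name, value) pairs from most to least valuable. Tools with a
    value at or below zero are candidates for the 'accept the risk and
    remove it' discussion the interview describes."""
    ranked = [(t.name, tool_value(acceptable_risk, baseline_likelihood, t.likelihood_without))
              for t in tools]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample stack. Only the first entry uses the interview's figures.
SAMPLE_STACK = [
    StackTool("cloud security tool", 0.30),   # interview: likelihood rises to 30% without it
    StackTool("overlapping EDR agent", 0.20), # constructed: removal changes nothing, so it is redundant
    StackTool("legacy web proxy", 0.19),      # constructed: removal lowers likelihood (misconfigured)
]

if __name__ == "__main__":
    for name, value in rank_stack(10_000_000, 0.20, SAMPLE_STACK):
        print(f"{name:25s} {value:>14,.0f}")
```

The likelihood figures are inputs, not outputs: the model assumes the organisation has already mapped its attack routes and can measure (or estimate) how likelihood moves when a tool is taken out, which is the visibility step the interview puts first.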
Optimizing Cybersecurity Spending
Q: How can organizations optimize their security spending during times of economic uncertainty, such as heading into 2024?
A: The one thing I hope security leaders will go into 2024 — and all future years — knowing is that optimizing your security spend doesn’t have to be a guessing game.
My biggest piece of advice for security leaders looking to optimize their budget (especially during a time of financial strain) is to gain full visibility into their cybersecurity stack and validate that the tools they already have are working how they’re supposed to.
The worst that happens is you identify and get rid of tools that aren’t providing the necessary value — thus saving you money — or find gaps that you need to fill and use that audit to justify asking for an additional cybersecurity budget the following fiscal year.
By conducting that audit and looking inward, security leaders will also gain a deeper understanding of what their tools’ cyber relationships are with one another. Mapping those relationships can help security leaders identify which tools have a direct line to their most critical assets and prioritize remediating any gaps that could directly harm those core puzzle pieces of their business.
Q: How do you see the future of cybersecurity spending and optimization evolving?
A: Cybersecurity spending will undoubtedly continue to rise as threat actors become more sophisticated. Gartner predicts that in 2024, end-user spending on security and risk management is projected to total $215 billion, an increase of 14.3% from 2023.
It’s hard to say whether organizations will take up optimization more in the future, but a silver lining to times of economic uncertainty is that it may force optimization to become a first step in the budgeting process, rather than be a last resort.
Security leaders should continue to take into account the changing role of the CISO and the increasingly complicated threat landscape as they look at budgeting and optimization. As emerging technologies like artificial intelligence and quantum computing continue to take a front seat, they should make sure they have the tools—and personnel—required to adequately handle the threats posed by these technologies and strategically invest in products that fill their security gaps based on decisions driven by value-add, rather than panic.
About Reuven Aronashvili
Reuven is a cybersecurity entrepreneur and a national cybersecurity expert. As a founding team member of the Israeli army’s Red Team (Section 21) and Incident Response Team, Reuven is extremely passionate and knowledgeable in all things cybersecurity.
His expertise is in designing and developing innovative security solutions for governments and multinational organizations around the globe.
He is a trusted advisor to executives in leading Fortune 500 companies.
Reuven is also certified by the US Department of Homeland Security as a world-class ICS and SCADA cybersecurity expert.
Reuven completed his Master’s degree in Computer Science from Tel-Aviv University as part of an excellence program during his military service.