Last Updated on October 20, 2020
There is no shortage of organizations that have spent millions of dollars on information security solutions and still suffer data breaches, stumble over compliance and/or struggle with admin/process challenges. Likewise, there are still many companies with a “security through obscurity” strategy whose luck has somehow held up.
As COVID-19 continues to constrain budgets, every business needs to validate the ROI from its cybersecurity technology stack. Is “time to value” acceptable? Are you using the features you’re paying for? Are “care and feeding” demands offset by risk reduction or other benefits?
Bottom line: is your security investment worth it, especially right now?
On a recent episode of The Virtual CISO Podcast, host John Verry discussed ROI issues with fellow cybersecurity leader Reg Harnish. Reg is founder and CEO of the cyber advisory firm Slingshot Cyberventures, CEO of MSSP OrbitalFire and founder and former CEO of GreyCastle Security.
Reg calls out three widespread issues that hamper many InfoSec programs:
- The noise is deafening.
- Complexity is unmanageable.
- Trust is fleeting.
One: The noise is deafening
What noise is that, and how can teams address it? According to Reg: “The cybersecurity industry, like many other gold rushes before it, has become one of tremendous opportunity, great wealth and riches. And sometimes it didn’t really matter if your solution actually worked.”
Reg continues: “The market has become flooded with providers, manufacturers, vendors… and listen, snake oil, let’s face it. Decision–makers, CISOs and others who are faced with mounting issues caused by the pandemic, now it’s even harder because the sheer volume of solutions or people trying to get your attention is increasing… The industry is not doing buyers a lot of favors right now. I can’t tell you how many organizations I’ve run into where their marketing is better than their product. This creates issues for folks who truly want to commit to a cybersecurity program, and manage risk, and do the right things. It’s hard to even get started.”
John concurs: “I heard something like there were 12,000 different information security products on the market at any point in time, which is nuts. And the other problem you run into is people have a tendency to take a product-centric [versus risk-centric] approach to information security. When you ask them about their security strategy, they rattle off the products that they’re putting together.”
Two: Complexity is unmanageable
Complexity in information security is so common it’s cliche. Overlapping products, none of them fully implemented, result in gaps in coverage.
“Try to put a number on the ROI on any of your cybersecurity technology stack,” Reg challenges. “Often these products are large and complex. They take a long time to deploy. They require lots of care and feeding. And meanwhile you’re just kind of sitting back there saying, “Well, what did I get out of this? Was it worth it to me? Which is really the fundamental question that should be answered in a cybersecurity program—is it worth it?”
“You’ve got to talk about return on investment, and complexity is a major barrier to that,” Reg adds. “Look at a lot of the leading products out there, particularly these massive platforms. Even if you bought it, you’re probably only using 10%. You’re trying to bolt on Product X with Product Y and they don’t work very well together. Meanwhile, you just want to figure out a way to manage risk in the post pandemic world. Complexity is really making that difficult.”
Three: Trust is fleeting
According to Reg, the cybersecurity industry has trust issues: “It’s not just that there’s snake oil on the market. I think there’ve been enough folks who have made investments, done hard work and still failed. So they’re starting to ask themselves, ‘How do I trust this vendor? How do I trust a salesperson?’ Investors are asking themselves, ‘How do I trust my investments?’ I think industry-wide there’s a question mark on our approach.”
John amplifies the point: “I think there’s a big question mark on the industry, our approach, the solutions themselves, how we’re applying them, and what buyers are interested in doing, like how do we change the mindset? I think there’s been a real erosion of trust over the last five years or so.”
Does your cybersecurity program suffer from product complexity, an unfocused approach or a lack of stakeholder trust? For thought leadership on how to address these challenges and maximize the value of security investments, check out this podcast show with Reg Harnish.
To listen to the show in its entirety, and also scope our many other podcast episodes, click here.
If you don’t use Apple Podcasts, you can access all episodes from The Virtual CISO Podcast here.