January 18, 2023

Last Updated on January 16, 2024

Efficiency is extra critical when you need to squeeze every dollar. But when it comes to cybersecurity, many orgs aren’t getting all they’re paying for from their current security investments.

 

To share his unique viewpoint as a CISO, industry leader and cybersecurity business owner on managing security in an economic downturn, John Verry, Pivot Point Security CISO and Managing Partner, recently recorded a special “solo” episode of The Virtual CISO Podcast to brief SMB security leaders.

Doing more with more

When it comes to security investments, many orgs lose value by not turning on or leveraging useful features in the tools they’re paying for. Many firms also hamper their progress by using security tools ineffectively or improperly, even to the point of creating vulnerabilities.

For example, many SMBs start getting solid value quickly from cloud-based security information management (SIM) tools. But if you don’t invest resources in updating the SIM as your environment constantly changes, that value will erode and holes will open up in your controls, under cover of a false sense of security.

 

Another example of “doing more with more” is taking full advantage of all the cool security capabilities you get with Microsoft 365, like Microsoft Defender Antivirus, Microsoft Defender for Endpoint, multifactor authentication and more.

 

Yet, says John, “It would be a rare occurrence that we would work with a client that has most of that technology deployed optimally. In fact, very often they’ve got other [tools] deployed [that do the same things].”

 

In other words, a lot of SMBs are failing to use the security tools they’re paying for and wasting money on redundant technology at the same time.

 

A cautionary tale

John relates a story from a client engagement with a government agency, which sought a penetration test for attestation purposes. The agency was confident that their environment would pass with flying colors, because they ran vulnerability scans weekly. But testers devastated their assets in minutes.

 

How could this be? It came down to “user error.” Whoever had configured the scanner had checked “fast scanning” because, hey, fast is good, right? But that setting scanned only the standard ports. Meanwhile, many services that had been intentionally configured, for security reasons, to run on non-standard ports had been highly vulnerable for a considerable time.
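A gap like this one can be caught by comparing the ports a scan policy covers with the ports your assets actually listen on. The sketch below is an added example, not something from the podcast or from Pivot Point Security; the policy string, host names and `ss -Htln` listener output are constructed sample data.

```python
# Constructed sample data (assumptions): a "fast scan" style policy limited to
# common ports, and per-host listener lists as printed by `ss -Htln`.
SCAN_POLICY_PORTS = "1-1024,1433,3306,3389"
LISTENERS = {
    "app01": """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22022 0.0.0.0:*
LISTEN 0 100 [::]:8443 [::]:*""",
    "db01": """LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 151 0.0.0.0:33060 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*""",
}


def parse_port_spec(spec):
    """Expand '1-1024,3389' into a set of ints, rejecting bad ranges."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def listening_ports(ss_output):
    """Return ports reachable from the network (loopback-only binds skipped)."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue
        ports.add(int(port))
    return ports


def coverage_gaps(policy_spec, listeners):
    """Map host -> sorted listening ports the scan policy never probes."""
    scanned = parse_port_spec(policy_spec)
    gaps = {h: sorted(listening_ports(o) - scanned) for h, o in listeners.items()}
    return {h: p for h, p in gaps.items() if p}


if __name__ == "__main__":
    for host, ports in coverage_gaps(SCAN_POLICY_PORTS, LISTENERS).items():
        print(f"{host}: listening but never scanned -> {ports}")
```

Any host that shows up in the result has a network-facing service the weekly scan never examines, so a clean scan report says nothing about it.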

 

What’s next?

Do you have a “security strategy” that looks great on paper but isn’t quite happening in the real world? This post can help: Operationalizing Your Information Security Strategy