Why improving SecOps can save you money
Security operations is a critical element of the enterprise technology environment – but it can sometimes be left behind as organizations focus on adopting the latest technology solutions.
In a year like 2020 where there is so much change in the way work is performed and technology is delivered, security operations (or SecOps) can simply be left to the side – not getting the investment it needs.
SecOps is rarely neglected on purpose – it is more a matter of resources, where organizations small and large put security concerns on the backburner, instead spending funds to invest in new technology, or something else.
But that can be a counter-productive approach, as ignoring or neglecting the threat landscape can turn out far more costly than a modest and sufficient investment in SecOps. In other words, improving your SecOps can save you money – keep reading to find out why.
Content:
1. SECOPS IS BECOMING INCREASINGLY CRITICAL
2. The clue is in the numbers
3. A lack of concern and preparation
4.THE RISKS AND COSTS OF NEGLECTING SECOPS
5. Real-world examples of costly breaches
6. A breakdown of the risks
7. WHAT YOU NEED TO DO TO GET SECOPS RIGHT
8. FIX YOUR SECOPS, SAVE MONEY
SecOps is becoming increasingly critical
Technological improvements carry a range of benefits – new features, higher efficiency, and so forth. Yet technology can be vulnerable to security flaws, and the more an organization relies on technology the more vulnerable it becomes to malevolent actors that try to take advantage of these vulnerabilities.
The clue is in the numbers
It Is not difficult to find evidence that points to an explosion in vulnerabilities. Consider the numbers quoted on the National Vulnerabilities Database. Through the last ten years, the vulnerabilities reported every year has hovered from 4,000 through to 8,000 per year.
But that changed rapidly – and it changed roughly around 2017. That year alone, there was a huge spike in the vulnerabilities that were reported – it reached 14,000. This high level was maintained in subsequent years and in 2020 more than 18,000 reports were made.
Every one of these vast numbers of vulnerabilities can lead to a possible breach. After all, cybersecurity company Imperva suggests that nearly half of the flaws found in software have an exploit that’s available to the public – and available to hackers.
That includes more than 170 vulnerabilities found in the Linux kernel in 2019 alone. It’s not just a matter of statistics: there is a real risk associated with each of these vulnerabilities, even where an exploit is not yet public.
A lack of concern and preparation
It’s clear that IT security issues and vulnerabilities are becoming a larger and larger problem. Take this report, for example, which shows that computer security threats grew fast right through 2020. Organizations can find it difficult to keep up – in part because SecOps is just one more demand on a finite pot of IT resources.
It is also true that for many organizations security risks are invisible risks – the state of cybersecurity only becomes a visible problem once a breach has occurred, and once a visible loss is suffered. It is a dangerous money-saving approach and it comes down to gambling on being lucky enough to avoid getting hacked.
With threat actors increasingly using automation to try and find vulnerable organizations this gamble is ill-advised. Often it is not even a matter of resources, in fact, it is merely that cybersecurity strategies are ignored.
Here is a simple example. The Ponemon Institute found that 60% of the victims of a successful cyberattack were victim because of an avoidable error: failing to patch a known vulnerability which had a perfectly effective patch.
There are several reasons why an organization’s cybersecurity posture can be lacking in key aspects:
-
- Available tools just aren’t used. Mitigating against a large swathe of cyber threats can effectively be accomplished using commonly available tools. From network and application firewalls to automated penetration scanning and live patching. Yet due to a lack of awareness or simply a lack of effort these tools are sometimes not deployed.
- Leadership that is missing in action. Why are widely available, obvious tools not used? Often this is due to missing leadership – where C-level executives simply never push a security-first agenda across the organization. This can sometimes happen because executives see cybersecurity as a remit of the IT department only when, today, SecOps is an organization-wide issue.
- Conflicting priorities. Technology departments can fail in their cybersecurity obligations in part because tech teams are tasked with the availability of IT. Not so much the restriction of IT. In other words, the restrictions implied by IT security efforts can frustrate efforts to roll technology solutions out and to make technology accessible.
- Efforts are not thorough. In all fairness, many organizations make a solid effort to protect against cyber threats, but often cybersecurity activities are simply not thorough enough. Yet All it takes is one small slip for hackers to seize an opportunity. Again, tools including automation can help make a solid effort a thorough effort.
- Cyber-secure culture is missing. One of the key elements of a thorough cybersecurity effort is the mindset of the employees working at the organization. In other words, SecOps becomes far more effective if everyone works together, with the importance of cybersecurity always front and center.
It is not that organizations ignore the threat of cybersecurity, but a lack of resources, clashing priorities, and leadership that’s not sufficiently focused on cybersecurity can all work in concert to mean that SecOps doesn’t get treated with the necessary.
The risks and costs of neglecting SecOps
Some of the reasons outlined above tie in strongly with cost management – and cost management is not an unreasonable priority. But the risks created by neglected SecOps can have very real costs that are much larger than the money saved by trimming SecOps budgets.
From the direct losses realized by a cyberattack through to reputational damage and costs related to failed compliance, the costs of a breach can be huge.
Real-world examples of costly breaches
It is summarized clearly in the 2020 IBM Cost of a Data Breach Report – the company found that the typical cost of a breach is USD 3.86m, while companies typically spend up to 280 days to try and identify and contain a cyberattack.
Before we break down the possible risks and costs of cyber breaches, let’s take a look at some real-world examples that illustrate how organizations can end up spending vast sums to remediate a cyber breach.
First, in 2019, Capital One suffered a cyberattack that involved more than a hundred million Capital One customers. The cost, for Capital One, was estimated to be over USD 100m, and as much as USD 150m.
Another incredibly expensive example involved Yahoo where in 2016 the company had to admit that hackers breached its cyber defenses. This single attack affected more than three billion Yahoo accounts and the data that was stolen ranged from names to birth dates and contact details.
When Verizon later purchased Yahoo the company paid hundreds of millions less than it would have due to the reputational damage done to Yahoo.
Expensive cyberattacks affect companies around the world – another example is British Airways who had to apologize to 500,000 of its flyers when a piece of third-party JavaScript used by the company meant that a hacker could gain illicit access to British Airways’ systems. While the airline had to pay USD 25m in fines, the reputational damage was far greater – including the loss of revenue.
A breakdown of the risks
It is not just a matter of something valuable being stolen in a breach – the risks of a cyber breach go far beyond that. Here are just some of the key problems companies face when they fail to take SecOps seriously enough:
- Immediate costs. Fixing a successful cyber breach can be prohibitively expensive, as we illustrated in the previous section. It is not just the damage to tech resources that must be repaired – an organization’s public profile also requires repair and the costs of doing so can be astronomical.
- Loss of revenue. A poor public image will hit revenue, adding to the loss of revenue experienced during and just after an attack. Over and above any fines or legal consequences, lost revenue can quickly outweigh the cost savings made by trying to minimize SecOps expenditure.
- Compliance and legal risks. Various pieces of legislation act alongside compliance regimes to ensure that organizations keep customer data safe. A cyber breach can lead to severe legal and compliance implications – and, in some cases where regulations are particularly strict, an organization can lose its ability to do business entirely.
One successful breach can all add up to a sum of money that completely exceeds the investment required to run a consistent, complete, and solid cybersecurity operation. Will this breach ever occur? That is a different question – but the risks are nonetheless very real and present.
What you need to do to get SecOps right
First and foremost, trying to save money by cutting cybersecurity budgets is never a good idea. We have comprehensively illustrated how cyber-attacks can be incredibly costly – to the extent that an organization ceases operations.
It is essentially a false economy, a saving that is nothing but an illusion. Good SecOps is not prohibitively expensive, so the most important part is to get the SecOps budget right.
Well-funded SecOps is, of course, both a strategic and a practical matter. Here are a few strategic points you need to get right for cyber-secure operations:
-
- Dedicated teams to operate SecOps. We mentioned earlier that leaving cybersecurity to IT teams can create conflicting objectives. To ensure that cybersecurity and availability never conflict it is worth ensuring that SecOps is ringfenced – if possible, by dedicating a team to cybersecurity alone.
- Red and blue teams. For the most thorough approach to cybersecurity, it is worth considering splitting up the (red) team members that focus on testing and challenging cybersecurity, from the (blue) team members that mount defenses. It is a more robust way to operate SecOps.
- Work with C-level execs. Secure operations are best inspired from the top, by involving senior executives in SecOps you can ensure that the leadership and culture that drives consistent cybersecurity practice propagates from the most senior levels all the way down.
- Get help. The complexity of cybersecurity has grown to the extent that internally resourced expertise is unlikely to cover you in every respect. From external tools right through to cybersecurity consultants, consider investing in external expertise to harden your SecOps.
That said, SecOps is not just about strategy. SecOps is essentially a practical matter, and we suggest you direct funding to ensure that you tick the following SecOps tick boxes:
-
- Effective management. Understanding what technology is deployed and managing it effectively is a key SecOps goal – catalog your IT estate and build an understanding of where the potential risks are.
- Invest in a SOC. A security operations center (SOC) is an addition to your security team that helps you monitor and react to cyber threats – harnessing real-time information and visualization tools to detect threats. Tight SecOps should keep many attackers out but flagging an attack in progress is just as important – the faster you detect an intruder, the less chance you will suffer any losses of real consequence.
- Resource your efforts. Whether it is headcount or investing in security applications, your SecOps will only perform well if your organization puts enough cash behind it. A relatively modest investment in practical, day-to-day resources can keep away extremely costly breaches in the future.
- Consistency in process and policy. Concerning leadership and cyber-secure culture, consistency in an organization’s processes and policies is another key, practical step, as consistency eliminates windows of opportunities.
- Patching continuously. Finally, one of the most important practical aspects of SecOps is consistent, continuous patching that ensures that vulnerabilities are closed as soon as they are discovered. Live, automated patching where possible will help with patching continuity – and free up IT team resources for other purposes.
These strategic and practical measures will boost your SecOps – without breaking the bank.
Fix your SecOps, save money
It sounds like a strange argument at first. After all, boosting cybersecurity operations will require a lift in expenditure. However, we have made it clear how security risks can turn into very costly breaches.
There is a chance that your organization never suffers from cybercrime, but that chance is increasingly slim if your organization does not run fit, optimal SecOps. Instead, spending too little on cybersecurity increases your risk so much that chances are your organization will spend more cleaning up a cyber breach than it ever would have spent on SecOps.
So, allocate the funds you need to and use all the cybersecurity tools at your disposal – from leadership and culture to software tools such as vulnerability scanners and live, automated patching.