Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
Introduction
I am a staunch advocate of the consideration of human behavior in cybersecurity threat mitigation. The discipline of behavioral ecology is a good place to start. This subset of evolutionary biology observes how individuals and groups react to given environmental conditions — including the interplay between people and an environment.
The digital world is also a type of environment that we have all ended up playing in as computing and digital transactions become ever-present in our lives. By understanding this “digital theater,” we can determine a best-fit strategy to produce an effective cybersecurity play that optimizes security budgets.
Why having an effective strategy is important
I’ll offer up an example from nature to show the importance of an effective strategy. You may read this and wonder what it has to do with cybersecurity, but bear with me.
Starlings feed their chicks with leatherjackets and other insect larvae. During nesting season, the starlings work hard finding food and relaying it back and forth to the nest of chicks. If you’ve ever observed any bird during this season, you might have noticed that, by the end of it, they have lost feathers and look pretty beat up. But the sacrifice is important: effective feeding of chicks will produce fledglings that then go on to reproduce. Reproduction is seen as a success in evolutionary terms.
However, starlings are capable of carrying more than one leatherjacket in their beak. The more they can carry, the fewer trips they need to make. Fewer trips mean the parent starling is less likely to fall foul of bad health or predators. However, there is a trade-off. To find the leatherjackets, the starling has to forage. Too many leatherjackets in the beak and it becomes harder to forage. The optimum number of leatherjackets is a trade-off between the number of trips and foraging efficiency.
Any strategy that plays out in the real world is a balance: a trade-off between what seems to be optimal and what is strategically efficient. The starling could try to cram lots of larvae into its beak and this might seem to be a show of capability and a great strategy, but in the end, it would just be a piece of theater.
In evolutionary biology, this balance is known as an Evolutionarily Stable Strategy, or ESS. In nature, this would be a strategy that confers “fitness” so an organism can reproduce at an optimal rate. The concept behind an ESS also applies in cybersecurity, where fitness is also about finding a best-fit strategy for a given environment.
Security, like feeding chicks, is about knowing how to use the right tools for the job in an optimal manner and not just for show. This creates a fine balance that can help optimize a security budget.
Security and trade-offs: A complex equation
Enough of the biology lesson! Back to cybersecurity. The security industry, like most industries, has a culture. This culture has informants: people in your company who influence decisions, and people outside, such as vendors who sell security products. The result can be an overwhelming cascade of information. This can lead to decisions that are based on less-than-optimal input.
Back in 2008, security man extraordinaire Bruce Schneier wrote a treatise entitled “The Psychology of Security”. In this, Bruce talks about how security is a trade-off. He goes on to explain how these trade-offs, which often come down to finding a balance between cost and outcome, are actually much more nuanced. Bruce says that asking "Is this effective against the threat?" is the wrong question to ask. Instead, you should ask "Is it a good trade-off?"
Security teams can be put under enormous pressure to “do the right thing.” An example is the recent ransomware attack on Garmin. If you are being effectively held hostage by malicious software that prevents your business from running, you have to do something and quickly. Garmin is reported to have paid the ransom of $10 million.
But was this a shrewd move? Was the trade-off between business disruption and hope of a decryption key a balanced one? When making that decision, there are multiple considerations. Can the company offset the cost of the ransomware? Will the decryption key end the attack, or have the hackers installed other malware in the company’s IT system?
Security systems, like biological ones, are reliant on making good trade-off decisions to move the needle of security towards your company’s safety.
Back to basics to optimize security trade-offs
Security can be a costly business. Solutions, services and platforms all need to be costed, with maintenance and upgrades factored in. And the choice is astounding. In terms of just startups in the cybersecurity sector, there were around 21,729 at last count. The amount of spending on cloud security tools alone is expected to be around $12.6 billion by 2023.
Getting the balance right is important. An organization must cut through the trees to see the wood. In doing so, it can strike a balance between financial burden and cyber-threat mitigation.
Going back to basics is the starting point. There is little point in putting on a security show with the latest in machine learning-based tech if you misconfigure a crucial element so the data becomes worthless. At this point in history, machines are nothing without their human operators. We have to get back to basics, build a strong strategy and culture of security before layering on the technology.
The basics, human factors and a great security ESS
Weaving this together, we can optimize a security budget through an awareness of strategic security considerations, e.g.:
The basics
The fundamentals of security are covered by several frameworks and general knowledge of Operations Security (OPSEC). Frameworks such as Center for Internet Security (CIS) and NIST-CSF set out basics for a robust cybersecurity approach. These include knowing what assets (both digital and physical) you have and how to control access.
The human factors
Cybercriminals place a focus on using humans to perpetrate a cyberattack. This is inherent in the popular tactics of social engineering, phishing and other human-activated cybercrimes. Employees, non-employees (e.g., contractors), supply chain members and so on all need to be evaluated for risk. These risks can be mitigated using several techniques:
- Security awareness training for all: Teaching the fundamentals of security is an essential tool in a cybersecurity landscape that focuses on human touchpoints. But security awareness needs to be performed effectively. Some training sessions feel more like those old-school lessons that ended up with snoozing students. Modern security awareness is engaging, interactive and often gamified.
- The issue of misconfiguration: It isn’t just employees clicking on a malicious link in a phishing email that is cause for concern. Loss of data due to misconfiguration of IT components cost companies around $5 trillion in 2018 – 2019. Security awareness training needs to extend to system administrators and others who take care of databases, web servers and so on.
- Patch management: As with avoiding misconfiguration, keeping IT systems up to date can be the difference between exposed data and safe data. This process has been complicated by the increase in home working. But this fundamental piece of security hygiene is as vital as it ever was.
Never trust, always verify
The concept of zero-trust security has highlighted the importance of robust identity and access management (IAM). The idea behind this tactic is to always check the identity of any individual or device attempting to access corporate resources. Zero trust defines an architecture that puts data as a central commodity and trust as a rule to determine access rights.
A great security ESS
The Darwinian theory of survival of the fittest is a commonly misunderstood idea. Being “fit” is not about having the best show on earth. A “best fit” is about something being optimized for a given environment. In the natural world, this may mean that an animal has fewer offspring, allowing them to focus resources and giving the offspring a greater chance of survival. In the digital world, the idea of finding an optimal strategy is also vital to survival.
Optimizing how we approach security is about finding the best trade-off between cost and risk. To build better security, an organization cannot rely on security tools alone. Instead, the system that requires protection must be understood as a whole and as a complete environment, one that requires a stable strategy to perform optimally.
Sources
- The Psychology of Security (Part 1), Schneier on Security
- Garmin may have paid hackers ransom, reports suggest, ComputerWeekly.com
- The 20 Best Cybersecurity Startups To Watch In 2020, Forbes
- Cloud Security Spend Set to Reach $12.6B by 2023, DarkReading
- CIS Center for Internet Security, CIS
- Cybersecurity Framework, NIST
- Misconfigurations Report 2020, DivvyCloud