At Lepide, I chat with quite a lot of customers, and there is a common sentiment that comes up; “we need a bigger security budget.”
I think everyone would agree that addressing the security problems of today requires the allocation of a sensible budget. However, I think that the main challenge is not the amount of money being spent, it is spending that available budget on the right things and in the right way.
Unfortunately, I think there is a lot of money being wasted.
I can see what the executives are thinking…we have spent all this money and we have still got the same problems we have always had! The reality is, you can have the best security solutions in the world and still have problems with security. But some of the most common issues we see can be easily fixed without any money at all!
Good security is all about asking the right questions. It’s about understanding the risks and the gaps. That simply doesn’t happen enough. Simply spending $1 million on a really fancy looking solution isn’t going to do the job.
Prevention is Better than Cure
When I spoke with Dominic Vogel, the founder of Cyber SC, he shared my concerns about the industry as a whole:
“So many security people see security in a very myopic way. So often it becomes about treating the symptoms and refusing to look upstream at the true root causes. A lot of these problems can be solved at the people layer, policy layer and process layer – stuff you don’t have to have expenditure to deal with.
“There’s definitely still this problem in the industry that people believe they need to add something new to the technology stack to be better. That approach, to me, is like whack-a-mole, we’re not solving anything there.
“Let’s look big picture. Let’s look upstream where that original problem is manifesting itself. Prevention is better than the cure.”
Unfortunately, this is very much easier to say than it is to do. In the security world, prevention isn’t very sexy. Certainly not as sexy as detection is. All those fancy solutions that send you real time alerts saying “we’ve detected an insider threat!” are much more tangible and shareable with the board than simply saying we have implemented zero trust to prevent unauthorized data access. Quite often, prevention is a bit boring.
Dominic Vogel agrees, “people view security as a function of IT, ergo the solution to our security problems must be technical. Quite often it’s not, it’s about implementing a process and a policy, like zero trust, might be a bigger part of the solution. Technology is vital to the process, but it’s not the full solution.”
! Buzzword Alert ! The Attack Surface is Increasing
The level of risk that companies are facing on a day to day basis is increasing dramatically, and threats are coming from different places. The rise in remote working and adoption of cloud collaboration tools, like MS Teams, present unique challenges for security teams with regards to maintaining appropriate access rights and spotting threats.
As of the time of writing, we’re also facing global economic challenges that mean budgets are more constrained. Records show that in turbulent economic times, fraud increases, making security absolutely vital. Organizations are going to have to figure out how they can assess their risks and how they can make sure they are choosing the right solution.
Where Data-Centric Security Plays a Part
Ultimately, where do you start? Most companies tend to start with perimeter defences. But why? Most threats nowadays come from within. The only security strategy that works is one that focuses on the data first.
We’ve talked about it so many times now that it’s almost a cliché, but companies still aren’t putting their data at the center of their security strategy.
To do this, you need to know where your most sensitive data is stored, you need to know who is able to access it, you need to know what your users are doing with it, and you need to know what security states in your environment are putting that data at risk.
Once you have visibility, you can make the correct decisions. Now, you can’t get visibility without technology. So, if you have a limited budget for security, the kind of technology you want to implement should be technology that focuses on providing visibility over sensitive data and user behavior. Once you have that visibility over the who, what, when, where questions, you can make better decisions on the access controls and security measures you need to implement.
If you’d like to see what Lepide does in this space, and how using the Lepide Data Security Platform can help you identify the current risks to your security and prevent breaches, schedule a demo with one of our engineers.