Originally Posted by Forbes – via forbes.com – November 19, 2020
CEO & Co-Founder of CyCognito. Offensive security expert. Empowering organizations to find and eliminate the paths attackers easily exploit.
Around this time of year, many companies begin their process of reviewing and assessing short- and long-range plans and setting budgets for the coming year. Even for companies whose fiscal year is different from the calendar year, the last several months of the year have traditionally provided some time for reflection, where a natural question to ask is: How effective is our security spending? Some related but far less common questions are: Where are we not spending, but should be? What is unaddressed or at risk?
In many ways, huge security budgets can be justified given the enormity of threats and the severity of the consequences of not fully protecting an organization from motivated attackers. Of course, budgets and teams are finite, and more spend doesn’t always result in more security. Spending more also doesn’t necessarily mean you’ve spent enough in the right places. Take a few minutes looking at news stories of security breaches, and it’s obvious that they occur at organizations with very large security budgets.
Success is not determined by the total amount spent, but by how the budget is allotted, which raises the question: Given our current security posture, what investments give us the greatest leverage? It’s easy to fall into an arms-race mentality where everything already in place to secure the organization needs to be maintained or advanced, and little funding is devoted to other areas. This kind of trap may seem to be an obvious case of shortsightedness. At a 10,000-foot level it is easy to see the flaws, but organizations rarely soar to such elevations for a big-picture assessment.
Sometimes when it comes to budgeting, the thinking and planning become compartmentalized. Cybersecurity budget owners naturally think in terms of how the solutions, policies and procedures in place today came to be originally, how they have steadily evolved and where they need to go next. This kind of incremental progression — the continual improvement of existing security measures — helps justify not upsetting the proverbial apple cart, but it often constrains the budgeting focus to what is already in place. While focus is good in general, you run the risk of succeeding at continuous, incremental improvements while getting blindsided by unseen security weaknesses that developed in the shadows over time.
In other words, budgetary thinking is often driven from the inside out, from the viewpoint of defenders who think in terms of incremental, bottom-up improvements, and not from the perspective of would-be attackers, who have a risk-reward orientation. Organizations may expand their budget review process and decision-making criteria with considerations of possible CAPEX and OPEX savings, how to deal with limited headcount and ROI improvements, and they tend to evaluate new solutions only through the narrow lens of what those solutions might replace. Those are all considerations that might modify existing security, but they don’t prompt organizations to consider doing something substantially different.
As a result, organizations should ask: What am I not addressing? Some budgeting and evaluation should be done from the viewpoint of an attacker and how they look for your blind spots, which are the paths of least resistance into your organization. For example, an asset or element that is generally unknown to the security group — and maybe even the IT team — would be a blind spot that remains unmonitored and unprotected. “Unknowns” in this context are the assets and risks in your extended IT ecosystem of which you are unaware, including web applications, remote access servers and VPNs, software development platforms, etc., that you do not own or directly manage, but which are connected to your organization. Cloud, partner and subsidiary environments are common places to find such unknowns.
In today’s fast-paced, dynamic organizations, it is easy to see how such things could exist. While most security leaders and CSOs would admit that the prospect of being blindsided keeps them up at night, very little security planning and budgeting is allocated to addressing that deficiency. More specifically, most budgeted security solutions are designed to monitor and protect known users, systems, applications and infrastructure. Very little budget is devoted to monitoring and protecting what is unknown. Even the budget spent on security testing, vulnerability assessments and asset management services or procedures revolves around what is known. Because so little is invested in finding and testing the unknowns, those assets are usually the main targets for attackers.
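The "unknowns" of the previous two paragraphs can be made concrete as an inventory reconciliation: whatever external discovery attributes to the organization but the security team's asset list does not contain. The following is an added example, not code from the article or from CyCognito; every hostname, address range, environment label and service weighting in it is constructed sample data, and the risk ordering simply follows the asset types the text singles out (remote access, developer platforms).

```python
"""Reconcile a known-asset inventory against externally observed assets.

Added example: models the article's 'unknowns' as the set difference between
what the security team inventories and what is externally attributable to the
organization, then tags each gap with the environment it sits in.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    host: str
    ip: str
    service: str  # e.g. "vpn", "git", "ssh", "web"


# Constructed: hosts the security/IT teams know about (think CMDB export).
KNOWN_HOSTS = {"www.example.com", "vpn.example.com", "mail.example.com"}

# Constructed: ranges belonging to environments the org does not directly manage.
ENVIRONMENTS = {
    "cloud": [ipaddress.ip_network("203.0.113.0/24")],
    "subsidiary": [ipaddress.ip_network("198.51.100.0/25")],
    "partner": [ipaddress.ip_network("198.51.100.128/25")],
}

# Constructed: what external discovery (DNS, certificates, cloud listings) tied to the org.
OBSERVED = [
    Observed("www.example.com", "192.0.2.10", "web"),
    Observed("vpn.example.com", "192.0.2.20", "vpn"),
    Observed("legacy-vpn.example.com", "198.51.100.7", "vpn"),
    Observed("gitlab.dev.example.com", "203.0.113.45", "git"),
    Observed("sftp.vendor-link.example", "198.51.100.200", "ssh"),
    Observed("test.example.com", "192.0.2.99", "web"),
]

# Constructed weighting: remote access and developer platforms reviewed first.
SERVICE_RISK = {"vpn": 3, "git": 3, "ssh": 2, "web": 1}


def classify(ip: str) -> str:
    """Name the environment an address falls in, or 'unattributed' if none match."""
    addr = ipaddress.ip_address(ip)
    for env, nets in ENVIRONMENTS.items():
        if any(addr in net for net in nets):
            return env
    return "unattributed"


def find_unknowns(observed, known_hosts):
    """Observed assets missing from the inventory, highest service risk first (stable sort)."""
    unknowns = [o for o in observed if o.host not in known_hosts]
    return sorted(unknowns, key=lambda o: -SERVICE_RISK.get(o.service, 0))


def report(observed=OBSERVED, known_hosts=KNOWN_HOSTS):
    """Rows of (host, environment, service) for every unknown, ready for budget review."""
    return [(o.host, classify(o.ip), o.service) for o in find_unknowns(observed, known_hosts)]
```

Running `report()` on the constructed data surfaces four hosts absent from the inventory, one each in a subsidiary, cloud and partner range plus one unattributed host, which is exactly the blind-spot list the article argues should be funded.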
Practices, solutions and services for uncovering previously unknown and unprotected assets, especially those that extend an organization’s attack surface and add risk, should be added to reviews of short-term and long-term security plans and budgets. Organizations need to conduct some of their security evaluation, planning and budgeting from the vantage point of a would-be attacker. Most, if not all, evaluation, planning and budgeting is done from the organization’s own perspective, which is generally an inside-out view of the world. The reverse, outside-in view is critical to ensure that security leaders avoid a myopia that will inevitably prove disastrous.