Why enterprise-level security has fundamentally flawed thinking

Feb. 7, 2020
In an age where cybersecurity is more important than ever, organizations are spending too much money on security systems with impressive names but unimpressive results

If you lived in Venice, you probably wouldn’t buy a super-yacht to use as a simple canal boat. It would be too big and cumbersome for navigating the narrow canals. It would be an even worse idea if you didn’t know how to drive one in the first place.

Yet despite this logic, hundreds of enterprise-level organizations spend enormous sums of money on security systems that they don’t know how to use and that don’t fit into their business environment. This thinking is fundamentally flawed and needs to change.

Granted, many of these security systems are great products. Sometimes they’re some of the best on the market. This is what attracts organizations to buy them in droves. But despite being great products, the full capability of these systems is hardly even utilized.

This is often down to a combination of poor knowledge of these systems’ full capabilities and a failure to comprehend just how much work it is going to take to implement these systems and keep them running.

Flaws in Implementation

When purchasing any big-name cybersecurity system, particularly those that come with mandatory hardware, enterprises must understand that these systems aren’t easy to implement.

This is because they require business-wide coordination and highly-advanced, often uncommon skill sets to be implemented and used correctly. This is something that takes far longer than a few days and can require the hiring of on-site experts.

Building out use cases, updating the technology in your company, and getting it ready to face potential risks all take a lot of time and skill - likely weeks or months. This is why, on top of any security system’s price tag, there’s also the cost and time associated with the maintenance and ongoing running of the system.

After all, you wouldn’t buy a smart surveillance system for a business and then leave it entirely unmanned, unreliably powered, and with the footage poorly stored. All of these elements would add to the initial cost.

The skill sets of your team have to be fully assessed. This is essential for making sure your security system is configured not just so that it’s online, but so that it’s optimized to make full use of its abilities. This, again, is not easy and isn’t solved by buying a well-known product.

Without taking the time to fully understand the breadth of your team's abilities, you may find that even a team of experienced veterans may be out of their depth when confronted with your new technology, or have never worked on an implementation of this scale.

Likewise, if a security product isn’t 100% compatible with your core business systems - whether that’s your cloud, your phones, or your operating systems - then you will find yourself subject to countless inefficiencies.

Technologies like behavioral analytics, endpoint detection and response (EDR), AI-driven solutions, deception technologies, and even high-end surveillance all fall prey to these mistakes. 

EDR solutions are common in large enterprises, but only a small number are making use of managed detection and response. The rest are bypassing deeper investigations and collecting events on the EDR, akin to having access control that isn’t fully connected to an enterprise’s network. Some companies are even beginning to pay in secure cryptocurrencies and blockchain-based assets, which are still not totally understood by businesses.

The technology might sound amazing when it comes to detecting and eradicating threats, but if your security team is under-resourced then they will be unable to maintain or operate it properly. You’ll be purchasing a system that is destined to be a waste of money.

No Security Framework

Enterprises that do not have complete business justification for buying a security solution fall victim to these kinds of errors all the time. They may have identified an immediate need, or they may be seduced by the idea of having a “magic pill” for keeping them protected, but they never actually did the groundwork of finding out if that product was viable for their business ecosystem.

Ensuring your enterprise is protected means you must absolutely adopt effective practices, such as utilizing security controls like firewalls to keep undesired files from breaching your network and an enterprise-level VPN service to create an encrypted tunnel for IP traffic to flow through.

But it also means you will need a business partner or in-house team that can review threats and take immediate action. Without this, your system is lifeless. And to get full value out of any security system - whether cyber or physical - enterprise-level organizations should always start by putting together a framework to guide their implementation process. In cybersecurity, this is referred to as a security maturity framework.

This helps your organization understand where its ability to defend against common cyberattacks stands. It assesses strengths and weaknesses and provides you with a clear development path. You want to start by taking a look at your risk tolerance - the lower it is, the more you will need to mature your security.

Although this framework sees the most use in cybersecurity, it’s something that has essentially seen use across security in general. For example, many enterprises have long since migrated their video surveillance systems from VHS CCTV to more reliable IoT-based systems. This is an intelligent response to improved technologies that also bring with them more effective security threats.

By building a strong framework you can allow your business to accurately assess its needs and capabilities while assessing the realities of the threats in the market. This is increasingly effective when there is a baseline model of proven security in your industry. Having access to a framework allows you to avoid the flawed thinking of enterprises that purchase huge but ultimately ineffective systems.

A Poorly Thought Out Solution is No Solution at All

In closing, the flaw in enterprise thinking is that it is looking for a solution without understanding itself or the problem it is facing.

As long as enterprises fail to understand the capabilities of their business, the ecosystem in which any security system will thrive (or flounder), and the nature of the threats their business is likely to face, they will continue to waste their budget on security systems with impressive names and price tags, but unimpressive results.

About the Author:

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.