Successful Cybersecurity Solutions Require More than Tools
I think we can all agree that the number of cybersecurity solutions available today can be overwhelming. It’s difficult for organizations to afford, integrate, and patch myriad cybersecurity solutions. We all know more is not always better, so is adding more tools really increasing your cybersecurity?
As we dig into this issue, let’s look at the data. The Cyber Resilient Organization Report found:
- The average enterprise uses 45 different cybersecurity tools on their network.
- At the same time, an enterprise’s ability to contain an active threat dropped by 13% over the past 5 years.
- Of the 3,400 enterprises surveyed, 74% said when it comes to incident response plans, they have “…no plan, ad-hoc plans, or inconsistency…”
Clearly, the results can be interpreted in many ways. For example, did the ability to contain drop due to an increase in the maturity of the threats? Or maybe we have more complex environments? More and more, organizations are realizing that adding more tools alone does not increase your cybersecurity, as these numbers suggest.
So how DO you improve cybersecurity? I’ve been teaching cybersecurity best practices workshops and courses for years, and I have always taught that creating holistic cybersecurity requires so much more than just tools. Tools alone are not perfect cybersecurity solutions, and tools alone will not solve your cybersecurity challenges. Let’s talk about why.
What do Successful Cybersecurity Solutions Require?
First, I have nothing against tools. Hardware, software, cloud-based – if I could spend the rest of my days setting up and configuring new network, project management, and productivity tools, I’d be happy. (Don’t ask me to do the maintenance phase – I enjoy the setup!)
We have so many great tools to choose from in the cybersecurity space right now, and I encourage you, if you have the budget, to carefully vet and choose those that will be most effective in your environment. There are many benefits from choosing today’s best of breed cybersecurity tools, but most organizations are finding it difficult to support and maintain them all. CIO.com spoke to a number of people in the industry and ask their thoughts on the proliferation of tools. It’s an interesting read. Many share the same concerns about ease of management, integration challenges, staffing expertise to manage the tools, and the ability to get holistic cybersecurity visibility from disparate tools. Make sure you don’t buy tools without having a plan to support, integrate, and maintain them. I’ve worked with too many enterprises who believe that buying tools is all it takes to build successful cybersecurity solutions. It’s not enough—you also need to invest in people, planning, and practice.
Let’s assume that you are looking for endpoint security. You’ve found the perfect tool; the vendor has helped you install it, and you are ready to go. You’re all set, right? Wrong. When the tool alerts on a potential threat, who is going to receive those alerts? Who is going to actually respond to the alerts? What is the schedule that person needs to be available? Is this in addition to other duties or is the new system their only duty? (Don’t answer that last one. I think I already know.) These are all factors you need to consider when designing successful cybersecurity solutions.
The most important part of any monitoring tool is the actual monitoring. If you don’t have people in place to watch those alerts, you may as well have no system at all. (Remember the Target breach?) We worked with a client several years ago who had a malware outbreak on their network infecting 100s of computers. In the process of investigating and containing it, we discovered that they had an Intrusion Prevention System (IPS) on their network that no one knew about. The IPS had been happily alerting on every piece of malware that came in, but the email address the alerts were going to was no longer active because that person had been laid off. In the end, we found 17 types of malware on their network that they could have prevented had they had people in place to monitor the alerts.
People don’t just monitor the system. They also need to “tweak” it. The first few months, in particular, are critical as you learn to recognize what is a false positive and what is meaningful alerting.
Planning and Policies
If a threat turns into an incident, do you have a plan for responding to it? Incident Response (IR) Plans don’t need to be complex. They need to be practical, understandable, and easy to find and follow in the event of an emergency.
At LMG Security, we often help organizations develop their IR plans, frequently as part of larger, holistic cybersecurity solutions. We step in to help organizations who are creating their first plan, and work with clients who already have plans to incorporate best practices. Your IR plan should be a living document that is revisited quarterly to ensure it is up to date with systems, contacts, and step-by-step action plans.
In my 25+ years in technology, the thing that I struggled with the most was documentation. I always had a plan for response, but it was in my brain. It wasn’t written down anywhere, and it wasn’t available to other members of the team. I find the same is true with our clients. If I ask them to tell me the order of priority for restoring critical systems on their network, or what type of data is stored on a specific server, they can tell me. When I ask them to show me where that is documented so that others know that, they cringe.
Documentation, policies, and planning are those things that always seem like they can wait while you handle day-to-day emergencies, until they can’t wait, and then it’s too late. In an industry where job tenure can be short, documented IR plans are a key part of strong cybersecurity solutions. Make time (or we can help you) to create an IR plan, policies around security, and document your infrastructure. Don’t forget to include non-IT personnel in your plan – C-level executives, legal counsel, communications, all have a role to play. You’ll need the plan someday, and you’ll be so glad you took the time. (Read more about cybersecurity BCDR planning.)
Once you have an IR plan, even if it’s only one page long, practice! You don’t want the first run through of your new plan to be in the middle of an active incident. Take time to try it. At LMG Security, we love to run tabletop exercises, a round table discussion where we create a scenario and walk you through your response based on your current plan. We’ll even throw in curve balls to give your team a chance to practice reacting to the unexpected. If this is not in your budget, you can also read our blog about the most crucial tabletop exercises and run them yourself.
The tabletop is an excellent place to discuss and update the plan to ensure it meets your needs. Often, something that made perfect sense on paper does not work in execution. You’ll also find situations or people that you didn’t consider when creating the document. Practice it, update it, and practice it again.
To sum it all up, all the tools in the world will not buy you sound cybersecurity if you don’t have the people, planning and policies, and practice that are integral in strong cybersecurity solutions. If you’re looking for more information, read our blogs on the ABC’s of cybersecurity, creating an effective cybersecurity plan, and growing your cybersecurity maturity.
Contact us if you need help with cybersecurity planning, testing, training, or policy development. Our expert team can help you refine and grow your cybersecurity program.