Balancing the security budget with managed services
Budgeting for IT has always been an uphill battle, with the boardroom tending to try and cut back on spending whenever possible, despite a driving desire for the competitive advantage strong tech investment brings. This is especially true for cybersecurity, which has always been hobbled by the difficulty in proving its day-to-day value. It’s only when an attempted attack occurs that the value of security investment overtakes the “it won’t happen to us” mentality.
We have finally seen a change in attitude in recent years however, thanks in part to a combination of high profile attacks dominating the headlines. Likewise, the EU General Data Protection Regulation, which will be coming into effect over the next two years, includes fines of up to four per cent of global revenue for companies found wanting after a data breach involving customer data.
Recent research by PwC identified a 24 per cent increase in global spending on cybersecurity over the last year, and we’ve seen clear evidence of increased efforts to detect and prevent attacks. The 2016 Trustwave Global Security Report includes data from breach investigations around the world, and found that 41 per cent were now being discovered internally via companies – more than double the 19 per cent of 2014. This means breaches were discovered by their own efforts, or those of managed security services partners, rather than relying on external factors such as law enforcement or regulatory bodies to uncover them.
Despite this progress however, IT heads will still need to fight to prove the ROI of their requested cyber spending. Simply highlighting the mounting risks of underspending is not enough – cyber strategies need to address these threats in the most cost-effective way possible if they are to pass muster.
Vulnerability scanning and penetration testing are two of the most important elements of good security strategy, enabling businesses to spot potential weaknesses and deal with them before an attack occurs. Being equipped with the capacity to perform in-depth scans on demand also makes a huge difference in a company’s ability to respond when a breach does occur.
Our research found that organisations who detected breaches themselves, either through their own resources or through a managed security services partner, were able to identify and contain breaches much faster than those relying on external factors. The median time from intrusion to discovery for internal detection was just 15 days, compared to 168 for those detected by external sources such as law enforcement or regulatory bodies. Likewise, incidents detected internally were contained in a single day on average, but those discovered externally took an average of 28 days. Every moment a breach goes undetected or uncontained can have huge repercussions on the business and its customers, so speed is essential.
However, effective vulnerability scanning can be very time-intensive. Different assets come with varying values and associated risks – while a low-value asset may only require scanning to identify potential threats, a mission-critical asset needs deeper testing to determine the ramifications of the actual exploitation of its vulnerabilities. When applications, databases and internal and external networks are all considered, this can make an effective operation-wide assessment a costly process. Likewise, real penetration testing requires skilled and experienced practitioners, leading to high overheads.
Managing the cost
As with many other business operations today, a managed service approach is one of the most effective ways of implementing vulnerability scanning without breaking the bank. In particular, managed security testing (MST) is perhaps one of the most reliable ways to deliver the bang for your buck, as it combines vulnerability scanning and penetration testing into a single package.
MST also illustrates how the chaining together of multiple vulnerabilities across multiple assets may clear an attacker’s path to the compromise of systems and data, providing a complete picture of security across the organisation’s systems.
Perhaps more importantly for IT heads facing a C-suite with a firm hand on the company purse strings however, MST also makes budgeting much easier and more flexible. IT security professionals will know they need to run security testing throughout the year, but how often can vary greatly as both threats and the business develop. Enlisting the assistance of a managed security services provider ensures that the skills and resources needed are always accessible on-demand, but allows the expense to be accounted for in a pre-defined budget each quarter.
This makes the financial side of the process much more predictable and transparent, removing a headache for both the security and the financial side. When threat levels are high, or a breach occurs, the last thing anyone in the organisation needs is a last-minute scramble to find the resources to keep the business safe.
About the Author
Lawrence Munro is Director of EMEA & APAC at Trustwave. He is a practiced security specialist with more than eleven years’ experience in IT, nine of them directly focussed on information security and penetration testing. He heads up penetration testing within Trustwave’s elite team of forensic investigators, researchers and ethical hackers, Spiderlabs, as Director for EMEA.
Holding a First-Class degree in Cyber Security and Computer Forensics, Lawrence previously worked as penetration tester specialising in web applications, Red Teaming and social engineering, and has built and grown multiple world-class security consultancy practices for leading firms including KPMG and HP. He was also responsible for building KPMG’s Red Teaming practice and has authored many simulated attack strategies for large enterprises. Lawrence has particular expertise within financial services, having created strategies for top-tier investment and high street banks, integrating their security assessment services into larger risk and threat models.
In his free time, Lawrence is studying part-time at Oxford University and is also regularly involved in the hacking community as a Director of B-Sides London.