Cybersecurity budgets are increasing, as are the cost of data breaches

Every year more organizations become subject to new or updated regulations. As a result, regulatory compliance has become a major driver of security investment. However, mandatory compliance can be a double-edged sword. We expect the mandated controls to improve the overall security posture of an organization. But is this just a checkbox exercise or are programs truly formalized and effectively managed?

In a recent example, a manufacturing organization wanted to run a code scan against a custom-built application on an annual basis to meet a compliance requirement. While the investment in application testing is a move in the right direction, integrating and automating testing in the DevOps pipeline would both satisfy the requirement and create a much more effective approach. However, like many businesses, the company’s leadership only approved enough budget to meet the minimum compliance obligations, believing that if they are compliant, they are secure.

This is a common theme. Organizations are motivated to meet regulatory compliance requirements, but these requirements are meant to be the minimum security standard for a foundational cybersecurity capability.

A comprehensive, multi-layered approach is critical, and organizations must question whether the minimum standard is acceptable. Attackers are becoming more advanced and innovative, and with compliance requirements and updates lagging, criminals are finding new ways to exploit systems.

Gartner analysts state that the cybersecurity market was worth $173 billion globally in 2020 and will grow to almost $270 billion by 2026. Significant capital is being invested into cybersecurity technology and services, allowing customers have their pick of security solutions. With that choice comes the process of determining which product is the right fit for your organization based on your unique threat profile and cybersecurity strategy. But rather than making things easier, this multitude of choices can actually make your organization’s situation more overwhelming and complex.

A BDO client was recently inundated on a daily basis with cold calls, LinkedIn messages, marketing emails, and meeting requests from a plethora of security vendors. He said: “I have a small security team running lean; we don’t have the luxury of being experts in every field. We just don’t know how one solution stacks up against another, other than to make a decision based on the vendor who has the best marketing material.”

Unfortunately, this client had the misfortune of being the target of a major distributed denial of service attack which crippled their ecommerce and B2B sales capability. When asked why he chose that specific product he said: “Their sales team was nice, and they did a great job of building a relationship with my team and our executives. I think their solution is great, but I think we may have bought into the marketing a bit too much and lost sight of our objective and whether the solution truly fit our profile.”

With an ever-growing and profitable cybersecurity marketplace, wading through the sea of vendors, tools, solutions, and products is an immense task. It makes choosing the right solution to solve your organization’s specific security problems more challenging.

While 2023 has seen vacancies and layoffs in the tech industry, the demand for cybersecurity talent continues to be greater than the available supply. Organizations are still struggling to employ and retain qualified and capable cybersecurity professionals.

A BDO client in the retail space explained their cyber hiring struggle: “We’ve been trying to hire a competent cybersecurity leader for some time now but have been coming up short. The impact of not having someone to lead the charge is highlighting our lack of direction and the ability to make the right choices and investments. We have money to spend and don’t know how to spend it the right way.”

Without adequate and knowledgeable oversight, organizations who do not dedicate resources to cybersecurity are at a higher risk of having business operations disrupted by a cyber-related issue or misconfigured security controls.

Many organizations may be unsure about steps they need to take to increase their security posture. Between the overlap and contradictory priorities set by various industry frameworks, compliance sets, trend updates, and marketing, they feel like they’re playing a game of cybersecurity ‘whack-a-mole.’ Many try to invest their budget into every capability without knowing how the pieces fit or if they’re getting value from the spend to mitigate risk based on their specific threat profile.

Organizations often focus on threat detection rather than threat prevention when deciding where to allocate their budget. This constantly puts over-extended security teams in response mode and leaves a lack of clarity around current security exposures.

A software service provider shared their experience with budget allocation towards their cybersecurity strategy. The organization had purchased a major anti-malware solution on a C$1.2 million per year subscription. A few months later, their flagship web application fell victim to a software supply chain attack.

They explained: “Because we spent so much of our budget on the anti-malware solution, a decision was made to move our code testing initiative to the following fiscal year and only run one penetration test this year to save budget. I had a hard time explaining to my CEO how the anti-malware solution doesn’t help us against these types of attacks. He told me that he was under the impression that with this solution, all our cybersecurity problems were solved.”

Neglecting security testing and vulnerability identification is alarmingly common. Detecting cyber attacks is good, however avoiding the vulnerability which enabled the attack is better. Application security software testing, penetration testing, red teaming, and vulnerability management are all important programs which are rarely utilized to their full potential. Although budgets are increasing, responsible spending is still critical. It is imperative to implement a sound financial plan which enables your cybersecurity program to shore up defences where potential exposures can exist.

Threat modelling is the process of understanding, prioritizing, and addressing risks. As humans, we perform some level of threat modelling every day when we leave our homes, drive our cars, or walk our dogs. We evaluate threats and employ controls to mitigate these risks such as locking our doors to reduce the risk of a break in, driving slower to reduce the risk of getting into a car accident, and dressing appropriately for the weather conditions.

Like humans, each organization is unique. Your business has specific goals, requirements, processes, and technologies. Assessing your risk profile based on a generic framework alone will not accurately illustrate the reality of your cybersecurity posture.

Our BDO team looks to understand your exposures and potential attack paths, allowing us to develop the custom control sets and strategies required to adequately lower risk and mitigate threats. This tailored strategy allows for a practical and cost-effective security posture, providing you exactly what you need to defend your organization.

You’ve purchased security tools, implemented processes, and built an application that your developers say is secure. But how do you confirm your security investments are working as expected?

Security testing allows you to identify strengths and potential gaps from the attacker's perspective. Performing red teaming with BDO’s Offensive Security group allows you to observe the flattened, ‘sum-of-all-controls’ security posture. These real-world scenarios can clarify questions such as:

• When an attacker targets your organization, which controls are effective?
• What is the notification process of a breach? What alerts are generated, who is notified, and how are the alerts actioned?
• Are there controls that thwart attempts to modify or exfiltrate critical data?
• Which systems were patched efficiently and which systems lack the ability to defend themselves?

Testing custom-built applications and networks is incredibly important. These are systems that are unique and tailored to your environment. Which means there isn’t a pre-built strategy with the security fixes and controls needed to protect your configuration. BDO’s DevSecOps program delivers a custom testing suite integrated and automated into your development pipeline, offering some key advantages, such as:

• Allowing your development teams to deliver secure software at the speed of the business and deliver it with confidence through testing automation.
• Increased collaboration and communication between development, operations, and security teams.
• Ensuring that security is built into software from the outset by helping to identify and address security issues earlier in the software development life cycle.

Security tools and control sets come in an infinite number of sizes and capabilities. Once upon a time, there was the concept of buying ‘best-of-breed’ but we now live in the generation of ‘best fit.’ To maintain productivity and mitigate the cyber talent crisis, your technology control stack needs to be easy to use and operate and allow your cyber operators to prioritize their time with important decisions rather than menial tasks. Therefore, the ‘best-fit’ for your organization is likely one that is unified and efficient.

What does this actually look like? Consider the following scenario, in which a company may implement the following “best-of-breed” solutions:

• An anti-malware solution from a single vendor, with its own management console, logging console, management server and agents.
• A data loss prevention solution from a second vendor that uses all the same components required for it to run effectively.
• Security information event management (SIEM) logging and monitoring solution, newly implemented by a third vendor, in an attempt at unifying all this data into a ‘single-pane-of-glass.'

While these solutions stand out individually, they may not work together in harmony, requiring operational overhead and additional licensing costs—ultimately becoming difficult to manage while your team continues to be stretched thin.