How many security providers do you really need?

Organizations need to have adequate security for their technology estate. Some will be large enough to do all of this in-house, but many will only be able to assign their skilled security teams to cover some of their protection. Security providers fill the remaining gaps with software, tools, and expertise.

Most businesses aim to achieve the ‘Goldilocks’ scenario, in which they invest in just the right amount of security through channels such as managed security service providers (MSSPs).

But finding the “just about right” amount of security can be trickier than it seems. While there is much discussion around ensuring you have solid security backing, it is also easy to overspend on security.

Determining the correct level of security investment

While an organization might legitimately need more than one security provider, it is also possible that it has too many for its needs. Among the pitfalls of using too many security providers are unnecessary expense, confused reporting, and lack of control.

In 2023, businesses use an average of eight security platforms, according to research from Kroll. The study took in responses from 1,000 senior information security decision-makers at organizations with revenues between $50 million and $10 billion based in North and South America, APAC, and EMEA.

“Our research shows that the more cybersecurity platforms are used within an organization, the more cyber security incidents are reported,” Scott Downie, assistant managing director of cyber risk at Kroll, tells ITPro.

This could mean that more incidents are discovered, but could also be a sign of ‘double counting’ cyber security threats.

Nick Truman, chief information security officer (CISO) at Nasstar, explains the pitfalls of using multiple providers doing essentially the same work. “Duplicate incident reports can overload security teams with unnecessary work, leading to decreased efficiency and delayed response times.

“Excessive reporting can distract the security team from identifying and addressing genuine threats, leading to oversight and reduced incident response effectiveness.”

Software bugs already lead to incidents in which security teams are overwhelmed by false threat flags, such as Microsoft Defender erroneously identifying reused passwords.

Using too many providers can also mean redundant spending, money which could be better spent ensuring any in-house teams are well-supported. The burden placed on security teams from excessive threat reports could add to the already high level of security staff burnout.

In 2022, 75% of organizations surveyed by Gartner were looking to drop cyber security vendors to improve their security posture, citing the operational inefficiencies that can arise from tracking a mix of complex security solutions. Many (41.5%) of those surveyed were investing in secure access service edge (SASE) products to consolidate their security controls.

Getting clarity on security provision

There are three main steps IT leaders can take to get a handle on their security providers: conduct a review, remove the excess provision, and produce a risk strategy so the situation can be avoided in the future. Considering the main threats they face and their attack surface is key.

“Many organizations do not understand exactly what they are protecting against and can often overcompensate by using multiple platforms for cyber security protection,” says Downie.

Keeping one eye on the threat landscape is also key here. MSSPs can provide dark web insights, which can help businesses find out if they are being actively targeted by dark web entities such as ransomware gangs. 

Small and medium-sized businesses (SMBs) with small or no security teams to their name can particularly benefit from this access, especially as ransomware groups have begun to target smaller businesses once again.

Internal reports can also guide investment decisions on specific security tools: finding out your organization is being targeted with identity-based attacks or as part of a phishing campaign could drive greater spending on identity management services, for example.

“Clients often approach us not knowing which of their providers are really covering which risks,” Joe Hubback, managing director EMEA at Istari, tells ITPro. “It’s almost always due to very mundane reasons such as the churn of staff in security functions and the way businesses evolve.” 

External support may be well worth the cost and could eventually pay for itself as unneeded provision and associated workload is canceled. But gaps in oversight must always be addressed, especially if these are behind unnecessary spending.

With a strong strategy in place, the review process can be made easier and be carried out more regularly. The strategy should be built on both defining what necessitates protection and one’s appetite for risk. 

Finding the optimum number for security

The optimum number of security providers is likely more than one, as a single provider is often unable to cover every security requirement.

“There is a theoretical issue with having a single provider in that it reduces your security resilience. If that single vendor suffers a failure, you will not have a backup solution to protect you.”

In addition, Hubback points out that “for some enterprises, it is part of their security strategy to have vendors provide overlapping capabilities in critical areas”. This increases the chances that if one provider has not yet patched a widely-exploited vulnerability, the other in use may already have extended its cover to protect against it. It’s a “belt and braces” style approach and one which, while undoubtedly expensive, may be needed to satisfy the risk appetite of the organization. 

Aside from duplication for self-protection, “Different providers might excel in specific areas of cyber security. Utilizing multiple specialized providers can ensure comprehensive coverage,” says Nick Truman. 

The key to identifying the optimum number of providers lies in getting a full and comprehensive understanding of the technology estate of one’s organization, across both legacy and modern systems, as well as knowing in detail what needs protecting.

Ultimately, providing adequate security is, as so many aspects of business are, all about strategy. Get the strategy right, and your organization can ensure adequate security provision, from however many providers are needed. The Goldilocks scenario will be in place.

Sandra Vogel
Freelance journalist