Introduction
In my experience, people tend to make decisions on where to invest in cybersecurity controls based on one of the following approaches. Sure, there are lots of exceptions, the audit finding, the article your CEO read, or ‘the horse has left the barn, time to close that gate’ approach. When, however, we think about Cyber strategy, we often fall into one of these four ways of thinking about our budget:
1. Popular wisdom –‘Everybody knows you should have an EDR solution’
2. What’s getting attention in the news – ‘New next-gen, AI, ML, cloud-based <insert product type> protects from zero-day attacks!’
3. Personal bias – ‘Any solution as long as it isn’t <x> ’
4. Trusted relationships – ‘Bob from <Y> is a good guy and he’s been after me to use this solution to solve our security problem.’
The challenge with these approaches is they are all, potentially, legitimate. The range of ‘good’ security controls is very wide, and each of those controls can be addressed effectively by an even wider range of products. So, the issue isn’t picking a valid control, it becomes one of picking the most cost-effective set of controls for my environment and budget.
How Do These Approaches Work In Other Contexts?
Consider this example. You want to drive the safest possible car for your budget. You can afford a $25K car and have an additional $3K to spend on safety features. The list of optional safety features comprises have a handful of options that range in price from a few hundred to a few thousands of dollars. You have options on how you decide to spend the money:
1. ‘Everybody knows you need forward collision warning, automatic emergency braking, and lane-keeping assist’ – These total to $6K, which one do you decide to cut? How do you make that decision?
2. The news reports on car safety have been pushing the benefits of a stability control system – it sounds good but costs $3K alone. Is it a better solution than the other features people say you need?
3. You have a friend of a friend (on Facebook) that fractured her neck because of an active head restraint system – so you know you definitely don’t want one of those.
4. You had your heart set on a used Jetta but your best friend has been really happy with a Hyundai that has a blind spot indicator included, a $1500 feature everywhere else. – Is the tradeoff worth it?
In this example, there are tons of safety features available to you, and many, if not all of them, provide some reduction in risk. The question is how to tailor the safety features to your unique budget requirements and risk exposure. In an ideal world, you would be able to model your car of choice, the safety features available, your driving habits (level of aggressiveness, etc.), driving environment (inner city, rural) against a national database and have some statistically-based answer on which safety features would provide the greatest reduction of risk within your budget.
Real-World Cyber Spend Decisions:
So, back in the world of choosing where to spend your cyber dollars. Some of you may say, ‘Wait – what about making decisions with more objective comparisons?’ Good point and those are helpful tools. However, let’s say that the (Gartner/Forester/etc) report says that <X> is the most effective Endpoint Detection and Response (EDR) tool. You decide to purchase the tool recommended and it may, in fact, be the absolute best EDR tool out there. How do you make the determination, based on your unique environment and threat profile, that you should spend money on EDR and not some other mitigating control like Privileged Account Management (PAM)? How much better off would you be if, instead of adding a new control, you increased the effectiveness of an existing control by 30%?
Data-Driven Budget Decisions:
There are a number of tools and approaches that look at your controls environment, both preventative and detective, as a series of barriers between the ‘bad guy’ and what you are trying to protect (industrial controls, PII, PHI, PCI, etc.). These tools and approaches allow you to estimate the risk reduction value for each control in that series and model the effective risk reduction in aggregate for the series. As humans, we are perfectly able to intuitively estimate one variable (e.g. EDR) but studies have shown that we’re not so good at intuiting more complex statistical problems like the one above. As Daniel Kahneman. observed: “There is a deep gap between our thinking about statistics and our thinking about individual cases*”
I believe this is why we are starting to see more people turn to quantitative risk tools and techniques to help them make better decisions. Cyber Insurance Brokers like Marsh are using quantitative techniques, including simulation, to model control effectiveness. Companies like Cymptom are developing commercial software for modeling control effectiveness. Open Source tools like RedPill provide a framework to model it on your own and organizations like FAIR are publishing guidelines and processes to help guide us.
So – when you are faced with your next Cyber purchasing decision, what method will you choose? If you are interested in a data-driven budget analysis example, just reach out to us and we’ll send you one.
