Cybersecurity Spending and IAM underinvestment

Security budgets naturally compete with other priorities for funding, and finance departments traditionally prioritize immediate financial gains over long-term investments. Cybersecurity, with its focus on prevention, is often seen as an element that’s ‘nice to have’ rather than a necessity. Especially when compared to tangible projects with quicker returns, cybersecurity initiatives can be left chronically underfunded.

Where do we spend? And where are the attacks coming from?

According to Gartner, the main driver of cybersecurity spending is security services, and this is not going to change in the future – this segment accounts for more than 40 percent of total spending. The next three major areas are infrastructure protection (15.5 percent of spending), network security equipment (13.9 percent of spending) and IAM (accounting for only 8.6 percent of the total).

Compare and contrast that with the latest CISA advisory on how malicious actors gain initial access to victims' networks. The advisory, coauthored with the cybersecurity authorities of the United States, Canada, New Zealand and the United Kingdom, lists the weak security practices most commonly exploited for initial access:

  • Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) as one of the most common infection vectors for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement.
  • Privileges or permissions are incorrectly applied and there are errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.
  • Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
  • Vendor-supplied default configurations or default login usernames and passwords are being used. Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit.
  • Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.
  • Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP.
  • Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
  • Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.
  • Phishing attempts are not detected or blocked. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.
  • Endpoint detection and response is poor. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against.
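Several items in the list above are conditions a defender can check mechanically against an asset and identity inventory. The following is an added example, not code from the article or from the CISA advisory: a small hygiene audit that walks a constructed inventory (accounts, hosts, a password policy) and maps each finding back to the weak practice it corresponds to. The inventory attributes (`internet_facing`, `vendor_default_config`, `patch_age_days`) and the thresholds (14-character minimum, 30-day patch age) are assumptions chosen for the example; severity is raised for administrators and remote-access users, and for internet-facing hosts, following the emphasis the advisory itself puts on them.

```python
from dataclasses import dataclass

# Services the advisory names as high-risk when reachable from the internet.
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet",
                   137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}
SEVERITY_RANK = {"high": 0, "medium": 1}
MIN_PASSWORD_LENGTH = 14   # assumed floor; align with your own standard
MAX_PATCH_AGE_DAYS = 30    # assumed patch SLA


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    practice: str   # weak practice from the advisory list
    subject: str    # account name, host, host:port or policy element


@dataclass
class Account:
    name: str
    is_admin: bool
    mfa_enforced: bool
    remote_access: bool   # holds an RDP or VPN entitlement


@dataclass
class Host:
    name: str
    internet_facing: bool        # hypothetical inventory attribute
    listening_ports: tuple
    vendor_default_config: bool  # hypothetical inventory attribute
    patch_age_days: int          # days since last patch cycle completed


@dataclass
class PasswordPolicy:
    min_length: int
    lockout_threshold: int   # 0 means accounts never lock out
    screens_breached: bool   # rejects passwords seen in breach corpora


def audit_accounts(accounts):
    """MFA not enforced: admins and remote-access users rate high."""
    out = []
    for a in accounts:
        if not a.mfa_enforced:
            sev = "high" if (a.is_admin or a.remote_access) else "medium"
            out.append(Finding(sev, "MFA not enforced", a.name))
    return out


def audit_hosts(hosts):
    """Exposed high-risk services, vendor defaults and stale patching."""
    out = []
    for h in hosts:
        exposure = "high" if h.internet_facing else "medium"
        for port in h.listening_ports:
            if h.internet_facing and port in HIGH_RISK_PORTS:
                out.append(Finding("high", f"{HIGH_RISK_PORTS[port]} exposed to the internet",
                                   f"{h.name}:{port}"))
        if h.vendor_default_config:
            out.append(Finding(exposure, "vendor default configuration", h.name))
        if h.patch_age_days > MAX_PATCH_AGE_DAYS:
            out.append(Finding(exposure, "unpatched software", h.name))
    return out


def audit_password_policy(policy):
    """Strong password policy not implemented (thresholds are assumptions)."""
    out = []
    if policy.min_length < MIN_PASSWORD_LENGTH:
        out.append(Finding("medium", "weak password policy", f"min_length={policy.min_length}"))
    if policy.lockout_threshold == 0:
        out.append(Finding("medium", "weak password policy", "no account lockout"))
    if not policy.screens_breached:
        out.append(Finding("medium", "weak password policy", "no breached-password screening"))
    return out


def run_audit(accounts, hosts, policy):
    """All findings, highest severity first, then grouped by practice."""
    findings = audit_accounts(accounts) + audit_hosts(hosts) + audit_password_policy(policy)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.practice, f.subject))


# Constructed sample inventory for the example.
SAMPLE_ACCOUNTS = [
    Account("svc-backup", is_admin=True, mfa_enforced=False, remote_access=False),
    Account("jdoe", is_admin=False, mfa_enforced=True, remote_access=True),
    Account("contractor1", is_admin=False, mfa_enforced=False, remote_access=True),
    Account("intern", is_admin=False, mfa_enforced=False, remote_access=False),
]
SAMPLE_HOSTS = [
    Host("jump-01", True, (22, 3389), vendor_default_config=False, patch_age_days=12),
    Host("files-01", False, (445, 139), vendor_default_config=False, patch_age_days=95),
    Host("cam-gw", True, (23, 80), vendor_default_config=True, patch_age_days=400),
]
SAMPLE_POLICY = PasswordPolicy(min_length=8, lockout_threshold=0, screens_breached=False)

if __name__ == "__main__":
    for f in run_audit(SAMPLE_ACCOUNTS, SAMPLE_HOSTS, SAMPLE_POLICY):
        print(f"[{f.severity:6}] {f.practice}: {f.subject}")
```

On the constructed inventory the audit reports eleven findings, six of them high: the two accounts without MFA that are administrators or hold remote access, RDP and Telnet listening on internet-facing hosts, and the internet-facing gateway still on vendor defaults and unpatched. The internal file server's SMB and NetBIOS ports are not reported because the check is about internet exposure; its stale patching still is, at medium severity. The point of the exercise is the mapping: each finding names the advisory item it falls under, which is what makes the output useful when arguing for budget against the spending split described earlier.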

The skills shortage brings vendor consolidation

A key challenge of cybersecurity investment is investment in people – hiring, training and retaining the right workforce. A recent study by ISC2 shows unprecedented levels of demand for a skilled cybersecurity workforce, a demand that far exceeds the supply of available workers. The global workforce is growing at a steady pace, clocking in at around 5.5 million employees at the end of 2023. That’s a healthy 8.7% growth, an increase of 440 thousand in a year, and a large jump from the 2.8 million estimated in 2019. However impressive the figure, it still remains in the shadow of unfulfilled demand – a gap of around 4 million, with half a million cybersecurity workers missing in North America alone.

One way organizations can act on this imbalance is by upskilling and training the existing workforce. Cybersecurity professionals are facing a continuously shifting threat landscape. With new threats appearing daily, just keeping up with the field requires constant training. At the same time, cybersecurity is now a corporation-wide issue, where every single employee plays a critical role and requires appropriate training – from anti-phishing and business email compromise to data protection. We don’t need to remind any reader: the best corporate policy is worth only as much as its implementation.

No wonder every CIO and CISO is looking at consolidating the stack and reducing the number of vendors. It helps control the extreme diversity of tools and shortens the list of required security qualifications. Recently, Gartner found that 75 percent of organizations are pursuing vendor consolidation as the era of single-use point solutions gives way to the pressure of the skills shortage. The key reason for vendor consolidation is of course improving the risk posture by reducing complexity. Surprisingly, cost optimization is not a primary driver for this trend.

The rise of unified solutions and holistic security strategies

From our review of the current threat landscape, it already transpires that the new threat, new tool hamster wheel is unsustainable. No matter how advanced that new piece of technology is, if it’s not integrated seamlessly with the existing cybersecurity architecture, it brings an unsustainable level of complexity, a burden on staffing and a disjointed approach to security. With 43% of organizations using more than 10 cybersecurity vendors, and many more distinct tools, bolting on more and more is just not a long-term or effective approach.

The above-mentioned vendor consolidation is a clear answer to cutting down this complexity. The other long-term solution is betting on platforms. The quoted Gartner research shows that in SASE and XDR, buyers are already gravitating towards vendors with comprehensive suites to solve all relevant issues of that field. IAM is also consolidating, with vendors creating unified identity platforms that can cover wall-to-wall needs on identity security. While IAM used to be a mishmash of various enterprise-grade solutions for specific use cases, recently the market moved towards an approach which converges access management, privileged access management, identity governance and administration and a variety of smaller tools handling identity, including AD defence, AD bridging, MFA and SSO.

While specialized point solutions can be effective and provide adequate security, the burden of integration falls on the customer, creating unnecessary complexity to the detriment of the overall security posture. The trade-off calculation needs to consider the opportunity cost: A few dedicated cybersecurity engineers could do more valuable work somewhere else.

Fundamentally, the solution is paring down the number of vendors and focusing on a few key partners for the long term. The choice should be driven by the breadth of the vendor portfolio: it needs to cover the complete set of challenges that may arise in that field. Likely even more important is modularity: implementing a complete platform in one go, especially in a field as complex as cybersecurity, is borderline impossible. Badly scoped, too-large implementation projects run the risk of cost overruns, missed deadlines or downright failure. A smarter approach is implementing one major component at a time. However, not every platform has the flexibility to run alongside existing solutions and replace them as the customer's needs dictate.

While cost is not a driver of vendor consolidation, it sure is a benefit. Vendors usually offer deep discounts when asked for bundles that include more than one component of a cybersecurity platform. Another cost-saving factor is people and skills: with transferable skills in a unified platform, hiring and upskilling become much more effective, bringing flexibility to the teams manning these solutions.

Conclusion

The cybersecurity landscape is in a state of constant flux, with threats evolving at an unprecedented pace. The expanding attack surface, fueled by digital transformation and the proliferation of interconnected devices, has created new vulnerabilities for malicious actors to exploit. The widening gap between the escalating cyber threats and the lagging security investments is a cause for serious concern. Traditional security approaches, focused on perimeter defense and reactive measures, are no longer sufficient in this new era of sophisticated attacks. The cybersecurity skills shortage further exacerbates the problem, leaving organizations struggling to find and retain the talent needed to implement effective security strategies.

The future of cybersecurity lies in unified solutions and holistic security strategies. By consolidating vendors and embracing platforms that offer comprehensive protection across the entire threat landscape, organizations can reduce complexity, improve efficiency and strengthen their overall security posture. This approach not only addresses the immediate challenges of the skills shortage but also lays the foundation for a more resilient and adaptable security infrastructure.

Anonymous