Cybersecurity management: it's a numbers game

I recently attended a cybersecurity conference. In addition to the industry regulars, there were about 70 start-up companies presenting in the start-up pavilion. There was a definite division of technology among them: 80% dealt with detection (including mobile, SCADA/ICS, etc.) and the rest with various other topics (DLP, MDM, management, intelligence, etc.). This isn't surprising: it is a known fact that malware is multiplying on a daily basis, so it makes sense that defensive technology designed to detect such activity will be growing as well. Problem is, detection alone never stopped an attack…

But that's not what I wanted to focus on.

So let's assume only half of these represent real, novel technologies. This means that about 30-35 new products will be hitting the market soon. Assuming, again, that all of these are new (meaning not replacing or competing with more traditional products), cybersecurity departments now have to learn these new solutions, test them, understand whether they are applicable to their organization and justify their acquisition. After purchase, they need to implement these products, integrate them somehow into their procedures and connect them to the other systems residing within their SOCs. I can make an educated guess that the new systems will generate multiple alerts, causing headaches for the operations personnel and a strain on their managers. It is in fact becoming so bad that some companies now offer innovative SIEM solutions with the sole purpose of siem-plifying the SIEM operation (pun intended).

But with so much new technology, aren't we increasing both the load and the risk? How do we expect cybersecurity managers to adopt these new technologies and make sure they work in concert with other systems? How can a CISO know if the new, shiny toy she just bought is implemented to its fullest capacity? How can she know if she even needs it? What's already included in the arsenal, and how well is it deployed? Is the added "toy" efficient and complementary to the existing arsenal, or will it just add to the already existing clutter? The answer is that in addition to their "weapons" arsenal, we must also equip managers with tools to better manage their operation. They need to be able to verify the maturity level of multiple security systems and controls and understand whether these are sufficient to mitigate the next type of attack.
But if the industry continues favoring the development of detection mechanisms instead of investing some resources into management and decision-support systems, we are condemning our CISOs to a life of constant alert-chasing, fire-fighting and awkward moments spent trying to justify the purchase of a new toy without any concrete data to support their claim.