The key is in spending for what is right for your organization, not simply deciding that a set percentage should be spent on these solutions. Below are some key questions that you should ask of yourself:
Do I want to know the holes in my network, or do I just want the box checked that I’ve had testing done? 99.9 percent of companies offering cybersecurity services today are using automated vulnerability scanning tools and calling it a “penetration test.” This approach is fine if all you need is to check a box that you’ve had some testing done. The problem with this approach is that the people performing the “test” are usually only mildly more qualified than you are to do this testing. Why would you pay someone thousands of dollars to press the start button on software that you could buy yourself?
On the flip side, there are a few companies that go the extra mile to make sure that your system is addressed in the same way that sophisticated attackers would interact with it. These companies are going to find the vulnerabilities that are specific to your network configuration and give you a realistic view of where your vulnerabilities are located. They’ll boast of advanced degrees in computer science or related fields and spare you the list of certifications that anyone could get with a two-week training course.
The latter is going to be more expensive, but you’ll actually be getting what you are paying for unless you are looking to simply check the box.
Now that I’ve done testing, what am I doing to continuously monitor my network security?
This is a huge area, with a new “product” hitting the market about every 10 minutes. Let me warn you here: technology is NOT always the answer. While there are some very good products on the market, humans familiar with your network are still needed to put context to the alerts.
This is one of the biggest problems we’re seeing lately. Companies are installing the fancy new product, subsequently getting millions of alerts a day, and having no clue what to do with them. What is the point of having these great new devices if you end up ignoring them because you are overwhelmed? If your budget allows, look for a provider who can take the logs that you are already generating and put them in a form that has context and is applicable to your specific network environment.
While there is generally strength in numbers, I’d also warn you to beware of the gigantic products. There is also strength in diversity, especially in the security monitoring space. There is a new article out almost weekly about how this or that software is going to end security threats. Well, guess which products attackers are going to be studying if a large percentage of companies are using that defense? You guessed it: the one where they can gain the most access by finding ways to bypass it.
To summarize, if you have a sizable security team with good qualifications, you are probably right to go with a technology approach to monitoring. If your IT team is already strapped for time on daily activities before they even look at security monitoring, you are probably best served by bringing in a service that does that for you on a constant basis.
So when considering what to spend on cybersecurity, keep in mind that it all depends on what you are looking for. Also remember that you have to be vigilant to make sure you are actually getting what you think you are getting, as there will always be a vendor waiting to sell you anything under the sun.
It also makes sense that if a majority of your business is done through network-connected devices and applications, you should be putting a priority on protecting those things. If you absolutely must judge your security spending by a percentage, I’d say that somewhere in the range of 20-25 percent of your IT budget is a good start.
» Brad Fuller serves as the Director of Operations for HORNE Cyber. After spending 10 years working in the United States Senate, Brad co-founded Halberd Group LLC, which specialized in offense-oriented cybersecurity and digital forensics prior to being acquired by HORNE Cyber. As Director of Operations, Brad guides clients to fully leverage technology innovations by providing the insights critical to safeguarding their business, customers’ critical data and brand reputation.