More or Less: New Study Uncovers Diverging Security Strategies Among Today’s CISOs

April 1, 2016
| |
3 min read

In the fast and furious world of fighting cybersecurity threats, today’s chief information security officer (CISO) needs a solid strategy for securing his or her organization. An important element of such a strategy is security solution evaluation and selection. In a crowded and fragmented market, it can be a challenge to first understand the gaps in one’s own security program and then identify the products that add both security and value.

To better understand the challenges facing CISOs, a recent study was conducted to identify the solution strategies employed by security leaders. The report pointed to two emerging approaches CISOs are relying on to protect their organizations.

Going Old-School to Lower Costs and Complexity

Accompanying the rise of sophisticated attacks is the increase in cost and complexity when battling these advanced threats. One group of CISOs, dubbed by researchers as the “minimalists,” are easing budgetary requirements by returning to an antivirus-only approach.

Not only does removing all security measures but AV tools realize significant cost savings, but the complexity of their organizations’ security program is also greatly reduced. Many leaders also noted a waterfall effect in costs savings; for example, several organizations were able to virtually eliminate their security staff since there were no more security products to deploy or maintain, as well as fewer security alerts to investigate.

While a radical approach, minimalist CISOs tended to cite their confidence in their employees’ ability to know which links to click and those to avoid. They also believed that because of today’s improved software development processes, patching was largely becoming unnecessary. Additionally, the minimalist approach was viewed as a cunning chess move in the game against cybercriminals in that it would trick attackers into thinking that they had not yet found the organization’s security measures and then could not attack because they didn’t know what would happen.

Still, the study indicated that the minimalist strategy will not just stay at the antivirus-only level for long. Several respondents stated that they were considering adding a firewall to their network within the next nine to 12 months. Notably, most said it would not be one of those fancy, next-generation firewalls.

Finally, a small group of respondents remarked that they preferred the minimalist strategy because they’ll be blamed for any inevitable breach no matter what, so why try?

A CISO Can Do More With More

Yet another cohort of CISOs believed that the minimalist approach is taking it a step or two too far. Given the moniker of “collectors,” this second group seems to agree that using as many security products from as many security vendors as possible is key to securing their organizations. As one respondent noted, his strategy hinges on a multitude of solutions because “one of those [products] is bound to catch something.”

The collector CISO tends to view money as no object. In light of recent high-profile breaches, this group has seen its budgets skyrocket and actually indicated that they have trouble spending it all each year. In turn, this has driven a demand for hiring additional security professionals to manage all the products and the millions of alerts they issue each day. While it may be akin to searching for a needle in a haystack, the collector CISOs agreed that “at least the right alert is in there somewhere — we just need more people to look for it. It’s all hands on deck, and I need more hands.”

The sprawl of security solutions can introduce complexity, but the collectors, on average, viewed this as a strategic benefit. The thought is that the lack of integration between the products is actually a security feature because it reduces the likelihood that an attacker can infiltrate and transverse the network through the security products themselves. Besides, these CISOs need to keep their growing security teams busy by poring over log data and making their own value-add connections and correlations between various reports.

Figure 1: To what extent do you agree with the following statements? (Combined answers of agree and strongly agree.)

Protecting Against the Dynamic Attack Chain

The readers of this blog are a rather astute group, so you’ve likely figured out long before now that the above study isn’t real. Happy April Fool’s Day! However, while the two characterizations of today’s CISO were humorously extreme, the challenges of dealing with advanced threats, product integrations, budgets and skills shortages are very real.

That’s why IBM Security has created its threat protection system. The IBM Threat Protection System is designed to disrupt the life cycle of advanced cyberattacks with a three-pronged approach that helps you prevent, detect and respond to threats. It is built on an adaptive architecture and integrates with more than 450 security tools from over 100 vendors.

Join us for a webinar titled “Attack Autopsy: A Study of the Dynamic Attack Chain” on April 14. IBM will give you a look at its advanced threat protection system and teach you how to improve the security health of your organization.

Jordan Carlson
Portfolio Marketing Manager, IBM

Jordan leads portfolio marketing for IBM Security’s network protection products. With more than 15 years of experience in the technology industry, Jordan h...
read more