Cybersecurity frameworks are notoriously expensive to build and maintain, and business leaders are frequently dissatisfied with their effectiveness. According to research conducted by the Ponemon Institute, enterprises spend an average of $2.86 million per year on their in-house security operations center (SOC), with more than half of those costs allocated to labor. Yet barely more than half of survey respondents (51%) rated their SOC “highly effective” at detecting attacks and responding to incidents.
What else can chief information security officers (CISOs) do to reduce costs and stay within their budget as they navigate the current economic downturn? Here are five tactics to help you emerge from today’s climate of austerity with a cybersecurity framework that doesn’t break the budget.
State of the Budget
First, some context. Recent events have amplified the need for cost savings. A majority of enterprises froze IT budgets in the immediate aftermath of the crisis, but as many as 23% of chief information officers report that their budgets remain frozen more than two months later. An additional 49% saw decreases during the same period. As security organizations face new challenges identifying and containing incidents in hastily implemented remote work environments, they’re also being asked to accomplish more with fewer resources.
Because staffing is the biggest line item in any security operations budget, it can be tempting to resort to layoffs when money gets tight. Security analyst salaries are high (an average of $102,315, according to the Ponemon Institute), so cutting labor costs can look like the quickest way to reduce expenditures.
Reducing headcount, however, damages a security operations program’s effectiveness in ways that are long-lasting and difficult to reverse. On average, it takes 7.3 months to recruit and train a new analyst. While a position sits vacant, 65% of security personnel report that the rest of the team lacks adequate time for its other responsibilities. Collaboration and morale may suffer as well.
“Cutting staff should be the absolute last resort,” says Mark Orlando, cofounder of Bionic Cyber.
Eliminate Duplicate Cybersecurity Tools
In IBM Security and the Ponemon Institute’s latest Cyber Resilient Organization Report, the average enterprise had deployed 45 different security technologies and solutions. More is not merrier in this case: companies using more than 50 separate tools ranked as less able to detect and respond to attacks than those using fewer. Every additional solution in a cybersecurity framework adds complexity, requires employees to spend more time on training and certification, and creates interoperability challenges.
Given the current industry trend toward vendor acquisition and solution consolidation, now is the time to make sure you’re not spending your budget on multiple products with overlapping or similar capabilities. Every piece of software you run may contain as-yet-undiscovered vulnerabilities and needs patching, so pruning your stack to the tools you actually use shrinks the attack surface along with the management and administration burden. Before retiring a product, confirm that the controls and detections it provides are covered elsewhere; a smaller stack with a coverage gap is a cost saving only until the gap is exploited.
The same goes for your data sources. Is every single log source feeding your security information and event management (SIEM) solution providing truly valuable data? Is every threat intelligence feed that you subscribe to enabling better investigations? Or, are they full of false positives and lacking in context?
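One way to answer those questions with data rather than opinion is to cross-reference what the SIEM ingests against the detection rules that actually read it. The script below is an added example for this article, not the article’s own or any vendor’s code. The ingest table, rule list and volumes are constructed; the (product, service) tags are an assumption loosely modelled on Sigma-style logsource fields, and gigabytes per day stands in for whatever your SIEM licence actually meters.

```python
"""Audit which SIEM log sources actually feed a detection rule.

Added example for this article, not the article's own or any vendor's code.
The ingest volumes and rules below are constructed for illustration; the
(product, service) tags are an assumption loosely modelled on Sigma-style
logsource fields, and GB/day stands in for whatever your SIEM licence meters.
"""
from collections import defaultdict

# Constructed ingest table: (product, service) -> GB/day currently ingested.
INGEST = {
    ("windows", "security"): 120.0,
    ("windows", "sysmon"): 40.0,
    ("linux", "auditd"): 25.0,
    ("firewall", "traffic"): 300.0,   # biggest source, read by no rule below
    ("proxy", "web"): 80.0,
    ("dns", "query"): 150.0,
    ("printer", "jobs"): 5.0,
}

# Constructed detection rules: rule name -> the sources it needs to fire.
RULES = {
    "lsass_access": {("windows", "sysmon")},
    "new_local_admin": {("windows", "security")},
    "suspicious_sudo": {("linux", "auditd")},
    "beaconing_to_rare_domain": {("proxy", "web"), ("dns", "query")},
    "vpn_impossible_travel": {("vpn", "auth")},   # source never onboarded
}


def audit(ingest, rules):
    """Cross-reference ingest against rules.

    Returns three views a budget review needs:
      unused_sources        - paid-for data no rule reads (review, don't blindly drop)
      rules_missing_sources - rules that can never fire because their data isn't there
      gb_per_rule           - GB/day of a source divided by the rules it serves,
                              a rough cost-per-detection figure for prioritising cuts
    """
    readers = defaultdict(set)          # source -> rules that consume it
    for name, sources in rules.items():
        for src in sources:
            readers[src].add(name)

    unused = {src: gb for src, gb in ingest.items() if src not in readers}
    missing = {}
    for name, sources in rules.items():
        gap = sorted(src for src in sources if src not in ingest)
        if gap:
            missing[name] = gap
    gb_per_rule = {src: gb / len(readers[src])
                   for src, gb in ingest.items() if src in readers}
    return {
        "unused_sources": unused,
        "rules_missing_sources": missing,
        "gb_per_rule": gb_per_rule,
    }


def unused_gb(report):
    """Total GB/day ingested with no detection consuming it."""
    return sum(report["unused_sources"].values())


if __name__ == "__main__":
    report = audit(INGEST, RULES)
    print(f"{unused_gb(report):.0f} GB/day ingested with no rule reading it")
    for src, gb in sorted(report["unused_sources"].items(), key=lambda kv: -kv[1]):
        print(f"  unused: {src} {gb:.0f} GB/day")
    for rule, gap in report["rules_missing_sources"].items():
        print(f"  rule {rule!r} cannot fire: missing {gap}")
```

Treat the “unused” list as a review queue, not a deletion list: a source no rule reads today may still be the only record you have during an investigation or may be required for retention. The “rules missing sources” list is the mirror image and is often the more embarrassing finding, since those detections have been silently dead since deployment.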
Consider Single-Vendor Solution Suites
Anything that can make security analysts more efficient and reduce their need for training will ultimately benefit your budget. Over the past few years, the trend has been to seek out a different “best-of-breed” solution for each task within the cybersecurity framework. But this means analysts must monitor multiple dashboards and be trained and certified on multiple tool sets.
Solutions that can be administered from one cohesive dashboard can save huge amounts of analysts’ time. Since time is ultimately the most expensive and scarcest resource in the SOC, it makes sense to conserve it wherever possible. Suites also tend to cost less up front in purchase or subscription fees than the equivalent set of point products. Weigh that against concentration risk: one vendor’s outage or compromise now affects every control at once, and switching later is harder.
Deploy Cybersecurity Task Automation Logically
When it’s used wisely, automation has the potential to save more of analysts’ time than anything else you might implement in the SOC. The best solutions can streamline workflows, take responsibility for performing monotonous and highly repetitive tasks (which gives analysts more leeway for creativity) and multiply efficiencies.
However, many solutions, including Security Orchestration, Automation and Response (SOAR) platforms, are time- and labor-intensive to deploy. That, of course, affects the budget. Running playbooks may ultimately save time, but building them is a complex, long-term project involving a lot of customization. Managing a SOAR platform typically requires analysts to interact with multiple consoles within their cybersecurity framework, too.
Smaller, more specific tasks within the security incident workflow, such as gathering contextual data to speed incident investigation, are easier to automate, especially for organizations with less mature security programs. Look for tools that can loop in pre-existing data sources (this is more challenging in heterogeneous, multi-vendor environments). Or, look for tools that can add automation-based capabilities to the cybersecurity framework you already have.
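The kind of narrow automation this section describes is an enrichment step: before an analyst opens an alert, attach what the asset inventory, directory and threat-intel list already know about it and derive a triage priority. The following is an added example for this article, not the article’s own or any vendor’s code. The alert, asset inventory, user directory, indicator list and internal address plan are constructed inline; in a real deployment those lookups would call your CMDB, identity provider and threat-intel platform, and the scoring weights are an assumption to be tuned per environment.

```python
"""Enrich a raw alert with context before an analyst opens it.

Added example for this article, not the article's own or any vendor's code.
All data sources below are constructed stand-ins; the scoring weights,
business-hours window and internal address plan are assumptions.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed stand-ins for the pre-existing data sources the article says to loop in.
ASSETS = {
    "10.20.30.40": {"hostname": "fin-db-01", "owner": "finance", "criticality": "high"},
    "10.20.30.41": {"hostname": "wks-0117", "owner": "jsmith", "criticality": "low"},
}
USERS = {
    "jsmith": {"title": "Accountant", "privileged": False, "mfa": True},
    "svc_backup": {"title": "service account", "privileged": True, "mfa": False},
}
# Constructed indicator; 203.0.113.0/24 is a documentation range, never real traffic.
INDICATORS = {"203.0.113.7": "known C2 (constructed indicator)"}
# Assumed organisational address plan; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

UNKNOWN_ASSET = {"hostname": "unknown", "owner": "unknown", "criticality": "unknown"}
UNKNOWN_USER = {"title": "unknown", "privileged": None, "mfa": None}


def is_external(addr):
    """True if addr parses and lies outside INTERNAL_NETS; False on garbage input."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # malformed or missing address
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def enrich(alert):
    """Return a copy of `alert` with context fields and a triage priority attached.

    Lookups that miss are recorded as 'unknown' rather than raised: an
    enrichment step that crashes on an unlisted host is worse than one that
    hands the analyst a clearly marked gap.
    """
    out = dict(alert)
    out["asset"] = ASSETS.get(alert.get("src_ip", ""), UNKNOWN_ASSET)
    out["user"] = USERS.get(alert.get("user", ""), UNKNOWN_USER)

    dst = alert.get("dst_ip", "")
    out["dst_is_external"] = is_external(dst)
    out["dst_intel"] = INDICATORS.get(dst)

    ts = datetime.fromisoformat(alert["timestamp"].replace("Z", "+00:00"))
    hour = ts.astimezone(timezone.utc).hour
    out["off_hours"] = hour < 6 or hour >= 20   # assumption: business day is 06:00-20:00 UTC

    # Assumed weights; the point is that the score is explainable, not clever.
    score = 0
    score += 3 if out["dst_intel"] else 0
    score += 2 if out["asset"]["criticality"] == "high" else 0
    score += 2 if out["user"]["privileged"] else 0
    score += 1 if out["dst_is_external"] else 0
    score += 1 if out["off_hours"] else 0
    out["score"] = score
    out["priority"] = "P1" if score >= 5 else "P2" if score >= 3 else "P3"
    return out


# Constructed alerts, shaped as a detection rule might emit them.
ALERT_BACKUP_ACCOUNT = {
    "rule": "outbound_connection_rare_port",
    "timestamp": "2020-06-15T02:14:00Z",
    "src_ip": "10.20.30.40", "dst_ip": "203.0.113.7", "user": "svc_backup",
}
ALERT_DAYTIME_INTERNAL = {
    "rule": "outbound_connection_rare_port",
    "timestamp": "2020-06-15T14:02:00Z",
    "src_ip": "10.20.30.41", "dst_ip": "10.20.30.40", "user": "jsmith",
}

if __name__ == "__main__":
    for alert in (ALERT_BACKUP_ACCOUNT, ALERT_DAYTIME_INTERNAL):
        e = enrich(alert)
        print(e["priority"], e["score"], e["asset"]["hostname"], e["user"]["title"], e["dst_intel"])
```

The two constructed alerts come from the same rule, yet one lands as a P1 (privileged service account on a high-criticality host talking to a listed address at 02:14) and the other as a P3 (a workstation reaching an internal host during the day). That separation is exactly the work an analyst would otherwise do by hand for every alert, and it needs no orchestration platform, only read access to inventories you already have.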
Centralize Log Management, Preferably in the Cloud
Because many teams are working remotely, you have probably already directed your network telemetry sources to a centralized repository to support work-from-home security operations. This is an excellent time to revisit your log management strategy and what it costs. Lightweight cloud-hosted SIEM alternatives, and open-source log stacks such as Elasticsearch and Logstash, can readily be configured to ingest logs from the most popular cloud services. That makes it easier to collect and manage your log data, and to share it with third-party service providers as needed. The precondition is a common schema: logs from different providers arrive in different shapes, and centralizing them only pays off when one query can run across all of them.
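To show what “ingest logs from several cloud services into one place” has to involve, the script below normalises records from three providers into a single field set and then runs one query across all of them. It is an added example for this article, not the article’s own code and not a Logstash configuration. The records are constructed and simplified; their field names follow the AWS CloudTrail, Google Cloud audit-log and Okta System Log shapes as recalled here and should be checked against each provider’s current documentation before use. The target field names (event.action, source.ip, user.name) are ECS-style and an assumption.

```python
"""Normalise audit logs from several cloud services into one schema so a
single query runs across all of them.

Added example for this article, not the article's own code and not a Logstash
configuration. Records are constructed and simplified; source field names
follow the CloudTrail, GCP audit-log and Okta System Log shapes as recalled
here (verify against provider docs). Target field names are an assumption.
"""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as a log shipper would deliver it.
SAMPLE_RECORDS = [
    {   # CloudTrail-style, denied API call
        "eventTime": "2020-06-15T09:01:12Z", "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "jsmith"}, "errorCode": "AccessDenied",
    },
    {   # CloudTrail-style, successful call
        "eventTime": "2020-06-15T09:01:30Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "jsmith"},
    },
    {   # Google Cloud audit-log-style, permission denied (status.code 7)
        "timestamp": "2020-06-15T09:02:05Z",
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "jsmith@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.23"},
            "status": {"code": 7, "message": "PERMISSION_DENIED"},
        },
    },
    {   # Okta System Log-style, failed login
        "published": "2020-06-15T09:03:44.000Z", "eventType": "user.session.start",
        "actor": {"alternateId": "jsmith@example.com"},
        "client": {"ipAddress": "198.51.100.23"},
        "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    },
    {"message": "unrecognised shape: must be counted, not dropped silently"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"


def normalize(rec):
    """Map one provider-specific record to the common schema, or None if unknown."""
    if "eventSource" in rec:                       # CloudTrail-style
        ident = rec.get("userIdentity", {})
        return {
            "@timestamp": rec["eventTime"],
            "event.provider": "aws",
            "event.action": rec["eventName"],
            "event.outcome": "failure" if rec.get("errorCode") else "success",
            "source.ip": rec.get("sourceIPAddress"),
            "user.name": ident.get("userName") or ident.get("arn"),
        }
    if "protoPayload" in rec:                      # GCP audit-log-style
        p = rec["protoPayload"]
        return {
            "@timestamp": rec["timestamp"],
            "event.provider": "gcp",
            "event.action": p.get("methodName"),
            "event.outcome": "failure" if p.get("status", {}).get("code", 0) else "success",
            "source.ip": p.get("requestMetadata", {}).get("callerIp"),
            "user.name": p.get("authenticationInfo", {}).get("principalEmail"),
        }
    if "eventType" in rec and "actor" in rec:      # Okta-style
        return {
            "@timestamp": rec["published"],
            "event.provider": "okta",
            "event.action": rec["eventType"],
            "event.outcome": rec.get("outcome", {}).get("result", "").lower() or "unknown",
            "source.ip": rec.get("client", {}).get("ipAddress"),
            "user.name": rec.get("actor", {}).get("alternateId"),
        }
    return None


def load(log_text):
    """Parse newline-delimited JSON; returns (normalised events, count of unparsed lines)."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            n = normalize(json.loads(line))
        except (json.JSONDecodeError, KeyError):
            n = None
        if n is None:
            unparsed += 1          # surface it: silently dropped logs are a blind spot
        else:
            events.append(n)
    return events, unparsed


def failures_by_ip(events):
    """One query over every provider: failed actions per source address."""
    return Counter(e["source.ip"] for e in events if e["event.outcome"] == "failure")


if __name__ == "__main__":
    evs, bad = load(SAMPLE_LOG)
    print(f"{len(evs)} events normalised, {bad} unparsed")
    for ip, n in failures_by_ip(evs).most_common():
        providers = sorted({e["event.provider"] for e in evs if e["source.ip"] == ip})
        print(f"{ip}: {n} failures across {providers}")
```

In the constructed sample, one address fails against three different providers within three minutes. No single provider’s console would show that; it becomes visible only after the records share a schema, which is the concrete return on centralizing. The unparsed counter matters for the budget conversation too: a pipeline that quietly discards what it does not understand is paying to ingest logs it never searches.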
Will Outsourcing Help Your Budget?
The market for managed security services continues to grow even in the face of current economic challenges. In fact, outsourcing’s promise — a shared-cost model for access to security analyst expertise — is especially appealing today. However, service quality and customer satisfaction can differ enormously between vendors.
Managed detection and response (MDR) providers that integrate downstream capabilities like incident response and threat hunting into their cybersecurity framework offerings may provide the most value. All too often, traditional managed security service providers (MSSPs) function primarily as an alerting engine. These can deliver too many false positives to be truly useful to your internal SecOps program. Seek out a vendor who understands your industry and business model, and who can add to the capabilities of your internal team.
No matter what the coming months may bring, recruiting and training security analysts will likely remain a high and relatively fixed cost. By focusing on essential tools and strategies that can maximize the efficiency, performance and job satisfaction of your current team, you can streamline your security operations program and see greater cost savings.