Why focusing on technology spend at the expense of human cyber resources is risky [Q&A]

As we enter 2023, factors such as an uncertain economy, inflation, the fear of a recession, hiring freezes and layoffs, and supply chain issues continue to take their toll on businesses -- impacting not only daily operations, but budgets for the new year.

When it comes to cybersecurity spending, in particular, Curtis Fechner, engineering fellow, threat management at Optiv, says many executives expect their budgets to be unchanged in 2023, which is a best case scenario as the risk of cuts amid an uncertain economy and business landscape looms large.

We sat down with Curtis to get his thoughts on how he thinks stagnant or reduced cybersecurity budgets will affect businesses in 2023.

BN: How do you think companies will handle flat or reduced cybersecurity budgets?

CF: Successful cybersecurity programs require equal investment in three areas: people, processes and technology. However, if there's only so much money to go around, I suspect many organizations will upset the balance by throwing money behind new technology. We've already seen this start to happen this year, with organizations including information security professionals in large-scale staffing reductions, and this will continue into the new year.

With so much hype around automation, many executives have convinced themselves that technology can take the place of humans -- but the reality is that we're nowhere close to achieving this desired outcome. Good tools certainly can help with risk reduction, but I also believe those tools are only as effective as the people who will use them. And so, companies that do focus on technology spend at the expense of their human cyber resources will probably find themselves at greater risk of a major cyber incident or breach in 2023.

BN: Can you explain how cybersecurity personnel reductions can increase security risk?

CF: Security teams working in Security Operations Centers (SOCs) have long been battling alert fatigue, and this problem isn't going away anytime soon. Hundreds of alerts are pouring in from the disparate security tools implemented across a company's IT environment, and security analysts are tasked with manually investigating each one, identifying legitimate threats and then responding quickly to mitigate risk or limit damage. This is a process that takes tremendous time and effort. Reducing the number of security analysts on staff leaves remaining personnel to pick up the slack in an already overwhelmed SOC. They'll certainly do what they can, but there are only so many hours in the day. When security professionals are overworked and overwhelmed, there's a higher risk of legitimate threats slipping through the cracks or not being identified in a timely manner -- which then causes an overall uptick in severe incidents.

BN: Do you foresee other risks, as well?

CF: I think there will be a broad-spectrum de-emphasis on humans, largely to the detriment of many organizations. We'll see this not only through reduced headcounts, but also in terms of career development -- for example, investing in employee training.

The employees who still have a job will face training budget cuts, robbing them of the education and hands-on training they need to effectively protect their organization. For example, without training, security teams lack real-world incident response (IR) experience and practical knowledge, rendering them woefully unprepared in the wake of a breach or other cyber threat. Companies may put up enough money for a single annual IR tabletop exercise every year, but this cadence is not nearly enough to allow IR participants to build the right 'muscle memory' needed to fulfill their role in the process.

So, companies then have a two-fold problem: they are short-staffed on the security front and the people they do employ aren't being given the tools required to adequately secure the company.

BN: Any words of advice for companies going into 2023?

CF: Don't overlook the human element in cybersecurity.

Highly motivated attackers can achieve considerable impact against their targets in a very short window of time. Their goal is to work faster than the SOC can respond, and we're not helping SOC teams by diminishing their resources and taking away their training.

Some companies believe that technology gives them the ability to work faster than attackers by automating security controls. But, if automation is trained against historic attack techniques or indicators -- and if we look at a lot of products leveraging this historic data to train their machine learning models -- then we may fail to prepare for emerging threats leveraging novel tactics and techniques. And, if detection is imperfect, then automated technology will either fail to contain the threat, or it will result in false positives that disrupt the business. The irony is that the security professionals who are being laid off at the expense of these technologies can actually find anomalies that technical controls miss. Therefore, without the human element in the process, security risks go up and organizations make themselves more vulnerable.

The threat landscape is only getting more sophisticated, and attackers are becoming increasingly adept at exploiting new vulnerabilities and identifying new security control gaps. Going into 2023, companies should continue to invest in their people, give them the training they need to succeed, and ensure their technology solutions complement -- rather than replace -- humans. When companies are able to maintain the proper balance between people, processes and technology, they can build strong cybersecurity and cyber resilience postures that will help them identify, respond to and withstand any type of attack.

© 1998-2024 BetaNews, Inc. All Rights Reserved.