Navigating the complexity of the cyber security solutions market. ...And a few things to avoid.

By: Peter Pakjou

As someone living in the cyber security industry, I can confidently say that the marketplace for services, software, devices and more has become increasingly complex. But why is that? One would think that as cyber security threats become more severe, the solutions market would, at the very least, become more easily navigable. But alas, it has not.

Instead, the market is fractured into disparate camps—ranging from the simplistic old-school appliance mindset to precise solutions. As a result, it takes seasoned cyber security professionals to discern which is best for an organization’s infrastructure. Oh, and don’t get me started on services.

To illustrate the vast differences, here are a few examples of types of organizations and how they may or may not choose their own cyber security approach and subsequent solutions.

The first type of organization falls into a camp that I call “the entry-leveller.” Now, please understand that it is not a disparaging remark or attack. Instead, the comment is to grade an organization’s current cyber security mindset or posture.

These environments are typically constrained by one of two things: budget or know-how. And in some instances, the organization may be simply low on cash flow and expertise. Countless start-ups easily fall into this category. It’s by no fault of their own, but simply due to resources. The unfortunate reality of these organizations is that it becomes not a situation of “if” but “when” they will suffer an attack.

Worse yet, the burden of security often falls on the individual employees. The leaders do their best to educate their people on the dangers of cyber criminals and hope that attacks are stopped before anything devastating happens. More often than not, “the entry-leveller” will also encourage strong passwords and the habit of changing them frequently—a good start. Each of these steps above costs nothing and forms an essential foundation.

It’s also here that we often find software and appliances in place to keep the proverbial wolves from the door. It’s everything they can afford, but sadly nothing more.

The second type of organization is what I often call “the diligent”—companies that do everything right as their peers and trusted vendors prescribe. It’s here we find the commonly accepted practices of the day. In addition, they have the right appliances in place, a collection of software-based solutions, solid processes to manage many types of cyber attacks and even consider compliance. All-in-all, these types of organizations have the people and monetary resources to do a good job.

Then, of course, there is “the elite.” These companies have not only the people and resources but also believe that external partners must be engaged to truly “lock down” the organization at every level. Potential practices include penetration testing, ongoing education, highly focused solutions for precise cyber requirements, and more. Oddly enough, the monetary resources are not so different from “the diligent” camp—only differing approaches and desires. The “diligent” can become “elite” if they so choose.

Lastly, though I did say not to get me started, I will point out one severe issue in the world of cyber security—the “all solutions under the sun” vendors that can do more harm than good. Let me explain. I could name hundreds of these types of companies—usually touting a moniker of “advanced business solutions” or the like, whereby cyber security is just one of many divisions within their organization.

Business solutions companies are usually only motivated by product SKU sales, often paired with little-to-no cyber security prowess—this is where the danger resides. They convince the general business population that a mix of their product lines is the ultimate solution. The approach, in turn, creates a false narrative and even a potentially false sense of security. These companies at most have representatives with basic security knowledge who are closer to general business analysts than real hackers. And, to be clear, I’m not saying products are somehow harmful—far from it. On the contrary, they have a critical place in cyber security infrastructure.

I am saying that before you buy another product, work to understand and create your cyber security posture. Every company is different and requires different methods, products and services to stop cybercriminals. To accomplish this, make sure that the companies and teams you engage are actual cyber security experts.

More so, make sure you cover both camps. To implement solutions, engage with well-trained, well-versed security engineers and defence security professionals. Also, ensure that you have real hackers on your team to identify all potential issues or gaps created during implementation.

It’s time to think like an attacker and make the right decisions for your company’s safety, security, and longevity.