Dave Cartwright is the Head of Technology Operations & Risk/Chief Information Security Officer at Santander International and the keynote speaker at the 2023 ITC Cyber Summit.
In this blog, Dave provides his insight on the importance of getting the basics right, how the deployment of multiple security tools can be a challenge, and why throwing money at the problem is not the solution.
I’m lucky enough to be asked to speak at conferences from time to time, and I couldn’t pass up the invitation from ITC Secure to give the keynote at its 2023 Cyber Summit – an annual event designed to address the biggest cyber security trends and issues affecting organisations today. The question I was there to answer was: how do we implement decent cyber security without simply throwing money at the problem?
Now, my first job after graduating was in IT support at a university. And in the 1990s – long before the introduction of exorbitant tuition fees – funding for IT kit was tight. We had seven computer labs to keep running – which meant renewing the kit in at least two of them most years, to keep it current – and a budget that was a long way short of six figures. So, in career role #1 I learned a valuable lesson: make the most of the funding.
Wind the calendar on 30 years, and that principle has stuck with me. These days I work in banking cyber security, so budgets are commensurately more generous, but they are still a long way from infinite. And I suspect most people reading this have an OK budget, but would still like more. How can we make the most of what we have, then?
Pitfalls on not getting the basics right
Well, the first mistake you see is where organisations spend money on security, but then don’t get value from it. And that’s generally not because the systems are rubbish (lousy IT kit vendors seldom stay solvent for very long, so most stuff out there is fairly decent) but because we have an inadvertent tendency to “install and forget”. By all means spend a quarter of a million on (say) a new SIEM solution, but if you don’t have the resources to monitor what it’s telling you, and/or to take action on the outputs, you’ve wasted your money.
And there’s a side-effect on spending time looking for new systems and justifying the spend to the bean-counters: we have this inherent desire to look for shiny new toys but forget the less exciting stuff we already have at our disposal. Many things we buy have defences built in – often at no extra charge – which we just don’t use properly. Implementing an operating system that comes with a world-class anti-malware product? Turn it on. And if the basic version is free but there’s an extra charge for the enterprise management suite for it, consider spending the money on that rather than on a completely separate AV suite. Most of us have loads of free or cheap stuff at our disposal which we disregard in our quest for bigger and better offerings.
Then take a look at good old Cyber Essentials. It tells us to do all the basic stuff – use a firewall, change default passwords, implement AV software, keep system and software updates current… it’s all very simple in theory, but it’s similarly easy to do in practice. Yet we still find routers with administrator password “admin”, and just as we find them, so do the bad actors. After all, the latter have to expend no effort to do so – they just set an automated robot to probe thousands of systems and wait a minute or two until it’s found some credentials.
Everything in these last two paragraphs can be done with (in the worst case) modest investment, and much can be achieved with zero money and just a little time and talent. So just get on and do it. Incidentally, there’s a tendency in cyber circles to trot out phrases like “risk-based approach”. And while risk assessments have their place, the fact remains that you’re never going to do a risk assessment where the outcome doesn’t lead you (say) to implement anti-virus software – so get it implemented rather than mucking about doing an analysis that’s only ever going to have one answer.
Making the most of your security investments
The general view in the cyber profession is that just doing the Cyber Essentials basics can defend you from up to 80% of attacks – which is pretty good at the price. But then at some point you have to consider what more you need to do. And here’s where you can do your risk analysis, because it’s where you (by which I mean senior management) need to start weighing risk against cost. Getting to a defence level of around 80% is pretty trivial, but getting from there to 85% will generally cost an order of magnitude more in both time and money.
The next 5% step to 90% will be even harder than that. Hence you have to provide management with analysis, facts, costs and recommendations and help them agree a risk appetite and a budget (and, most importantly, to get these two things to align and to remember that you might need new people as well as new hardware and/or software).
At this stage, some organisations make the mistake of buying top-of-the-line cyber security technologies but then lack the skills, expertise, and resources to configure and use them to their full advantage – an issue compounded by the cyber skills gap of more than 3.4 million professionals globally.
As a result, many organisations turn to managed security service providers (MSSPs) to remove the burden of deploying, configuring, and managing their security across multiple environments. MSSPs provide 24×7 threat detection and response capabilities, as well as the expertise needed to properly configure and maintain security technologies. In addition, MSSPs can help organisations keep up with the ever-changing landscape of cyber threats resulting in a greater ROI. And if you’re paying an MSSP to manage part of your estate, you stand a decent chance of them having the people they need in order to exploit the investment that’s been made in the tools and applications.
Always seek to do more with what you have
When you’ve done this, off you go and implement what you need to. But then use it properly. Do your regular checks, have a regime of responding to alerts, get on the “front foot” and be proactive in finding new things you can do with the expensive stuff you’ve bought. Get as much value from it as you can.
But never lose sight of the potential to do more with what you already have in parallel. In my ITC Cyber Summit talk I gave the example of a security reporting system I used in a previous job. It was all about user access reviews, and while we could have gone out and spent big money on a commercial solution, we instead used a combination of PowerShell, SQL Server and Power BI, (all of which we were already licensed for) and the only additional spend was on 12 weeks of a Power BI contractor because our in-house resource was at capacity. It reduced manual effort of user reviews by maybe 80%, and paid for itself in weeks.
So yes, security isn’t free. In all but the smallest organisations you will need to spend money on it. But in order to be reasonably secure you don’t need to spend much money – so make the most of what you have, and focus your significant spend on additional things you need, not cool-looking things you want.
To watch Dave Cartwright’s full session at the 2023 ITC Cyber Summit, visit the 2023 ITC Cyber Summit on-demand page.