To say that 2021 has been a unique year for security is an understatement. While security leaders are hopefully close to having the pandemic under control in their organizations, ransomware is on the rise, the cost of a breach is increasing and many small- and medium-sized enterprises are being forced to put security front and center.
Complicating matters is the need to balance reopening the office and incenting workers who have been remote for two years to return. The world has changed, the “old way of doing things” will no longer suffice and the new “norm” means organizations don’t have the luxury to ignore security any longer. Security has made its way to the top of the priority list and it’s not going anywhere. However, the reality is that building out their security strategies will present obstacles and challenges. Let’s take a closer look at what security challenges small- and mid-sized organizations can expect throughout the rest of 2022 and how to address them.
Talented employees are hard to find, and the good ones continue to get more expensive to retain. Everyone has had talented employees resign because they were given significant salary increases and better titles by the next employer. This begins the uphill battle of finding comparable talent within budget and with no impact to commitments made to the leadership team.
Talent predictions for 2022
Security and information technology (IT) organizations everywhere are faced with similar challenges and are forced to make some difficult choices: Should organizations pay agencies to help find talent? Should they pay for talent they’ve sourced themselves and deal with the fallout later? Do they hold out to find the right candidate at the right price, even if it takes months? Do they train their employees internally only to have them leave in a year for that better title and higher pay?
This forces a focus on the outcomes. For security leaders, the objective is to reduce the likelihood of a successful cyberattack, or in the worst case, mitigate a successful attack before the organization suffers real damage. To do that effectively, security teams need the right resources to get it done. A recent study by (ISC)² reported organizations would need to grow their security workforce by 65% to effectively defend critical assets. For small and midsize enterprises, this is not a realistic solution. Looking externally may be the best approach to achieving these desired outcomes. Leveraging third-party managed security services (MSS) and managed detection and response (MDR) vendors may be able to help supply the talent that an organization is unable to source.
While IT budgets are under pressure thanks to the rash of cybercriminals making the headlines, cybersecurity is getting some much-needed board-level exposure. Ransomware gangs are taking their proceeds and reinvesting them in their criminal enterprises, essentially upskilling themselves. As a result, the visibility of cybercrime has resulted in an increased prioritization of cybersecurity initiatives, and cybersecurity budgets are being preserved and expanded accordingly.
The challenge facing most security organizations is figuring out which investments yield the best returns and identifying where those cyber dollars should be spent. The adversaries are constantly evolving and improving and, unfortunately, there is no silver bullet. When pressed, most security leaders don’t feel as though they are more secure this year than last. The past decade of spending confirms that the current strategies are either not working or aren’t enough. Can an organization accept the business risk of partial protection? For most of us, that answer is “No” — so what does that actually mean?
2022 budgeting outlook
It is no secret that a security strategy built solely on best-of-breed prevention tools is insufficient. To achieve an optimal security posture, balancing investments across prevention to handle known threats and broader detection to address unknown threats is imperative. When talking to mid-market organizations, many are in the process of making this journey, and the easiest entry into understanding detection starts with the endpoint solution.
Endpoint detection and response (EDR) tools have been a tremendous improvement over legacy A/V tools, and the explosive growth of the EDR market certainly backs that up. Over the last year, there has been a rise in the adoption of XDR tools, which extend visibility beyond the endpoint. The right detection strategy certainly leverages these concepts, but only protecting a portion of the potential threat vectors is not enough. The biggest problem is the false sense of security this could provide.
While deploying security tools such as EDR and XDR may improve an organization’s posture, tools alone won’t solve the bigger problem for most small and mid-size enterprises. Consider these two scenarios:
- What good are tools if an organization is unable to hire, train and manage the staff to take advantage of them?
- What if the staff a small- or medium-sized organization already has are too overwhelmed to absorb yet another tool?
Instituting the right balance of people, processes and tools based on organizational capabilities will yield more actionable outcomes.
There will always be tools offered to solve every single problem out there, but each requires dedicated talent and resources to evaluate, manage and maintain them — something that most organizations cannot afford. This is where a managed approach can stretch dollars and allow security teams to focus precious resources on tasks that are more critical and/or that add value to an organization.
Challenge: Changing environments
This is certainly not a new problem, and it speaks to the lack of processes developed between the IT and Security teams. Over the last two years, the stakes have gotten a lot higher. With the commoditization of ransomware, bad actors can attack targets with greater ease and get paid via untraceable cryptocurrencies, and it takes more time to identify and contain a breach. The constant mainstream headlines only embolden the adversaries.
Addressing environmental change in 2022
Ransomware will still be a problem in 2022 and beyond. With compromised credentials and misconfiguration serving as some of the most frequent attack vectors for cybercriminals, it’s no wonder ransomware continues to be a concern. Not surprisingly, in 2021, the frequency of ransomware attacks doubled from the previous year, according to the 2021 Verizon DBIR Executive Report.
Traditionally, patching has been the tried and tested method to proactively minimize vulnerabilities. This one is tough because patching has been a concern for a very long time, yet organizations still struggle to get it right. Even when alerted to active exploits happening in similar environments, users may remain unable to address their exposures. The process of patching was just too challenging.
It's easy to over-rotate to people and tools; however, the proper way to address this is via a three-step process:
- Maintain a proactive patching program
- Augment the program with a reactive emergency patching protocol
- Implement a comprehensive detection and response program to catch threats that evade the defenses
Many MDR vendors are building automated response capabilities. Addressing configuration issues and vulnerabilities has not historically been considered a core responsibility or capability for automated response. Response actions are typically triggered to address breaches and incidents. Security and IT teams have an opportunity to leverage response actions to service emergency patching. During active exploits, seconds do matter, and organizations do not have the luxury to wait until the next patching window. Leveraging existing instrumentation, complete with the requisite integrations, greatly simplifies that task. Many organizations may still not want to have fully-automated response actions, even in an emergency situation, but having a human-guided response option with a manual approval step could certainly address that concern.
This is the single biggest area for improvement that will yield the quickest results, yet it’s the one that is most often neglected because of the difficulty in coordinating between departments (process challenge) or the lack of sufficient resources to get it done (people and tools challenge). The process challenge of misalignment between teams can be attributed to a shift in stakeholders. Historically, IT has called the shots when it comes to patching, but over the last few years, security has increasingly had a seat at the table and, in some cases, is now responsible for calling the shots on traditional IT processes. From a people and tools perspective, it’s important to note that organizations don’t have to do it alone. This is where MSS (patching) and MDR partnerships can provide the cost-effective option.
There are three big challenges facing organizations in 2022: securing and retaining talent, paying for security and keeping up with changes to the environment. The common theme that cuts across all three of these is that, excluding the largest of large enterprises, it’s very difficult to manage all of this without help. Maximizing returns requires some out-of-the-box thinking. Take a step back and ask the critical question: Does your organization have the talent, budget and resources to effectively manage security at the scale your organization requires? If not, then it’s worth taking a closer look at managed services.
MSS and MDR solve different problems. Choosing what to outsource will help identify the right vendors to approach. MSS is suited for the management of existing tools (managed firewalls) and performance of dedicated tasks (like penetration testing), while MDR is suited to those looking for a more comprehensive detection and response approach to their security posture. The right MDR combines pre- and post-breach detection across hybrid and multi-cloud environments to not only reduce the likelihood of an attack, but to also reduce the impact of one. With the right combination of platform, threat intelligence and expertise, organizations can effectively achieve their desired business outcomes.