Are you over-investing in security?
It's been twenty years since Donald Rumsfeld made his infamous 'unknown unknowns' statement, a somewhat tortured yet accurate expression of a complex situation. The argument that there are known knowns, known unknowns, and unknown unknowns is also a perfect summary of cybersecurity.
Digital security battles criminals who continually adapt their methods. While we accept the myth of the Hollywood hacker - a nerd in the basement feverishly typing commands as a countdown clock narrows their opportunity - real cybercrime is very different. Cyber criminals use a blend of guile, deception and patience to compromise their targets.
These criminals bide their time and look for easy marks. They operate in the shadows, and they only need one break to cause havoc. Meanwhile, cybersecurity staff try to anticipate and stop each of those opportunities. Herding cats, whacking moles, cutting heads off a hydra - choose your analogy because they all ring true to the situation. There are a lot of known unknowns and unknown unknowns.
Astute companies want to prepare for this, so they add security services. But no single security system will give you maximum coverage. Specialisation works very well to prevent known and unknown attacks. The best approach is to add multiple security services focused on different threat areas, integrated to create a single security mesh that deflects criminals and limits the reach of a breach.
The best security is layered security. But the temptation to keep adding new security systems paradoxically weakens protection. You find a hole, so you close it with a new service. On paper, this is smart. In reality, it can make your security worse and more expensive, as you have to contend with more gaps and costs resulting from poor integration.
This challenge is called the security complexity problem, and some commentators already regard it as the biggest threat to modern security. They have a point: modern businesses rely on a rich mixture of technology systems and services. Complex systems can have many holes - unknown unknowns - and criminals want to find those holes.
Problems occur when new security systems aren't sufficiently designed and configured to cover all the targeted risks. Poor integration with other systems, delays in patching and security staff shortages aggravate the situation. We can blame other factors, too: an obsession with compliance and a 'silver bullet' mentality are common pitfalls.
It is very easy to overinvest in security and think you've made gains when, instead, you're making it easier for the bad guys. If you choose technology ahead of people and processes, you end up with complex security that dilutes your protection. Chances are that you already have most of the capabilities you need to be very secure - they simply aren't properly implemented and managed.
Before making new security purchases, audit your security systems and their integrations. Use an agnostic platform that gathers metrics directly from each security service, combining the findings in a single report. You could gather individual findings from every system and consolidate the data yourself, but that will take many weeks because of different reporting standards. A single-view audit and report platform, such as Encore, creates actionable feedback in near real-time. Then you will discover systems that are underperforming or duplicated. Fix those first to save money and raise effectiveness, leaving room to justify any new additions if necessary.
It's easy to fall into the trap of thinking that more security means better security. When fighting unknown unknowns, it starts feeling normal to shoot into the dark. But untamed security complexity works against you. So, stop and ask: am I overinvesting in security? Answer that question first before making your next addition.