Finding the balance between spend on talent v.s. cloud security tools
Not long ago, it was common for executives to write blank checks to their IT departments for them to go buy whatever security tools they needed to secure their data – with almost everything getting approved. Those sloppy approvals meant ineffective—and sometimes unnecessary—tools were purchased. Security defenses never work well when everything is recklessly thrown at the problem.
It needs—and always has needed—a much more disciplined approach.
Fast forward to 2017 and there’s a sort of hangover after this binge, as these companies are beginning to grapple with the complexity of these tools.
One key reason this strategy failed to deliver is that many did not give sufficient weight to the fact that tools are just one element of a well-thought-out security approach. It also takes having the right talent to make sure it works and can be integrated into their pre-existing infrastructure.
The full cost of security
The lesson these organizations should’ve taken from this experience is that security tools aren’t as effective without the talent to properly manage them. However, acquiring that talent has its own complicating factors.
By merely adding security talent to your headcount, you run the risk of repeating the problems from a few years ago – when companies went on security tool shopping sprees.
The full cost of security, both in dollars and manpower, is beginning to weigh heavily on the same executives responsible for this overconsumption. Fortunately, most are no longer just throwing money at the problem – a trend evident in the decreasing value of many major publicly-disclosed security companies. However, this is more of a cutback from overspending instead of the type of “smart spending” that yields effective security programs.
More than security tools
So, where is that sweet spot for “smart” security spending, balancing security tools and talent? Also, how do we keep from falling into the same trap of “spend till you feel secure” but this time with talent instead of tools?
For most, it’s through a managed security provider. Purposefully-staffed with expert talent and stocked with a selection of tools carefully-cultivated for their effectiveness, they eliminate the need to develop your own ad-hoc, in-house security program.
Not only does this strategy allow for headcount avoidance – by far the costliest aspect of cyber security – it provides the best ROI on security. This is especially true if your core business competency isn’t cyber security.