Can you actually cut costs on IT security?

Firms that spend more on IT security aren't necessarily better protected, says Foursys' James Miller

IT security is clearly a large and growing area of company expenditure, and that was before the recent breaches at TalkTalk and now Vodafone.

But does spending bigger on IT security mean that your organisation is more protected?

I would argue that it doesn't.

Some would say that cutting money on IT security is a bit like the government cutting back on police budgets. But to say that the costs associated with these services should always rise, and that no review should ever take place, is surely a little narrow-minded.

Independent research conducted by IBM (2014) stated that "human error" contributes to nearly all cyber incidents.

The report adds that "forms include system misconfiguration, poor patch management, the use of default usernames and passwords - or using poor passwords - as well as lost laptops or mobile devices".

So if human error contributes to so many cyber security issues, surely before organisations get out the cheque book to pay for another security system, a review into how to better manage IT security as a whole and the associated costs should take place.

Responsibility

Assigning responsibility is usually a good way to ensure things are taken more seriously. Where a whole team has responsibility, that often means no single person is actually taking IT security seriously. I know of one organisation that tied part of the CIO's bonus to ensuring protection against cyber security attacks. All of a sudden, a raft of new and improved security practices was implemented.

Vendor consolidation

Vendor consolidation is also a powerful way of keeping management simple (typically through a common interface, which reduces the chances of human error). The more you buy from a single vendor, the bigger the savings you can get: purchasing five or six security modules or products from one vendor can sometimes save tens of thousands of pounds.

Some might say "surely it's bad security practice to buy all or most of my security products from one vendor; that's going to increase the risk of a security incident?"

Let's suppose your team has the following (for argument's sake):

Check Point for firewall, Cisco Port for email, Bluecoat for web protection, Kaspersky for AV, Becrypt for encryption, Juniper for VPN and Aruba for wireless.

How does your IT security team stay on top of best practice configuration for all these systems, while looking after Windows servers, desktops, Office, iPads, printers and so on?

It doesn't. There are too many consoles, too many systems, and no small team can properly stay on top of all these individual products. As the IBM survey stated, "human error" contributes to nearly all cyber incidents... I wonder why.

Simplifying this approach through today's unified threat management systems means that management and policy maintenance is typically done in one solution, thus there is much less chance of a mistake because engineers have just one solution to manage. I know I'm biased as I work with a vendor that has such a solution, but even if I were an IT manager, I would need to be open to getting maximum security ROI.

Trusting more to one vendor doesn't automatically mean that you are lowering your security protection. None of the point solutions listed above talks to the others or shares security intelligence. They are just point solutions that work in complete isolation, and are therefore inept at sharing threat intelligence.

Some of today's unified threat management systems share security technology across each security area, and even with the end-point, to provide greater intelligence. You would think, for example, that UTM technology able to tell the end-point to terminate a malicious process is years away - but you'd be wrong.

I am not aware of any security vendor (even the biggest ones) that doesn't buy in certain security modules from other providers. Just look at how many security systems were affected by Heartbleed; many used OpenSSL somewhere.

However, I view this as a good thing because you're getting multiple lines of defence from a single vendor, but with multi-vendor tech included. Some UTM providers also include dual anti-virus, so you even get two layers of defence on direct malware analysis. You can also get vendor consolidation pricing and easier, simpler management. And those savings could be invested in other areas of security that previously couldn't be afforded (possibly third-party patch management).

Surely smarter use of existing spending is a better way of protecting our networks, reducing the complexity of network security management and ensuring we have adequate funds to invest in areas of security that are not currently being protected?

What are your views?

Do you think consolidation is the way forward or are you strongly in favour of point solutions?

James Miller is managing director of Foursys