The report was commissioned by cyber security firm Panaseer to gain insight into the industry opportunity for proactive security and the hurdles that organisations need to clear to shift their strategies.
The report identified four main hurdles to adopting a more proactive approach to cyber security:
- A profusion of tools and data that complicates and often frustrates an effective strategy.
- An over-reliance on people to resolve security issues, and the unsustainable business model it represents.
- A “one-size-fits-all” mentality that leads to tools and processes being insufficiently flexible to serve real-world people and processes, often leaving security poorly aligned with business realities.
- Lopsided investments in reactive measures that often result from these failures.
Organisations need to acknowledge and overcome these four obstacles in order to embrace new approaches and make proactive security a reality, the report said.
It identified that opting to “monitor and respond” at the expense of “prepare and protect” is a poor strategy from the standpoint of security performance and cost, especially where the cost of containment and response can far exceed the investment in resilience.
This is clearly illustrated, the report said, by the global impact of the 2017 NotPetya outbreak, estimates of which range as high as $10bn, even though the vulnerabilities it exploited had in many cases been patched years earlier, including in many older operating systems.
And yet, prepare and protect efforts lag behind monitor and respond in many organisations despite security incidents that continue to be traced back to well-known, well-exploited and, too often, preventable vulnerabilities and exposures, the report said.
Scott Crawford, research director, information security at 451 Research and author of the report, said advances in data-gathering, rationalisation, analytics and automation have made a proactive strategy more actionable now than ever before.
“Organisational infrastructures are becoming more complex as billions of smart devices, coupled with a growing diversity of technologies, demand an approach that can scale,” he said. “Adversaries, too, recognise how their strategies must adapt.
“The risks are too great to ignore. The technology is available and so now is the time to take action before organisations become even more overwhelmed by the threats they may have to face tomorrow.”
The analysis by 451 Research supports recent industry predictions from Markets and Markets, which said the proactive security market is undergoing tremendous growth. The market is expected to grow from $20.66bn in 2018 to $41.77bn by 2023, at a compound annual growth rate (CAGR) of 15.1% during the forecast period.
Nik Whitfield, CEO at Panaseer, said the past decade has seen a huge surge in cyber defence technologies that support a reactive fireproofing approach.
“However, we have now reached a point where this just doesn’t work,” he said. “It is an outdated equation where you will never have enough resources to respond, as reacting costs much more budget. It’s like closing the stable door after the horse has bolted.”
According to Whitfield, if organisations are to stand a chance of combating threats successfully and addressing the compliance issues facing all industries, they need a different playbook.
“With limited budgets and resources, and demands for insight and proof, organisations must move from fireproofing to developing a robust, proactive cyber strategy,” he said.
With a better coordinated view of their estate, organisations can deploy secure configurations more consistently, apply knowledge of vulnerabilities across the whole landscape, and enforce appropriate privilege policies consistently, the report said.
Proactive security platforms focused on prepare and protect also allow security efforts to streamline processes and utilise people and their expertise better, the report said.
The report concluded that the need to “prepare and protect” will become more urgent as organisational infrastructures become more complex, with billions of smart devices, coupled with a growing diversity of technologies, demanding an approach to security that can scale.