Looks like cyber criminals are pretty smart after all

New research has shown enterprise organizations are beginning to accept that they are not as smart as cyber criminals, and investments over the course of 2017 will reflect this.

According to Gartner, investment in security will begin to move away from prevention-only approaches to focus more on detection and response. This is expected to be a key area for decision makers through to 2020, as security spend is predicted to top $113 billion worldwide by this point also.

“The shift to detection and response approaches spans people, process and technology elements and will drive a majority of security market growth over the next five years,” said Sid Deshpande, principal research analyst at Gartner.

“While this does not mean that prevention is unimportant or that chief information security officers (CISOs) are giving up on preventing security incidents, it sends a clear message that prevention is futile unless it is tied into a detection and response capability.”

While this could be perceived as a damning verdict on the skills of in-house security professionals, it is simply a case of practicalities. No matter how many defences you put up and how well fortified your perimeter is, someone will eventually find a way in if they look hard enough. It is a simple case of human innovation, which in this context is very negative, but if you present enough people with a challenge, someone will eventually find the answer.

Although there has seemingly been a stubbornness to accept this principle in recent years, the industry does seem to be accepting of it. Perhaps the number of data breaches over the last twelve months have hammered home the fact that there is no such thing as 100% secure, but it corrects a perceived arrogance which may have been in place in a number of the victim organizations; if we are impenetrable, what’s the point in investing in detection and response capabilities?

Telecoms.com is not saying anyone in particular was purposely arrogant, but perhaps the intelligence and creativity of cyber criminals was underestimated?

The research does indicate the idea that there is no such thing as 100% secure has finally filtered through to decision making powers in the enterprise organizations however. Gartner notes a number of new product areas including deception, endpoint detection and response (EDR), software-defined segmentation, cloud access security brokers (CASBs), and user and entity behaviour analytics (UEBA).

As the shift moves towards a more balanced approach of prevention and detection/response, the security strategies are also changing. Here we see more intelligence being incorporated into the security platform. For example, preventive security controls, such as EPP and firewalls, are being tweaked to provide more intelligence into security operations, analytics and reporting platforms.

“CISOs are keen to communicate the return on investment of their security strategy in terms of the business value associated with quick damage limitation, in addition to threat prevention and blocking,” said Gartner’s Lawrence Pingree.

“The key enabler for CISOs in this endeavour is to get visibility across their security infrastructure to make better decisions during security incidents. This visibility will enable them to have a more strategic and risk-based conversation with their board of directors, CFO and CEO about the direction of their security program.”