I’d like to tell you a short story. When working with a client on its security provision, we discovered that it had devoted only 4% of its total IT budget to cybersecurity. “Let’s develop a solution with this 4%,” said the client. It was only at that moment that I realized that cybersecurity is often considered something that does not yet exist. This is a common misconception, and in some ways, it is the fault of the cybersecurity industry.
So what is cybersecurity?
For a long time, the cybersecurity industry has been doing what customers needed: offering products to protect them from existing threats targeting their networks. Moreover, customers were ready to pay for it, and this is more than logical – if there is a problem, people are ready to pay for a solution. But, as a result, the industry has made no effort to provide customers with a clear understanding of what cybersecurity actually is. Protection of information systems was perceived as adding layers on top of the system architecture: build an IT infrastructure, put some security on top and you’ll be fine. IT was something that would speed up and simplify a few business processes, but not yet the backbone of business infrastructure.
Competitiveness, as well as effectiveness and profitability, did not depend on IT. As such, cybersecurity was considered an optional, not an obligatory, part of your business network, demanding an arbitrary amount of investment. People would spend only 4% of their IT budget on security because 4% was what had been allocated for ‘additional needs’.
Because of this, the industry just sold utilitarian products that worked with more or less any company’s servers and computers. The only difference between offerings was the number of endpoints and servers that needed protection, or for which budget was available.
Back then, the answer to the question “what is cybersecurity” was simple: cybersecurity is the software you buy to protect your IT infrastructure from malware. However, the modern business environment – at least when it comes to large enterprises – is transforming and so should the cybersecurity industry.
Today we live in an ultra-connected world. In an era of digital economies, where technology has become deeply entrenched in our lives, modern and efficient IT infrastructure is an integral part of any profitable business. When a business thinks about what kind of IT infrastructure it needs, it doesn’t consider how to apply it efficiently, but rather what business goals can be achieved with the technology.
In other words, businesses know exactly what objectives they are aiming at. They want to use the right tools. But, more than that, they are looking for experts to demonstrate and explain what should be done in order to achieve their needs; not just someone who will propose a unified solution that (supposedly) fits everyone.
Yes, modern cybersecurity solutions protect against all the major sophisticated cyberthreats. But that’s not a killer feature anymore. Security software is rapidly becoming a commodity. Protection from any kind of cyberthreat is not something that modern businesses are looking for. That is something they already have, so it doesn’t solve their cybersecurity challenges.
What would solve them?
The new ultra-connected and digitalized business environment requires a specific approach not just to cybersecurity, but to the very process of accessing cybersecurity. The latter includes not only finding cost-effective security technology that performs well in security tests but also understanding what kind of protection a particular business needs. By default, any business has little insight into which specific protection fences it needs to build to mitigate emerging attack vectors.
Should a business prepare itself for attempts by Chinese or Russian-speaking hackers? Should it invest considerable money in expensive solutions that would protect a particular part of the company from disruption? Or is the probability of such an attack so low that it would be more profitable to have this risk covered by insurance?
Would the NotPetya malware have brought the same amount of damage if the victims had known in advance that – given the global distribution of their business – they should pay more attention to protecting themselves from supply chain attacks?
These and other questions are really hard to answer if you don’t have security expertise. On the other hand, as the experts, the security industry must stop trying to create one single product that addresses the myriad risks that different businesses face.
That is why the cybersecurity industry is moving from a realm of unified boxed products towards expertise-based, business-needs-driven, unique solutions. As an industry, we must start to listen more to what clients are looking for, and we must start putting our knowledge about cyber threats into the context our clients are living in. This means creating specific, tailored and unique solutions to protect businesses from the threats they really risk facing, not from those that would have minimal impact on the performance of the core business IT systems and would be difficult to justify from a budgeting perspective.
The cybersecurity industry needs to learn how to minimize risks based on customers’ goals and desired results, not on the threats that customers should be protected from.
Cybersecurity is no longer just about providing software protection from all possible cyber threats, be it malware, spam or advanced persistent threats (APTs). It is not what you buy, but what you get. Previously, a notification from a security product about malware being caught on an endpoint was a sign that you were protected; proof that you made the right investment. Today, a wisely built IT infrastructure armed with specific protection technologies that is astonishingly expensive and not cost-effective is pointless cybersecurity. A better indicator of cybersecurity is the fact that you didn’t lose a penny due to cyber-incidents in the last quarter.
So, is it realistic to build proper cybersecurity with a limited budget?
Of course, it is. But with one important condition. This budget should be estimated as a result of expert cooperation between a business and an information security vendor. If a company’s IT infrastructure is a vital mechanism that ensures the business functions, then the cybersecurity industry is a vaccine to give this mechanism immunity from problems threatening it without causing any side-effects.
Alexander Moiseev is the Chief Business Officer of Kaspersky