Saturday, 27 June 2020 14:05

How security teams can find funding longevity

By Jim Cook

GUEST OPINION* by Jim Cook, Attivo Networks: Security traditionally leans on risk and relationships to get the job done, but could use some stronger metrics to show its efficacy and value.

Security operations centres are a critical line of defence for many organisations against the threat of attacks, data breaches and other security concerns.

Yet research shows the SOC is allocated less than one-third of the total IT security budget, on average. What can be done to change this?

It’s worth considering what we know about how security, and a SOC in particular, justifies its existence, budget and organisational value.

A well-resourced security operation is a risk offset - a type of insurance. How much risk are you taking and what are the consequences if you don’t invest?

Risk continues to be a useful justification for security spend given the number of high-profile companies that keep getting pwned, and growing acknowledgement of certain attack types in the forward-looking risk factor statements of listed entities.

Over the past decade, we’ve seen methodologies like the return on security investment (ROSI) try to quantify what this risk looks like in real dollar terms, though many of these methodologies fall short on delivery.

“CFOs and CEOs would be ecstatic to see detailed and specific ROSI, especially if it could be boiled down to a dollar figure. This would streamline budget assignment and approvals as you could easily calculate a quantifiable benefit,” writes Attivo Networks’ Chief Deception Officer Carolyn Crandall.

But risk is not the only path to security budget. A SANS Institute presentation suggests the first 80% of the budget battle is to “find a friend” in the C-Suite and show them “how investments in the SOC act as force multipliers.”

Proving that any security spend is a force multiplier is already hard to quantify with existing methodologies.

Additionally, by pinning future hopes of investment on executive visibility, one must bank on the executive’s tenure being long enough to produce a sustainable funding outcome; CEO turnover in Australia last year was 21.9%, according to PwC figures.

Achieving longevity of security funding may require us to step away from opaque costing of risk and a reliance on executive relationships, and instead find better ways to price and value what it is we do.

Two possible measures come to mind.

First, it may be possible to quantify the cost of not containing an attacker at the perimeter of the corporate network where their ability to inflict damage is still somewhat limited.

Recent Mandiant research showed 54 percent of early-stage attack tactics are missed and 53 percent of attacks “successfully infiltrate environments without detection”.

Dwell time - how long an attacker is able to remain undetected before being discovered and booted out - has drastically improved over the years, down from a median of 418 days in 2011 to 78 days more recently.

Ideally, attacks are detected quickly and contained to a point where the attackers (and their motives) can be safely observed without impacting operations.

Deception Technology layered over traditional endpoint protections such as endpoint detection and response (EDR), firewalls or intrusion detection and prevention (IDP) systems provides one way to create that containment.

An attacker can be lured into engaging with fake credentials, data and systems, leaving them with an impression they are making headway while they are, in fact, firmly sandboxed at the periphery.

There is a clear benefit from not letting an attacker break out from the first system they hit. However, more work is needed to model this as a tangible value of security investment.

Second, it may be possible to put a price on security alerts or, more to the point, on the value of alerts produced by different security systems.

SOCs handle masses of alerts, yet many of them aren’t particularly useful. Mandiant’s recent research pointed to only 4% of reconnaissance activity and 9% of attacks actually generating alerts.

Of alerts that are generated and received, up to 82 percent are never followed up, one security industry analyst mentioned to me recently.

Security teams have long desired a way to cut through the noise and false positives to get to the most sensible and serious alerts. Some systems do this better than others.

There is an overall productivity enhancement to be had from receiving only high-fidelity alerts that are actionable or even automated - so that if ransomware, for example, is detected, you can automatically prevent the spread.

The fidelity of alerts from Deception Technology platforms can be extremely high, because there is no chance of false positives. Nothing legitimate should ever touch a deception environment.

There is no business-as-usual value in deceptive credentials, data or systems, which means they won’t ever be found except by those that come looking.

*Jim Cook is the ANZ Regional Director at Attivo Networks.
