Cybersecurity is an all-over kind of problem. You need to be prepared for anything because attackers can change their strategies on a dime.
The potential for rapid change makes it hard for IT and security leaders to put effective cybersecurity plans in place and acquire the right cybersecurity technology to deliver that plan.
No one has an unlimited budget for cybersecurity. When you’re putting together your strategy there are always trade-offs, and sometimes the trade-offs seem impossible. But with forethought, planning, and careful management, you can turn those impossible trade-offs into intentional choices.
What is an impossible trade-off?
So, what do we mean when we talk about impossible trade-offs?
Consider one common tactic – sometimes proposed by vendors that don’t understand your real needs – to take an incremental, ‘ordered’ approach to security preparations.
A vendor might suggest, for example, a quarter-by-quarter or vector-by-vector approach, tackling one area at a time, spreading out both the work and the budget. One quarter they might work on protecting endpoints, and the next on ransomware prevention, for instance.
The problem with this approach, however, is that it brings about ‘impossible’ trade-offs. How can you choose to address one security vector over another and feel like you’re doing the best security job possible? All an attacker needs to do is adjust their strategy and target a vector you didn’t secure.
However, the flip side of this example—addressing all vectors at once—is also a problem. You need to protect all vectors simultaneously, you can’t afford to do so, but you also can’t afford not to do so.
Trying to secure all vectors forces organizations to stretch their resources, giving every area some coverage but none of them enough.
Other impossible trade-offs reveal themselves later as gaps, inefficiencies, depleted budgets, or as vulnerabilities that come to light through headlines in the news after a high-profile breach.
So – where do we go from here?
How then can we manage our impossible trade-offs to make them into intentional choices?
First, do a complete and accurate assessment of your current situation. Where are you now in terms of your security preparations? Identify the critical threats to your industry and the key threats to your specific systems and configurations. Something that might aid you in this is our blog on Threat Modeling.
Second, perform a thorough gap analysis. Identify gaps in people, processes, and technology. Assess risks to inform next steps, such as technology purchasing decisions.
And third, come at the whole process with an attitude of intentional planning. Through planning and intentionality about your trade-offs, you have far better control over them. Seemingly impossible trade-offs become “possible” ones, and a more reasonable path forward is found. Note, this planning process includes allowing room (in your budget) for contingencies - some trade-offs are only impossible because your budget was spent all in the first quarter.
Making the impossible possible
To secure your business while making these intentional security choices, recognize three core areas that comprise your security maturity and readiness: threat intelligence, data monitoring, and proactive preparedness (such as pre-emptive efforts to harden your systems).
Then take stock of three approaches that you can use to tailor your approach to address gaps, vulnerabilities, and harden your system:
Weigh the trade-offs between these various approaches against your known gaps and vulnerabilities very carefully to determine the best solution. And remember: the three methods above are combinable in different ways depending on your organization’s specific needs (and budget).
Recognize, too, that you can’t do everything in-house, that you can’t do everything at once, and there is no perfect order to tackle these tasks (no matter what any vendor tells you).
Instead, make your funding allocations smarter by choosing the right approach to address the right vectors. For example, your gap analysis might reveal you don’t have detection and response capabilities. You could outsource with an MDR provider to address that gap.
Likewise, you might have a vulnerability scanner, but what if you don’t have the in-house resources to remediate those you identify? In that case, you would benefit from a co-managed approach.
Whatever the specifics of your situation, you need to solve those three core areas in ways that turn impossible trade-offs into reasonable, intentional compromises.
Download our free whitepaper
Want to make your trade-offs more possible through intentional planning? To get you there faster, we’ve already done a lot of that trade-off analysis for you. Our white paper covers pros and cons of each approach against the three core security functions, so you can easily see where your best options lie and make a plan that’s tailored to your situation.
Download your free copy of the whitepaper now. Click here.