Op-Ed: More isn’t always better in cyber security

There are many reasons for this misalignment, but it’s mostly the result of four pervasive myths that are based on the perception that more — data, technology, people, and control — will deliver better protection. Believing these myths leads to increased effort and misalignment, and prevents cyber security functions from unlocking their true value, inhibiting security program effectiveness.

Myth 1: More data

More data and risk analysis doesn’t drive better protection. Despite the investment of much time and money across the industry, a recent Gartner survey found that only 36 per cent of cyber security leaders were able to drive action using cyber risk quantification.

Instead of more risk analysis, savvy cyber security organisations are pursuing an approach that Gartner calls “minimum effective insight”. That means bringing to the table the least amount of information required to draw a straight line between the enterprise’s funding of cyber security and the amount of cyber vulnerability that the funding can address.

Every enterprise aspires to risk-based decision making. Minimum effective insight enables that. After all, an enterprise’s cyber risk appetite is what is left over after it funds cyber security.

Myth 2: More technology

While it’s true that cyber security functions cannot operate without extensive technology, there’s a pervasive belief that “around the corner is something new that will be better than what we have”. This leads to a build-up of tooling without, in most cases, a commensurate improvement in cyber security.

Instead, leading cyber security organisations are pivoting from “more technology” to a “minimum effective toolset”.

VIEW ALL

From an architectural standpoint, this means pursuing vendor consolidation strategies and embracing more convergence and composability within security platforms — rather than relying on best-of-breed but loosely coupled cyber tools. This approach helps cyber security push past the myth of “more tools” by installing new design principles into the security architecture.

The minimum-effective-toolset approach enables cyber security to be very critical when evaluating either what they have or new solutions, and only keeping or incorporating tools that add sufficient value to make up for the effort required to manage them.

Myth 3: More cyber security professionals

Australia is in the midst of a cyber security skills shortage, and it’s wishful thinking to believe that organisations can hire their way out of this crunch.

Every cyber security function has an open headcount, and every business is frustrated by the need to queue up for access to limited cyber security expertise. According to (ISC)², there is a need for almost 40,000 more cyber security jobs in Australia (and more than 2.2 million in the Asia-Pacific region) than there are experts to fill them.

That demand for cyber security expertise is unlikely to stay flat. As more technology and analytic work is done outside central IT functions, the skills gap is only going to grow. Finding more cyber security professionals isn’t the answer. Stop focusing on mere cyber security awareness and pivot to building cyber security competence in the workforce.

Take a “minimum effective expertise” approach using a combination of technology and training for employees to make risk-informed decisions autonomously. According to Gartner, employees with high cyber judgment are twice as likely to avoid introducing additional risk when pursuing digital objectives and are more than twice as likely to create value from those efforts.

Myth 4: More control

We know that most cyber security incidents have a human element. However, putting more controls on employee use of technology and data to reduce risk can have the opposite effect.

Gartner’s latest employee benchmarking clearly shows that most employees behave unsecurely, acknowledge having done so and point to the friction they experience when using cyber security controls. Put plainly, in many cases, it’s more difficult to do the right thing than the wrong thing.

Taking a “minimum effective friction” approach can reverse the unsecure behaviour caused by cyber security controls. Some good examples include reducing the number of logins needed using password-less approaches like passkeys; or applying single sign-on with adaptive access controls to prompt users with multifactor authentication, only when risk thresholds have been crossed.

More broadly, organisations should include “friction checks” in the life cycle management of their cyber security controls.

By busting these four myths and pivoting to a “minimum effective” mindset, true value can be unlocked. This will positively impact how cyber security teams engage with decision-makers, think about cyber security talent, and support the broader enterprise workforce.

Leigh McMullen is a distinguished vice-president, analyst and Gartner fellow in Gartner’s security and risk management team. Leigh will be speaking at Gartner IT Symposium/Xpo on the Gold Coast, 11 to 13 September.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.