On a typical Wednesday morning, a cloud security engineer enters the office at about 8:00 AM and spends the next two hours culling through e-mails and text messages that report on minor security issues that occurred over the last 12-24 hours.
These messages usually include things like phishing attacks where a small group of CRM users had their passwords compromised, failures of the backups that exist to protect against ransomware attacks, and password aging issues with the executive team that cause too many of them to put their passwords on their monitors with sticky notes. You know, a normal day in the life of a computer security professional, both for cloud and on-premises systems.
Humans are Fallible
Most security issues, minor and major alike, rely on humans to identify and/or solve them. Breaking news: Humans are fallible. A study by Ponemon and IBM indicates that misconfigured cloud servers cause 19% of data breaches. This is an expensive problem with an average cost of half a million dollars per breach. This does not take into consideration the potential PR nightmares that could take down a company (and have in the past).
The pandemic relocated many employees to at-home offices. As a result, most of the world accelerated their migration to the cloud, which is considered pandemic-proof. The cloud typically means system modernization, and often offers more modern security measures than most on-premises platforms. However, this rapid migration resulted in some security mistakes or security oversights that have yet to be identified and corrected.
So, where does proactive security fit in? Simply put, proactive security is the ability to automate most of the security operations processes and mechanisms to prevent most attacks by putting up a defensive posture ahead of the attacks.
Proactive security can be done passively, which means assuming that a given type of attack will take place and having the systems put up, ahead of time, the defense most likely to succeed. For example, we define a defense against ransomware attacks to defend the systems on an ongoing basis.
Or, and more commonly today, we define and implement an active defense. This means the ability to detect issues and automatically stand up proactive defenses. The security systems take an educated guess, typically using AI systems, to determine a likely attack as it happens, and then put up an effective defense.
For example, the AI system bound to your security automation systems can consider external attack reports that continuously come in from news feeds. Using this information, it can find patterns that indicate likely attacks as they occur, and ways to stop them.
Defining the True Business Value
What we’re waiting for is the metric that defines the damages an enterprise avoids if a security solution pushes off a single breach attempt. An expensive security system can pay for itself if the amount of money lost around potential breach damages and the resulting PR problems eclipse the initial and ongoing costs of the system.
However, most businesses won’t accept this what-if accounting as a true way to measure the value of a security solution, proactive or not. Most finance departments (and as their reports go up the chain, most board members) want to understand the hard transactional dollars saved versus the soft benefits involved in a mythical tragedy that may or may not happen.
The best way to satisfy the bean counters is to define the value of a proactive security solution with hard-cost savings the enterprise gains by proactively automating the enterprise’s cloud and non-cloud security systems.
One of the easiest and most profitable points is to remove most of the human processes from the equation. A lower number of people required to deal with SecOps (security operations) issues typically results in a big and easily defined cost savings over time.
To build a business case for the use of proactive security technology with hard-cost savings, we advise that you focus on these areas:
- The reduction in manpower to drive SecOps. When you automate so many security processes to provide a proactive security posture, you can remove the people who drive these daily processes and thus save money.
- Fewer people in the process means that human error is less of an issue. Most security issues can be traced to mistakes made by people, not technology. Most of these are small issues that add up, such as forgetting to shut down an account, which can then be flagged in an audit that results in fines.
- Finally, abstract the ops teams away from complex security solutions. Most cloud and non-cloud security solutions today are very complex and require specialized skills to operate them. This leads to errors if you lack the necessary knowledge, and additional costs because complex systems require more specialized staffing to deal with them, such as different talent needed for different cloud-native security systems. Focus on leveraging a security system that crosses systems and clouds and can provide an abstraction layer between the ops teams and the complexity of the security solution. It’s a clear money saver.
How Much Can We Automate?
If you had enough time and money, you could automate almost all security processes and thus be nearly 100 percent proactive. In the real world of budgets, the team in charge of security automation technology needs to consider how they can set up the system to meet the most likely needs of the cloud and non-cloud solutions.
When you pick a tool, it’s not about how well the tool does in relation to industry expectations; it’s about how well the tool will automate security for your specific system configurations.
Enterprise security teams will often pick well-ranked identity management systems, encryption systems, security automation/management systems, and other security technology the enterprise may not need. Eventually they’ll realize that certain automation opportunities don’t exist for the types of systems they want to protect. To avoid this problem, insist on pre-purchase acceptance testing that includes sample automations within and between systems.
Once you pick the right security automation tools, money is the other obvious issue. How much can you invest in this automation? Remember: Security automation is merely a technology platform, one that requires heavy customization to be proactive. This usually means months of development to reach a state of true proactivity. This is where the majority of the investment needs to be made.
Once you remove most system inefficiencies and human errors by using proactive automation, the system can keep the company out of the 24-hour news cycles. Getting there is still difficult and costly, but the results are worth it if done correctly. At the end of the day, optimized proactive security strategies and technologies offer enterprises much more for much less.