
Don’t go chasing cyber tools: Overlooking cybersecurity talent and strategy can cost you

December 1, 2022

One of the biggest cyber blunders companies make is overinvesting in cyber tools and underinvesting in strategy and talent. How can organizations know what security controls they need without an overall cybersecurity program and game plan?

Buying tools can provide business leaders with the illusion of securing their digital terrain but, in reality, this approach may be nothing more than an overpriced “security blanket.”

If I may share a story to illustrate this point: my father-in-law and I recently built a shelf from a single sheet of plywood. I know absolutely nothing about woodworking, but under his tutelage, we used the right power tools (and his skill set) to create a functional shelf. Sure, I could have bought the same tools and materials to attempt to build it myself, but the end result would have been a disaster. His skilled leadership and processes enabled proper tool usage to achieve the desired vision.

In applying this lesson to the cybersecurity landscape, organizations chase tools for a variety of reasons, but sometimes without a skilled “father-in-law” or strategy driving the security program. It is important for organizations to have smart technology leadership informing tool acquisition from the top-down, rather than allowing vendors to dictate their strategy from the outside-in. Investing in an overall technology and cyber strategy that aligns with the business is a key component of a holistic approach to rational cybersecurity.

The allure of cyber tools as an "easy fix"

Several systemic issues can contribute to an organization’s scattershot approach to tools instead of an overall strategy. Cyber threats can spark fear, uncertainty and doubt (“FUD”) in an organization’s technology or leadership teams. A vendor might leverage FUD by pushing a “next-gen-blockchain-zero-trust-artificial-intelligence” widget that can solve all the things. In this scenario, there is a natural instinct to buy the tool rather than sensibly considering how the tool fits into the organization’s overall defensive posture. FUD can be an effective motivator but not a thoughtful one.

Another factor is regulatory compliance. Penalties for non-compliance can be steep, which can make buying “check-the-box” tools attractive. However, many organizations are learning (the hard way) that a hodgepodge of misconfigured cyber tools may have met regulatory compliance but did not prevent a breach.

A holistic top-down approach to rational technology investments

We’ve highlighted some justifications that naturally lead organizations to chase cyber tools. But, how can organizations actually start building a more strategic and holistic approach to cybersecurity?

First, evaluate if you have the right leadership in place. Is it even clear who is in charge of cybersecurity? Someone smart needs to be at the helm with the budget and human capital and given the authority to secure the organization. This includes a seat in the boardroom (or at least direct buy-in from the C-suite). Cyber leadership can no longer be relegated to the server room.

Then, technologists can start addressing the cybersecurity strategy by reviewing the following questions:

  • Learn – What does my business do and what technologies support these business functions?
  • Consider – What risks do these technology assets introduce to our business?
  • Review – What security controls have we already invested in?
  • Baseline – What security framework can we leverage to holistically understand our handling of cyber risk? How can we use this framework to identify where our existing controls are effective, find gaps in our coverage and inform where we need to invest?
  • Discipline – As the business, threats and controls evolve, so too must the cybersecurity strategy. What processes should we put in place to regularly review program maturity against the security framework?

Lastly, business leaders are increasingly understanding that cybersecurity is not a problem that can ever be truly “solved.” Rather, it is an ongoing risk that needs to be managed just like any other business risk.

An organization empowered by strategy can confidently seek the cyber tools that adequately address the applicable risks. Once an organization’s technology leadership understands what they need to protect, they can start buying the right tools for their tool chest. This flips the power dynamic: instead of vendors pushing an agenda, the organization sets it.

Armed with a strong cybersecurity strategy, business leadership can be in the driver’s seat on where to invest in security, taking back their power in order to truly understand how best to protect their organization.
