Security vendors are constantly bringing out new offerings aimed at protecting organisations from the ever-growing threat of cyberattacks. But it’s not a numbers game, and snapping up all of the latest and “greatest” security products won’t guarantee your business will be protected from cybercriminals.
Yisroel Hecht is the former chief information security officer for the City of New York and an associate commissioner of IT security at the NYC Department of IT and Telecommunications. He noted that security vendors are an opportunistic bunch, constantly on the lookout for companies to sell their wares to by playing on their fear of becoming cyberattack victims.
Those who frantically buy up new security offerings are not doing themselves any favours. In a blog post, Hecht said adding more products in an attempt to stave off cyberattacks is counterproductive:
Corporate executives are in a panic to maintain their company brand and are, thereby, compelled to invest extensively in new products to enhance their cybersecurity posture. Unfortunately, many organisations lack the expertise in understanding how to countermeasure the ever-emerging, dynamic and evolving cyberthreats, so they continue to layer their environment with additional security products. This approach creates more complexity in securing their digital assets and, consequently, renders new opportunities for adversaries to compromise their business.
The security market is flooded with new products that are point solutions, each of which the customer must integrate into their existing IT infrastructure. This increases overhead and complexity and can significantly diminish the effectiveness of the products, he said.
Before procuring new security solutions, IT executives should have a clear understanding of the gaps in their organisation’s information security capabilities, according to Hecht. They need to remember that security is achieved through a blend of people, processes and technology.
“Organisations need to tackle this cyber challenge holistically within their establishments through a bottom-up approach with executive leadership support,” Hecht said.
[Via Palo Alto Networks blog]
Comments
3 responses to “Buying More Security Products Won’t Keep Your IT Safe”
User training is still the best proactive security measure imo.
FYI the last few paragraphs are appearing as a hyperlink.
Thanks for flagging! Fixed now 🙂
Agreed. User ignorance (or stupidity, perhaps) cannot be fixed by buying software packages but by educating the users.
Additionally, having all of these security products can create complacency which will be promptly exploited.
On top of complacency, some of the security products even come with their own vulnerabilities.
http://www.lifehacker.com.au/2016/01/trend-micro-patches-anti-virus-product-after-being-blasted-by-google-researcher/
Mr. Hecht is spot on – people and process make products work for, not against, their buyers. Without those pivotal pieces in place, the more products, the greater the potential attack surface, as each runs software with its own set of vulnerabilities.