May 23 2018

Why You Should Conduct Risk Assessments Before Buying New Cybersecurity Products

Don’t spend big money on that next cybersecurity product until you’ve checked these boxes first.

The worldwide market for cybersecurity products and services will surpass $95 billion this year, according to Gartner. That’s a staggering amount of money, and it represents an 8 percent increase in the size of the market since the beginning of 2017.

Is all of that spending really necessary? Much of it is, of course. But in my experience, many organizations purchase new security solutions without first conducting a thorough risk assessment and gap analysis to identify and prioritize their security needs. Some never evaluate their ability to meet emerging threats with existing resources.

Following such an assessment, an organization may conclude that new controls are required, but it may also discover that upgrades and configuration changes to existing controls are needed as well — or, perhaps, are all that’s needed — to provide a solid, layered defense.


Ensure You Truly Assess the Risks

A good risk assessment rigorously evaluates an organization’s current cybersecurity environment. It begins by identifying potential threats to the organization and rating each threat based on its likelihood of occurrence as well as the potential impact if it occurs.

Risk assessments are specific to an individual organization and its operating environment. For example, a major news media outlet may rate the risk of a denial of service attack against its website as high because it is an attractive target to attackers and a successful attack would cripple its operations. On the other hand, a small business selling industrial components may evaluate that same risk at a much lower level because it considers itself an unlikely target for such an attack and the loss of its website would have minimal impact on its daily business.

After flagging potential threats, the next step is to identify vulnerabilities that could allow a threat to be realized, such as a web server running an unpatched operating system with known security flaws, or insufficient network bandwidth to absorb even a small-scale denial of service attack. A risk exists only where a threat against the organization is paired with a vulnerability that the threat could exploit. Next comes a gap analysis, which identifies deficiencies in security controls that may allow a cybersecurity incident to occur. The assessment normally recommends security controls to fill those gaps.


You Should Tailor Controls to Risks

The risk assessment can guide both scanning and remediation schedules of an organization’s entire vulnerability management program. Systems and applications with higher risk levels should be scanned more frequently, receiving priority when remediation is planned. Scan results also provide criticality ratings, which can supplement the likelihood and impact ratings found in the risk assessment and help managers make more informed decisions.

High-risk systems should receive extra scrutiny when performing system patching and hardening efforts. Rather than distributing security resources evenly across all systems, organizations should spend the majority of their time and money working on the systems that pose the greatest risk to the organization. For example, a system involved in credit card processing that is missing a security patch should receive a much higher remediation priority than a system that hosts an internal message board.
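The scoring logic described in the two sections above, as an added example that is not part of the original article: a toy risk register that registers a risk only where a threat meets a vulnerability it can exploit, scores it by likelihood and impact, lets scanner criticality ratings nudge the score, and derives scan frequency and remediation order from the result. The 1–5 scales, thresholds and sample assets are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    impact: int                 # 1 (negligible) .. 5 (cripples operations)
    vulnerabilities: set[str]   # weakness classes present on the asset
    scan_criticality: int = 0   # highest finding from the last scan, 0..10

@dataclass
class Threat:
    name: str
    likelihood: int             # 1 (remote) .. 5 (expected)
    exploits: set[str]          # weakness classes this threat needs

def score_risks(assets: list[Asset], threats: list[Threat]) -> list[tuple[str, str, int]]:
    """Return (asset, threat, score) triples, highest risk first.
    A threat with no matching weakness on an asset produces no risk entry.
    Score = likelihood * impact (1..25), plus up to +5 from scan criticality."""
    risks = []
    for asset in assets:
        for threat in threats:
            if not (threat.exploits & asset.vulnerabilities):
                continue  # no exploitable weakness here: nothing to register
            score = threat.likelihood * asset.impact + asset.scan_criticality // 2
            risks.append((asset.name, threat.name, score))
    return sorted(risks, key=lambda r: r[2], reverse=True)

def scan_interval_days(score: int) -> int:
    """Higher-risk systems are scanned more often (constructed thresholds)."""
    if score >= 20:
        return 1
    if score >= 12:
        return 7
    return 30

# Constructed sample register for a small organization.
SAMPLE_ASSETS = [
    Asset("card-processing", impact=5, vulnerabilities={"missing-os-patch"}, scan_criticality=8),
    Asset("internal-message-board", impact=1, vulnerabilities={"missing-os-patch"}, scan_criticality=8),
    Asset("public-website", impact=4, vulnerabilities={"insufficient-bandwidth"}),
]
SAMPLE_THREATS = [
    Threat("exploit-of-known-flaw", likelihood=4, exploits={"missing-os-patch"}),
    Threat("denial-of-service", likelihood=3, exploits={"insufficient-bandwidth"}),
    Threat("credential-phishing", likelihood=5, exploits={"no-mfa"}),  # no asset lacks MFA
]

if __name__ == "__main__":
    for asset, threat, score in score_risks(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{score:2d}  scan every {scan_interval_days(score):2d}d  {asset} <- {threat}")
```

The same missing patch lands the card-processing system at the top of the remediation queue and the message board at the bottom, and the phishing threat produces no entry because no asset carries the weakness it needs.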


Try to Use Existing Products First

Most organizations have already made a significant investment in security products over the years and continue to pay maintenance and support fees for those products. Typically, those solutions were purchased to meet a specific need in an organization’s security program, and went through a planned implementation in which administrators carefully configured the product to meet the organization’s existing security goals.

If the analysis that led to the acquisition of that solution took place several years ago, both the organization and the product may have changed significantly during the intervening time. It is very common for an organization to be completely unaware of new capabilities rolled out by vendors after a product deploys.

When conducting a risk assessment and evaluating gaps in existing controls, look first to products already deployed on the network before considering new solutions. It’s possible that an existing product has an unused capability that might fill one or more gaps. If an upgrade is needed, it may be covered by a support contract or available as an add-on module, which would be less expensive than purchasing a new solution.

As business leaders are bombarded with messaging about new security controls, it’s important to keep the basics in mind. Any security decisions should be made based on well-reasoned assessment, and purchases should ideally fill high-priority control gaps. Before making any purchase, consider whether upgrading or reconfiguring existing controls might fill the same need.



LJ Davids
