
Why focusing on technology spending at the expense of cyber human resources is risky [Q&A]

As we enter 2023, factors such as an uncertain economy, inflation, recession fears, hiring freezes and layoffs, and supply chain issues continue to weigh on businesses, affecting not only day-to-day operations but also budgets for the new year.

On cybersecurity spending in particular, Curtis Fechner, threat engineer at Optiv, says many executives expect their budgets to stay flat in 2023, which is a best-case scenario as the risk of cuts in an uncertain economy and business landscape grows.

We sat down with Curtis to get his thoughts on how he thinks flat or shrinking cybersecurity budgets will affect businesses in 2023.

BN: How do you think companies will manage stable or reduced cybersecurity budgets?

CF: Successful cybersecurity programs require equal investment in three areas: people, process and technology. However, if there isn’t a lot of money to spend, I suspect many organizations will upset the balance by pumping money into new technologies. We’ve already seen that start to happen this year, with organizations including information security professionals in large-scale staff reductions, and it will continue into the new year.

With so much hype surrounding automation, many leaders have convinced themselves that technology can replace humans, but the reality is that we are far from achieving the desired outcome. Good tools can certainly help reduce risk, but I also believe that these tools are only as effective as the people who will use them. Thus, companies that focus on technology spending at the expense of their cyber human resources will likely find themselves more exposed to a major cyber incident or breach in 2023.

BN: Can you explain how cybersecurity staff reductions can increase security risk?

CF: Security teams working in security operations centers (SOCs) have struggled with alert fatigue for a long time, and this problem isn’t going away anytime soon. Hundreds of alerts pour in from disparate security tools implemented in a company’s IT environment, and security analysts are tasked with manually investigating each one, identifying legitimate threats, and then reacting quickly to mitigate risk or limit damage. It is a process that takes a lot of time and effort. Reducing the number of security analysts on staff leaves the remaining staff to pick up the slack in an already overstretched SOC. They will certainly do what they can, but there are only so many hours in the day. When security professionals are overworked and overwhelmed, the risk of legitimate threats slipping through the cracks or not being identified in a timely manner is higher, leading to an overall increase in serious incidents.

BN: Do you foresee other risks as well?

CF: I think there will be a broad spectrum of de-emphasis on humans, largely to the detriment of many organizations. We will see this not only through downsizing, but also in terms of career development, for example by investing in employee training.

Employees who are still employed will face training budget cuts, depriving them of the education and hands-on training they need to effectively protect their organization. For example, without training, security teams lack practical real-world incident response (IR) experience and knowledge, leaving them woefully unprepared in the wake of a breach or another cyber threat. Companies can put in enough money for just one IR tabletop exercise each year, but that cadence is nowhere near enough to allow IR participants to build up the “muscle memory” needed to fulfill their role in the process.

Thus, companies then have a double problem: they lack personnel on the security front and the people they employ do not have the tools necessary to adequately secure the company.

BN: Any advice for companies entering 2023?

CF: Don’t overlook the human element in cybersecurity.

Highly motivated attackers can have a huge impact on their targets in a very short time. Their goal is to work faster than the SOC can respond, and we’re not helping the SOC teams by diminishing their resources and removing their training.

Some companies believe that technology allows them to work faster than attackers by automating security checks. But if the automation is trained against historical attack techniques or indicators – and many products leverage this historical data to train their machine learning models – we may be unprepared for emerging threats that exploit new tactics and techniques. And if detection is imperfect, the automated technology will fail to contain the threat or will result in false positives that disrupt business. The irony is that the security professionals who are fired at the expense of these technologies may actually find anomalies that technical controls miss. Therefore, without the human element in the process, security risks increase and organizations become more vulnerable.

The threat landscape is becoming increasingly sophisticated, and attackers are increasingly adept at exploiting new vulnerabilities and identifying new security control holes. As 2023 approaches, companies should continue to invest in their people, give them the training they need to succeed, and ensure that their technology solutions complement – rather than replace – humans. When companies are able to maintain the right balance between people, process, and technology, they can put in place strong cybersecurity and cyber-resilience postures that will help them identify, respond to, and resist any type of attack.

image credit: BiancoBlue/
