
Opinion piece: Are cybersecurity investments wasted money?

18 Apr 2016

Article by Raymond Maisano, director specialist sales at VMware

No matter how much money we throw into cybersecurity, it seems to have little impact on reducing the damage of breaches and attacks. In fact, we are starting to see significantly diminishing returns on cybersecurity investment: despite security more than doubling its proportion of global IT spend in the past three years, the cost of security breaches has continued to grow at an exponential rate – hitting almost US$450 billion in 2015. In the words of VMware’s CEO Pat Gelsinger, “the only thing outpacing security spend today is security losses.”

The reason is simple: for all the investment into cybersecurity, it remains largely an afterthought for both IT professionals and C-suite executives. Investments are executed in a knee-jerk fashion when a threat emerges or, worse still, only after it incurs major losses to the business. Even proactive measures are treated solely as point solutions for specific threats, rather than how they fit into broader IT infrastructure. And when it comes to strategic decisions around digital transformation, technologies like cloud and mobile rightly fill the agenda – but security implications typically get left to last, if at all.

Businesses need to entirely restructure security if they want their investments to protect them. They need to treat security as a layer on top of all other IT infrastructure, one that can readily adapt to growth in scale and complexity of systems. They need a software architecture that allows security innovations to be rapidly translated into policies on an enterprise-wide level.

Surprising as it may be, that architecture already exists. It’s called virtualisation.

Virtualisation and the security layer

By decoupling physical infrastructure from the apps running on it, virtualisation made possible everything from cloud computing to virtual desktop infrastructure. Its ubiquity throughout enterprise IT – governing compute, storage, network, and clouds – makes it an ideal architecture on which to “grow” security policies that provide full enterprise coverage, not just piecemeal stop-gap fixes. When a new cloud or network is added to the enterprise, security policies automatically extend to it without the compatibility issues or downtime associated with implementing point solutions.

At the same time, virtualisation allows IT to customise security at a granular level, using micro-segmentation to link security policies to specific types of workloads and automatically provision them in each specific instance. Network virtualisation, for example, can apply security rules whenever a VM spins up and remove them if the VM gets de-provisioned, keeping security coverage both rigorous and lean with minimal reliance on manual procedures.
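The provision/de-provision lifecycle described above, as an added illustration that is not part of the article or of any VMware product: a toy Python model in which policies attach to workload tags rather than addresses, and the firewall allow-list is derived from the live VM inventory, so a new VM is covered the moment it appears and a removed VM leaves no stale rule behind. All names, tags and addresses are constructed.

```python
"""Toy model of tag-driven micro-segmentation (constructed, not NSX code).
Policies bind to workload tags, never to addresses: a VM's allowed flows are
derived from its tags when it is provisioned and vanish when it is removed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src_tag: str  # tag of the workload allowed to initiate
    dst_tag: str  # tag of the workload allowed to receive
    port: int     # TCP port opened between them


# Written once by the security team; never edited as VMs come and go.
POLICIES = (Policy("web", "app", 8443), Policy("app", "db", 5432))


class VirtualNetwork:
    """Tracks VMs and the firewall allow-list derived from their tags."""

    def __init__(self):
        self.vms = {}  # name -> (ip, frozenset of tags)

    def provision(self, name, ip, *tags):
        self.vms[name] = (ip, frozenset(tags))

    def deprovision(self, name):
        del self.vms[name]

    def rules(self):
        """Effective allow-list of (src_ip, dst_ip, port) tuples; any flow
        not listed is denied, so a VM's coverage is exactly its policies."""
        return {
            (sip, dip, p.port)
            for p in POLICIES
            for sn, (sip, stags) in self.vms.items()
            for dn, (dip, dtags) in self.vms.items()
            if sn != dn and p.src_tag in stags and p.dst_tag in dtags
        }

    def allowed(self, src_ip, dst_ip, port):
        return (src_ip, dst_ip, port) in self.rules()


def demo():
    net = VirtualNetwork()
    for name, ip, tag in [("web1", "10.0.1.10", "web"), ("app1", "10.0.2.10", "app"),
                          ("db1", "10.0.3.10", "db"), ("app2", "10.0.2.11", "app")]:
        net.provision(name, ip, tag)  # app2 scales out with no policy edit
    scaled = len(net.rules())
    net.deprovision("app2")  # its rules go with it: nothing stale is left behind
    return scaled, len(net.rules()), any("10.0.2.11" in r[:2] for r in net.rules())
```

`demo()` returns `(4, 2, False)`: four derived rules with two app nodes, two after one is de-provisioned, and no rule still references the retired address.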

But perhaps virtualisation’s biggest boon for IT security professionals is that it operates hand in hand with all existing security products. Rather than necessitating an enterprise-wide replacement of all security applications with a single “master” platform, the virtualisation layer instead allows IT to govern them from a single point of control. More advanced network virtualisation layers like NSX even connect these security applications to one another to share critical security information – and drive faster responses – in real time.

Investment that “raises all boats”

So how can enterprises use virtualisation to make their security spend more effective? The first step is for IT and the C-suite to acknowledge that security must come at the start, not the end, of decision-making processes. Both parties should work together to come up with a plan for how security will meet fast, complex infrastructure growth in a sustainable way – a plan which will inevitably involve virtualisation architecture.

Finally, IT should explore how best to use both new and existing virtualisation platforms to “raise all boats” with performance benefits to all existing applications in their security portfolio. Ideally, virtualisation will connect individual security applications to one another, seamlessly integrate with new innovations when introduced, and automate policies whenever new endpoints or assets come online, reducing the likelihood of vulnerabilities emerging as networks and clouds grow. As IT moves to adopt newer forms of virtualisation – like network virtualisation and even cloud virtualisation – implementation teams should begin to define security at the virtual layer rather than physical device or application levels.

Businesses literally cannot afford to be throwing money away on cybersecurity. The costs of an ineffective security policy are only growing; the risks of breaches already threaten to cripple basic operations and profitability. Virtualisation may be an unlikely candidate as a whole-of-enterprise security architecture, but its ability to span, scale, and automate complex infrastructure is by no means untested: just look at today’s enterprise networks and the cloud.
