The Acora Press Team

The Acora Press Team | 15 August 2024

Right-sized cyber security:
a buyers guide…

Banish the ‘product-centric’ mindset.

Instead choose a right-sized, risk-management approach to cyber security.

All too often, we see CISOs taking a ‘product-centric’ approach to cyber security. By that we mean identifying a need, then simply buying the most expensive, best-in-class solution – often precisely because it’s the latest-and-greatest. In our industry, it’s easy to be seduced by buzzwords and the pronouncements of analysts, consultants and commentators. The more expensive and powerful something is, the logic goes, the better it must be.

Except that’s not true. There is no one solution that suits everyone. In our experience, this often leads to businesses making costly, short-term decisions that actually weaken their security posture. The problem is that no security solution, however big and expensive, is a panacea. Holes can appear anywhere at any time, and the more extensive, complex and distributed your IT environment, the more likely that becomes. It’s also a zero-sum game: the more you spend on one product or problem, the less you have for others that subsequently emerge.

In a bid to win this losing battle, the product-centric CISO keeps asking for more money and people. But for the reasons we’ve just outlined, the organisation’s security position doesn’t improve. So they ask for even more resources, to no lasting effect, and so the cycle continues until the rest of the Board pulls the plug, or the CISO moves on.

The product-centric mindset has other downsides, too. It reduces cyber security to little more than a tick-box exercise: buy a gold-standard solution off the shelf, job done. Is this really how we should be approaching something so fundamental and business-critical?

Far more importantly, you risk ending up with a solution that simply isn’t right for your business. You could be paying way over the odds for a fully managed security operations centre (SOC) service that’s massively more complex and powerful than you need. Equally, you might have a managed detection and response (MDR) service that’s relatively low-cost but doesn’t offer enough protection, leaving you open and vulnerable to threats, attacks and compliance issues. Either way, you won’t be getting a good return on your investment. It’s not a prescription for a safe, secure, sustainable business – or a position any self-respecting CISO wants to try defending for long.

We also see too many organisations relying solely on their security solution’s out-of-the-box capabilities. These cover typical use cases and the most likely scenarios, but your organisation will have its own specific, individual needs and circumstances. Unless and until your solution is optimised for those, you can’t – or shouldn’t – be fully confident in it.

At Acora, we’re on a mission to change all this. We want to help our customers move away from a cyber strategy driven by product implementations to a cyber strategy grounded in business value based on evidenced, real-world scenarios and risk management. Our goal is to ensure your cyber security is aligned with your business goals, risk appetite and other factors we explore in more detail below.

We call it right-sizing. Because somewhere on the scale between MDR and a fully managed SOC, there’s a cyber security position that’s right for you. Our job is to help you find it.

Our buyers’ guide to MDR and SOC services

At Acora, we want to get away from assuming the latest, most expensive, gold-standard solution is always the best one. Under our risk management-based, right-sizing approach, we look at your enterprise security needs holistically and realistically. Rather than relying on a single gold-standard solution, we look for specific solutions – which might be silver or bronze – to address specific risks in particular areas. This allows you to target resources more effectively, reducing your overall costs and improving your overall security stance.

Before we can do that, we need to determine what level of security service will give you the protection you need, in line with your business’s size, complexity and priorities. For most organisations, it’s a choice between a Managed Detection and Response (MDR) and a full-blown Security Operations Centre (SOC) service.

In our experience, MDR is likely to be the better option if your business is: 

  • Unregulated and has a simple environment
  • Challenged with limited in-house security resources and expertise
  • Looking for a cost-effective solution that doesn’t require major capital outlay
  • Happy with a solution that can be implemented quickly and managed using out-of-the-box features and capabilities
  • Wanting to detect, analyse, investigate and respond to threats quickly
  • Focused on core activities, and keen to avoid diverting time and resources to complex security operations

A comprehensive SOC will include managed Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tooling. This is obviously a more complex (and therefore expensive) option, but could be what you need if your business is:

  • complex IT environment and many assets to protect
  • Able to invest in and manage a more costly and complex solution
  • Looking for a highly customised solution that can integrate with existing systems and technologies
  • Operating in a highly regulated sector or industry where detailed logging, monitoring and reporting capabilities are required for compliance purposes

The human dimension

Any security technology can help reduce risk and close up holes in your visibility, detection and response stack. Our point is, the latest all-singing and all-dancing technology might not be the right solution for your organisation. A solution may indeed be wonderful, but if it doesn’t meet your needs, it will simply add to your operational management burden to no real effect; and at worst, it might be a waste of money that actually weakens your security stance.

Not all CISOs or IT functions have the necessary expertise to do this kind of detailed technical analysis. Furthermore, security specialists who want to sell you the latest and greatest technology may not know, understand or even particularly care about your business’s specific nature and priorities.

For example, a major manufacturing company can lose millions if a cyber-attack shuts down the plant for even an hour. Clearly, that’s where it should invest in the best security it can afford. Data loss, on the other hand, is something it can probably recover from relatively quickly and easily, so gold-standard protection isn’t required. On the opposite side, a confidential data breach means serious, possibly terminal reputational damage for a law firm or other regulated business. For them, best-in-class data protection is absolutely essential; everywhere else, ‘good enough’ is probably going to be good enough.

We use a matrix to help you assess the impact of a potential cyber-attack, from ‘insignificant’ through ‘we’d survive’ to ‘this would kill our business’. This then determines both the kind of security system you need, whether that’s an MDR or managed SOC, and where to target your spending within that spectrum.

That overlay of human expertise, insight and experience is what makes our right-sized, risk management-based approach so technically effective and commercially powerful. We want to see the back of the ‘product-centric’ alternative. We hope that now, you do, too.

To find out more, please contact us and one of our Cyber experts will be in touch with you shortly to discuss.