Thought Leadership

Sep 14, 2023

Will today’s security purchases stop tomorrow’s deadliest threats?

A Skeptic’s Guide to New Purchases Part 2

In the first installment of this three-part series based on our recent white paper, The Skeptic’s Guide to Buying Security Tools, we outlined an evidence-based approach to helping your organization justify a new security tool purchase. This included identifying where security gaps exist, if those gaps could be filled by existing tools, and—if not—how to evaluate potential tools that could help. In today’s post, we’ll consider another side of the investment equation: how to future-proof your investment by determining what forward-looking business and security initiatives a new tool may be able to support or streamline. 

What future business-level activities can the tool support? 

Both risk and change are a given. They are also—to some degree—beyond your control. So, we can start with the known: your organization’s own plans for growth and market differentiation. Strategic considerations might include:

  • Where do you stand in terms of securing current or planned digitalization and remote work?
  • Are you migrating vital business workflows to the cloud? 
  • Is senior leadership exploring potential merger and acquisition (M&A) activities?
  • Are new mandates for data privacy taking effect in your industry?

At first glance, the last two bullets might feel too far “upstream” from security tool discussions, but that’s not necessarily so. One well-publicized data breach can put the kibosh on a merger or acquisition. The wrong decision can cost leaders their jobs or put critical infrastructure, public safety, and even life itself at risk, all of which will attract attention the board would rather avoid.

Even if security teams aren’t fully privy to all future business plans, you can gauge whether investments in new tools, services, or platforms may equip you to pivot and become more agile and proactive, something every company wants and will eventually need to do. 

Will the tool help streamline compliance?

Four considerations drive most, if not all, of today’s investments in cybersecurity:

  • Bad things happened (and people heard about it)
  • A business deal or alliance hinges on demonstrating security controls
  • Skills shortages continue to cause challenges on a global scale
  • Regulators or cyber liability insurance carriers require proof of proper security hygiene 

The last bullet might evoke the strongest sense of dread—and urgency—since breaching compliance carries potential fines.

46% of respondents said the primary challenge driving security teams is the increasing complexity/effort to comply with regulations. (Source: S&P Global)

In addition to industry and government requirements for protecting data privacy, many businesses and sectors are also under pressure to adopt or follow security frameworks and modern best practices. These include:

Frameworks like these are important to help ensure all aspects of a security program are being considered. But they’re just a start and won’t provide the prescriptive guidance a business needs to understand which security controls and procedures will work best for their unique case. That’s why many new rules and guidelines specifically prescribe continuous monitoring for threat exposure and validation of your current security controls. For risk and security management leaders, the question isn’t just “What happens next?” but rather “How can we prove we’ll be ready for what happens next?”

This is where the automated, continuous security validation offered by breach and attack simulation (BAS) tools like the SafeBreach platform comes into play. SafeBreach enables users to execute targeted attack scenarios across a wide variety of tools and controls to optimize their specific set of configurations, pinpoint inefficiencies in their stack, and prove adherence to regulatory or compliance requirements.

That said, even with careful planning and execution, achieving compliance doesn’t automatically mean you’ll be able to stop threats. You must continue to test to ensure prospective tools streamline rather than complicate your ability to meet regulators’ requirements—and create audit trails to prove it.

Can the tool help identify risk within our third-party ecosystem?

The 2022 Verizon Data Breach Investigations Report (DBIR) showed that supply chain attacks and failures were responsible for 62% of known system breaches. That’s a lot of risk now taking shape beyond your team’s line of sight, and the trend stands to get worse as it becomes easier and less expensive for threat actors to automate attacks using bots and cloud accounts.

Risk and security management leaders must require prospective partners, platforms, and M&A targets to prove they won’t expose your environment to avoidable cyber risk. At the same time, the need for assurance goes both ways, and more customers, partners, and providers may begin to ask you to validate your own good cyber-standing.


In both cases, efforts to qualify or quantify third-party risk might involve a mix of security ratings, Google searches, checking the Dark Web for compromised credentials, and automated or hands-on testing. Along with BAS, other validation tools for obtaining an outside-in view of internal and external risk might include penetration (pen) testing, red/purple team exercises, external attack surface management (EASM), and vulnerability scanning. As the only continuous approach able to simulate attacks, BAS can inform these other efforts to produce highly actionable results.

Interested in a deep-dive on the pros and cons of each of these technologies? Check out our Six Methods to Test Your Organization’s Resilience to Cyberattacks white paper.

Will we be safer tomorrow than we are today?

Stay tuned for the next installment in this three-part blog series to see how skeptical buyers can answer the question of “Will we be safer tomorrow than we are today?” by proving the value of a tool once it’s purchased and implemented. To learn more about the skeptical buyer’s approach today, download the complete Skeptic’s Guide to Buying Security Tools white paper.

Interested in putting your skeptical buyer skills to the test to see if BAS might be the right tool for you? Check out our Four Pillars of BAS white paper or schedule a demo with a SafeBreach cybersecurity expert. 
