There’s a fundamental truth in the cybersecurity industry that nobody wants to face. Despite cybersecurity budgets and spending ballooning by the year, outcomes aren’t improving. In fact, they’re getting worse. In 2011, the cybersecurity market was valued at around $60 billion in annual spending. By the end of 2021, it’s expected to reach $150.4 billion. That’s a Compound Annual Growth Rate (CAGR) of 9.63% over a decade, and there’s no sign of spending slowing down. From 2020 to 2027/28, analysts expect the CAGR of global cybersecurity spending to continue at a rate of 9.4%, 10.9%, or 12.5%, depending on which source you trust.
All of which begs the question: Why are Breaches (Still) So Common?
With all that spending, you’d expect the rate of security incidents and data breaches to fall—but they haven’t. The number of recorded breaches is rising year by year. The number of breached records hit a new high during Q1 2021, and nobody expects them to fall in the coming years. When it comes to our ability to identify and contain breaches, there’s more bad news.
Between 2015 - 2019, the Mean Time To Identify (MTTI) security breaches remained static at 206 days, while the Mean Time To Contain (MTTC) rose from 69 days to 73 days. That makes the average time needed to identify and contain a security breach an incredible 279 days.
#1: The Definition of Insanity
Everybody has heard the quote: "Insanity is doing the same thing over and over again and expecting different results." (By the way, did you know it wasn’t Einstein who first said this?)
Nonetheless, this is exactly what the cybersecurity industry has been doing for the past several decades. Collectively, we have tried to spend our way out of a problem and ignored the fact that it isn’t working. Why? Because despite a huge rise in cybersecurity spending, threat actors are getting better, faster than we are.
From this, we can deduce two lessons:
- Today’s approach to cybersecurity isn’t working.
- Organizations can’t spend their way out of the problem.
And, perhaps the situation is even worse. Increasing cybersecurity budgets and spending creates a false sense of security that comes crashing down when an organization is inevitably breached.
You’ve probably heard the oft-repeated phrase, “it’s not if but when your organization is breached.” While it may seem self-serving for cybersecurity vendors to repeat this over and over, it’s a truism—and the data above makes it abundantly clear.
#2: The "Fog of More"
No organization can do everything when it comes to cybersecurity. The available systems, controls, and processes are simply too expansive (and expensive). This leaves organizations trying to figure out which controls to implement with their limited human and budget resources.
This is where we run into a serious problem that most organizations haven’t yet solved. Tony Sager, SVP and Chief Evangelist at The Center for Internet Security (CIS), explains:
“Defenders lose because they are overwhelmed. There’s too much advice and too many consultants, tools, compliance requirements, and marketing messages to process. They don’t know where to start, and that makes them susceptible to any message or tool that claims to solve their problems.”
With so much choice, many cybersecurity leaders (and their teams) become paralyzed. They do their best to prioritize budgets and energy, but the outcomes don’t match their efforts.
#3: Security is Stuck in ‘Reactive Mode’
Perimeter defense tools like firewalls and IDS/IPS tools do an essential but incomplete job. The predominant approach to cybersecurity relies heavily on reactive monitoring and incident response, hoping to head off each threat before it does serious harm.
But as we’ve already established, this approach isn’t working. And there’s a simple reason why: if we try to categorize and block every possible bad thing that could threaten our infrastructure, we’re inherently in a reactive position. We’ll almost never be able to block new threats because we haven’t had a chance to categorize them yet.
That’s without even considering the effort and investment needed to maintain this reactive approach. All of this poses an obvious question: If spending more on reactive tools and processes doesn’t work, what’s the alternative?
System Integrity Assurance: A Huge Step Beyond FIM
To reverse the current trends, we need to reevaluate the fundamental principles of cybersecurity. System Integrity Assurance is a completely different approach to cybersecurity that focuses on the fundamentals. Instead of trying to identify and categorize all bad things, it instead identifies everything that is allowed in an environment—and blocks everything else.
Some level of management by exception is needed, of course. But fundamentally, integrity verification gives organizations complete control over what happens in their environment. This begs another question:
What happens if you know every time something is added, removed, or changed in your environment, and you stop anything that isn’t authorized… and you expand this capability across all asset classes?
- Ransomware and other malware can’t run in the environment.
- Attackers can’t traverse the network or exfiltrate data.
- Nobody can change files or configurations to make them dangerous or non-compliant.
- Users can’t accidentally run malicious attachments.
- Nobody (even privileged administrators) can alter critical system files.
This approach takes away a massive proportion of the threats that can arise in an IT environment with minimal human involvement.
To find out exactly how integrity verification addresses the major issues in cybersecurity, download our free guide: The Authoritative Guide to System Integrity Assurance.
