Gartner Exec: ‘There’s No Such Thing As Perfect’ Cybersecurity

Presenting metrics and knowing the level of tolerance leadership has for a cyberattack are important parts of the conversation.

Paul Furtado, Vice President, Analyst, Midsize Enterprise Security, Gartner

“There’s no such thing as perfect protection,” said Paul Furtado, Gartner’s vice president, analyst, midsize enterprise security, during the 2024 Midsize Enterprise Summit in Tampa, Fla.

Furtado delivered a presentation on how IT leaders can negotiate cybersecurity budgets and strengthen their company’s security posture using outcome-driven metrics.

“If you want strong protection, it’s not going to be cheap, you’re going to have to pay for it. If you’re worried about the bottom line and it’s strictly a cost decision, understand that you’re going to accept more risk,” he told the attendees during his presentation.

“The reality is that we need to build a balance here between what we do from a risk perspective and that cost perspective, that’s the conundrum we have to deal with.”

Businesses are heavily investing in cybersecurity. However, Furtado said that it is possible to “overinvest in security.”

“It gets to the point where you’ve got a diminishing return. Our executives are going to be a lot more risk-tolerant than we are as practitioners. We have to find this mechanism, a way to have a discussion with them where they can make a risk acceptance decision either formally through risk registers or informally by how they choose to fund the program.”

Furtado then outlined how IT leaders can negotiate their security budgets with their executive leadership and stressed the importance of making a persuasive case for defending security budgets using metrics.

Defending Security Budgets

Furtado offered this advice to IT executives:

• Make sure that you articulate risk in the right terms.

• You can’t control how many types of “bad apples” are going to keep knocking at your door. You can control your vendors’ security. You can’t control malicious emails that may make it through your existing security tools. Look at the things you can control. For instance, how many days does it take your department to patch your systems? Knowing that provides a line of sight to the value proposition of reducing the amount of time.

• If you find that similar-size organizations in your industry are patching in 30 days when you are patching in 45, your executive leadership is likely to turn you down if you state you need $100,000 to get patching down to 30 days.

A better approach, he advised, is to ask leadership, are we willing to defend our security program by saying we’re OK with accepting the risk of being vulnerable to an attack for 15 days longer than our peers in the industry? Ask what is the tolerance level for a cyberattack?

• Building a security program means having conversations about defensibility for the business.

• Collecting the right data allows you to start building the metrics to make defensibility a part of securing conversations with executive leadership.

• Protection-level agreements establish operational target costs and defensibility to the business.

• Questions IT leaders should ask themselves when planning or enhancing their security strategies and budgets:
  • What does your security program look like? Is it defensible?
  • How can you give senior leadership or the board of directors that reassurance they are looking for?
  • How much money is the company willing to spend for the level of defense they’re going to get? That is a business discussion.
  • Are the systems up to date? How about those of your partners and vendors?
  • How about fault tolerance?
  • Is there access control?
  • Are employees trained and do they behave safely?
  • What sort of visibility do you have across the environment? Can you see all endpoints? Can you see what we have up in the cloud? Do we know where our data is going?
  • How well protected are you against data breaches/data exfiltration?
  • Do you have privilege access management (a lot of data exfiltration happens because of escalated privileges).

In closing, Furtado offered some additional advice:

Start looking at containment time and remediation time. The single biggest thing you can do from a security perspective is detect and contain.

Stop talking about shadow IT because shadow IT doesn't exist anymore, it’s just the way business happens now.

A successful ransomware attack is the failure of multiple things in your security stack.

Look at how you present your metrics and have a business continuity plan, part of this plan is knowing the business impact analysis.

Furtado advised making security a business conversation.

“Defend your [security] budget ... create defensibility with your key stakeholders regardless of who they are. [Stakeholders] need to be aligned with the outcomes and the benefits of treating security as a business decision because if you go in talking SIEM and EDR and all the alphabet acronyms it’s not going to resonate [with leadership]," he said.