Why oh why is cybersecurity so complex? I was at an event recently and the keynote speaker talked about how security is unique in its incredibly minimal consolidation. In the cloud, you have arguably three major players (Amazon, Microsoft, and Google). In mobile phones, a few. In almost any area of life, consolidation happens (autos maybe 10, TVs 3-4, etc.). Yet, in information security, no one company has greater than 5% of the market. Cybersecurity is the equivalent of everyone still having to build their own computer with motherboards, memory chips, cables, and enclosures. There is no Dell or Apple to give us ‘a computer’ as an outcome. And, while some of us used to enjoy building computers…the vast majority of folks really just wanted to buy something that worked. When it appeared the old family machine was slowing down, and Dells were available, my dad thought it was humorous that I went to a local supplier and proceeded to buy all the parts necessary to build my own computer. Ahh…the good ol’ days.
And, while I love a good philosophical discussion about why security is in this disparate state, the goal of this article is to talk about how we can potentially help solve some of this complexity. You, the reader, can let me know at the end if I’ve made some compelling points.
So, what’s the problem? Well, this proliferation of tech and capabilities doesn’t seem to be solving the ‘core’ problem. Which is to keep the key digital assets of companies safe and secure. Here we are in 2022 and, despite the industry's best efforts and a raft of literally thousands of technologies available, businesses of all sizes get breached. Plus, we are coming off one of the worst years ever, as can be seen in the payout of cyber insurance claims. Rejigging the words of a movie I loved as a kid, “You keep using this word ‘security’…I do not think it means what you think it means.” Something is definitely not working.
What’s broken in cybersecurity?
Let’s leave the Fortune 500 and similarly sized companies out of the equation for a bit. For this convo, let’s talk about the smaller organizations. Whether they’re a fledgling start-up or have been in the market for years, building true cyber resilience is hard. Blah, I hate buzzwords but I don’t know a better way to say it. So…Cyber Resilience…what does that mean? Well, in short, the ability to technically protect your organization AND, if something horrible happens, to not go out of business because you have business protections in place (e.g. insurance). The problem, and it’s been the case for decades, is that security vendors and service providers have been too preoccupied with selling as much technology and as many licenses as they can, without really looking at the sum of the parts. After all, if vendors don’t have all the parts…then just sell as many of their widgets as possible.
This leaves smaller to mid-sized enterprises (SMEs) with multiple burdens because they are still held to account when it comes to securing their customer data, their valuable IP, and adhering to compliance requirements. In other words, they can’t afford to run afoul of the latest zero-day vulnerability or ransomware campaign. Yet, most don’t have the resources or in-depth security expertise to button up all these defenses as well as say, an aforementioned Fortune 500 company.
What’s an SME to do? Well, the last thing they need is more technology thrown at them. Or how about some intelligence feeds that they can’t manage or act upon, or the latest SOAR solution to automate responses? All of these tools and technologies have a place, but only at the right time and if properly working together.
Wrong fit, wrong model
SMEs that choose to outsource the management of their cybersecurity needs may reach out to their existing MSP to see if they have the capabilities or they might go with an MSSP. They’ve typically done a majority of the research and evaluation work before they engage with an MSSP, and this will take many months of effort (think multiple demos followed by extensive POCs) and negotiation (pricing and legal work).
At this point, they may not even fully understand how all the different pieces of technology will work together and if consolidated, whether they’ve chosen the right combination to provide end-to-end protection. They will then hand over their Frankenstein-like environment to an MSSP and hope for the best.
So now, after all their hard work, they have a firewall, some AV, and perhaps an MSSP to ‘watch things.’ However, things change. New (and potentially better) technologies emerge; remote working becomes prominent (how’s that firewall working now…?); companies grow; compliance requirements become more stringent; customer expectations get higher; and, all the while, cyber-attacks get worse. That’s not fearmongering, those are just the facts. We already know that cyber criminals and nation-state attackers are not going to change their ever-evolving capabilities to make life easier for target companies.
The fluid nature of business and the dynamic world in which we live means that trying to secure an organization will undoubtedly become more and more complicated. However, instead of trying to counter this with additional technology and false promises, I think it’s time we start talking more about outcomes and less about tech. I know it sounds crazy…but wouldn’t it be nice to know that you had great security resilience no matter what was happening in the world? We think it would.
A whole new world for cybersecurity
At the risk of mixing my metaphors, let’s talk streaming video for a moment (I promise it will all come together in the end!!!). For the Disney fans out there, I’m sure if you were given three wishes, amazing cybersecurity probably wouldn’t be one of them. For those scratching their heads, watch Disney’s Aladdin. However, if you wanted to watch Aladdin, you’d need to be a Disney+ subscriber (ok, unless you still own a Blu-Ray DVD player). We all appreciate the convenience and ease of streaming entertainment, but rarely are we subscribed to only one platform. Want to watch Ted Lasso? Well, that’s on Apple (hilarious and uplifting). How about the Sandman Series? Well, that’s on Netflix.
According to the Deloitte Digital Media Trends Study, US households have an average of four streaming service subscriptions. It’s annoying, but it’s still far more convenient than the days when we had to make a trip to Blockbuster to rent videos (Millennials, that was actually a thing. And then sometimes they didn’t have the new movie you wanted so you would wander for an hour in the aisles trying to find something else. Similar to scrolling across the TV…but much more walking and much less sitting and thumbing). We have Netflix to thank for its ingenuity in bringing streaming entertainment to our fingertips.
What’s all this have to do with cybersecurity? Everything when it comes to simplicity, ease of access, and getting a predictable outcome.
Netflix didn’t start by making content. Rather, they excelled at creating the outcome of giving you great content in an amazing experience. That being 1) Financially: pay per month? Brilliant! 2) On demand: the service is always available? More brilliant!! 3) Great content: I don’t have to buy or rent movies; I can just stream them when I want? Even more brilliant!!!
Netflix revolutionized the entertainment industry. But what did they do that was so ingenious? Well, at the time they didn’t create new content, but they built all the infrastructure to deliver an outcome.
Our view is that security is desperately in need of this revolution. In most cases, the tech, like the amazing content Netflix put together, is already available to solve most SMEs’ security challenges. What hasn’t been done is putting it together in a comprehensive solution that provides an easy-to-consume product that gives the outcome of world-class security.
At SolCyber our goal is to be like your favorite streaming service combining all your favorite channels into one platform via a monthly subscription.
SolCyber makes light work of complex problems
And now we bring it full circle. Of course, cyber security is complex. The difference is that we believe SMEs shouldn’t have to do any of the heavy lifting or be the ones to problem-solve the best way to secure themselves from all the threats posed today...plus all those that will be devised tomorrow.
Wouldn’t it be nice if the entire business engagement, from negotiation to onboarding to ongoing monitoring, detection and response, were pain-free? I mean, it’s never going to be like a trip to the day spa, but heck, maybe close enough.
We bring all the market-leading technology, processes, services, and support to you. All you need to do is work out how many staff you have (ask HR), sign up with us, and you’ll be up and running in days.
We call it a streaming service for security (Legal said I couldn’t call it “Netflix of security” even though I really wanted to). We’re the only provider of modern managed security services that works in partnership with your IT team (or your outsourced MSP). That means however your business or technology evolves, SolCyber will grow with you. If the threats change, we change. We call it “Foundational Coverage” and it never remains static, but the monthly price per user does. So, you’ll constantly be getting more value, which sounds absurd, but that is the goal.
Oh…and one more thing…
We weren’t content with just solving a very broken and outdated cybersecurity outsourcing model because, what would be the fun in that? Another pressing issue we were hearing from the market was that cyber insurance is a struggle for many businesses. Not only is the application process to get approved for a policy hard (Like…crazy hard, 8 weeks and multiple documents hard.), but the cost of premiums has been skyrocketing, making cyber insurance prohibitive for many. Cyber insurance is an essential part of business risk reduction and, if SMEs see the value in it but just can’t access it or afford it, then we have a serious problem.
There has been almost zero connectivity between cyber security efforts and the ability to get cyber insurance quickly and at a reasonable price. This has made it really hard to 'de-risk' a company from an operational security standpoint and a financial standpoint.
We went about solving this problem by demonstrating we could:
- Deliver an “outcome” of great security through our Foundational Coverage.
- Get validation from the insurance industry that our solution would be able to demonstrate a significantly lower operational cyber risk.
- Have the cyber insurance industry agree with us and offer incentives to our customers.
Because security is a piecemeal effort involving lots of software and services, it's hard for insurers to have confidence that all the components are working in coordination to secure an organization. Validating the 'outcome' is a challenge. Because the outcome of great security is difficult to validate, the procurement of cyber insurance tends to run as an independent effort, with minimal impact from the controls the security team has put in place.
We were able to demonstrate that our 'Foundational Coverage' solution does provide comprehensive protection capability touching most of the areas cyber insurance organizations care about. Working with our insurance partner, Converge, we spent almost a year linking our coverage with cyber insurance to show that it significantly reduces customer risk and thus insurance exposure.
We now have the SolCyber Insurance+ Program available, supported through an A+ AM Rated Insurer, who is willing to reward our customers, not only with expedited approvals but also with discounted premiums. This is an enormous value-add to our customers, as they can get a combination of great, verifiable security AND a pain-free cyber insurance experience. Now that is ‘practical cyber-resilience’ to steal a phrase from a CISO friend.
There’s not much more to say, except that we’re working hard every day to make the life of every SME that feels overburdened and underserved simpler, easier, and safer.
Let’s have a chat to find out how easily you can switch on security with SolCyber!