Matthias Reinwarth and Christopher Schütze talk about how to efficiently identify and rate your investments into Cybersecurity.
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. In each edition of this Analyst Chat, I have one guest joining me, a fellow analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. My guest today is Christopher Schütze. He is director of practice cybersecurity. Hi Christopher.
Hi Matthias. And thank you for the invitation for the Analyst Chat today.
You're welcome. And it's great to see you for the first time in this Analyst Chat.
This is a first time for us as well. We want to talk about cyber security portfolio optimization. Cyber security in the current times is really a challenging issue. I think you, as the director of practice cyber security here at KuppingerCole, you are of course working on a daily basis with this topic. And what do you think are the five most important things to consider when we are talking about real-life cybersecurity, not the theoretical, not the analyst point of view, real life?
Well, the bad news when I go to a customer and we do advisory is really, you are a target. And mainly the bad news: everybody will become the victim of a cyber attack, or might become the victim of a cyber attack. No matter how much you invest, the threat that you will become the victim is really high, but you have to investigate what you have to protect and what to do first and maybe what to do later. And this is really the important thing, and the thing this Analyst Chat today is about. Usually you can easily say there is no 100% security.
You cannot achieve 100% because others are investing a lot. So the cybercriminals are investing really a lot to attack specific companies. It is a real industry in the background who tries to steal data, to steal information, to hijack or to ransom an organization to get money. This is the goal. This is an industry, and this is something you need to be aware of.
And you, this is the way you need to invest into cybersecurity. 100% is not achievable, but you can protect yourself as much as possible and necessary. And from our point of view, you have to plan really for the worst thing. A year preparation is key. Incident response management is very essential in this topic, and not only about cyber attacks or data breaches or things like that. Just think about the current pandemic crisis. Many companies have to work from home the first time, or a lot of employees have to work from home the first time in parallel.
And this is a very big problem for accessing data, for accessing networks, for accessing applications which are running within the organization. And this is mainly because I would say a very important thing for looking into investment priorities or things like that is: invest in things like zero trust. Don't rely on single VPN gateways or proxies where everybody has to access at the same point in time. And really think about how a criminal, what he would do.
Just think about an article abroad at the beginning of the year, about the biggest threats which might happen to you, and attacking the people. So you as an employee or as a manager, with social engineering, is maybe one of the biggest threats. Technically attackers do not try to attack you on a network level anymore. They try to attack you on a social network, on LinkedIn, to get information about you and use that information to get access, or to force you to click on a malicious email attachment or things like that.
And this is mainly how you should invest into cybersecurity for the next months or even years. So this should be the focus.
So we should think of cybersecurity as a combination of different types of tools, of different types of technologies that in combination really make sure that you get close to this 100% security while you know that you cannot achieve it. So it's really, as we talk about that here, it's a portfolio that we have to consider.
So it's a set of measures, a set of technologies that we should really set into context to each other, to understand where we have to invest, maybe where we invest too much and maybe where we should invest and we don't. Would you agree on that?
Yeah, absolutely. At the end, it's thinking about what does an application or service offer for me? Does it mitigate my risks or not? And what is the price of it? And is the price higher than the risk or threat which happens to my organization or to me as a single employee? And this is the thing you need to do: take really the applications you have and rate them. Usually you start really with an assessment here.
This should be the first step. Think about your general risks and rate them and define controls, mitigating measures and things like that. But here in this Analyst Chat, we are really talking a little bit more about existing tools, and maybe you will identify some gaps if you do it that way.
If you look at that from the efficiency, also for our attendees, for those watching this podcast, maybe we can give some hints and give some homework for them afterwards. So what would be dimensions?
What would be the things to consider when actually applying such an analysis, as you said, such a rating? How do you actually measure the things that you are currently having in place? What are the dimensions that we usually apply or you typically apply?
Well, it really depends on your organizations, but we as KuppingerCole have some basic things here, some basic dimensions. Usually we use seven. And the first one I already mentioned is really the cost. So the expenses you have when using a tool or a service, also called the total cost of ownership. So also depending on operations and licenses and maintenance and things like this, this is an important thing. And on the other hand, you need to know the level of risk mitigation here. So does this tool you have really help you to mitigate the risk or not?
On which level is it, only a one or a 10 or something like that? So you also need, besides the dimensions, some kind of rating. Usually we have a one to nine, so the ability to have 10 different numbers to rate something, and this is what we use for. And also the feasibility for your organization is really important. And for sure, the time to production. Just think about, you have a perfect tool, it would mitigate all of your risks, but it needs 10 years until it's available for you as a service or application within your organization.
And then it is not valuable for you, because in 10 years, we will have, at least in five years, we will have other things. Then for sure it is important that it covers hybrid topics. Today, we do not have only an on-premise application. We have some mixture of cloud applications, cloud-native applications, as well as on-premise applications. And the tools should cover that. And this is, as I said at the beginning, in the direction of zero trust. And then for sure, the maturity. So how good is the tool, the technology, does it cover topics
like, I don't want to say it as a buzzword, but like real artificial intelligence, which really helps you to support, to make decisions? For instance, if you have some automating tools to reject authentication requests or things like that, not only based on policy levels, or maybe you read them machine learning and artificial intelligence. And last but not least, we also use the dimension vendor. So is it a good vendor? Is it a well-known vendor? Is he stable enough, or is it potential that he will be acquired by another company within a few months or years?
So these are typically things we use to rate technology you have within your organizations. And this helps you really a lot to visualize whether an application or technology service helps you and on which level. Yeah, I hope this answers your questions to the dimensions.
Absolutely. Absolutely. Thank you. And I think it's really important then, if our listeners actually do this homework, that in the end it's work, it's homework, so that they really have to understand what is in their cybersecurity environment.
What is already available, how to pick the right dimensions out of the ones that you've mentioned before, and to really take their individual solutions, the firewalls, the antivirus, the endpoint protection in general, encryption, multifactor authentication, privileged access management, that they really take these aspects and how this is covered within their own cybersecurity portfolio. And to rate it in a way that they really understand where are gaps, where are there no gaps? Where are they actually doing quite well?
And where is potential for optimization, where is potential for really consolidating maybe different solutions of different vendors into one? And to make sure that this all still works together, maybe even increases the functionality and maybe even allows for some cost savings, although this is often very difficult. Yeah. I think that is an important starting point. So really define your own dimensions, really rate your technologies.
And if you think there are some technologies, some areas of protection missing, add them as well, so that you can really justify an investment afterwards, make decisions what can be removed, what can be combined, what needs to be added, and make sure that you really get a full picture when you are rating your cyber security investment. And then you can take the next step.
Yeah, you're absolutely right, Matthias. And this is the perfect base. So having an assessment or rating or a deep understanding of your technology and how they mitigate your risk, the next and last step here is having some kind of portfolio management. And portfolio management is usually only focused on two dimensions: on the mitigating risks, so the impact or the level it mitigates risks, and the total cost of ownership. And this helps you a lot. A tool which mitigates your risk only with 5% and has a TCO of, I don't know, 1 billion as an example, is not very valuable for you.
Better are those tools within your portfolio which mitigate risks on a higher level, something between five to 10, and the costs are somewhere in the middle. That is very important in the center. And as I mentioned before, you need to ensure that the cost of having a tool, so really the TCO, is not higher than the expenses you would have if you would have a data breach or impact or something else here. But it is essential here, or be careful: a data breach does not only have the expenses of losing some customers.
It could at the end also harm your whole organization and leads to leave everything, and be aware of that. And this is essential. And if you take all these tools and create some two-dimensional graphics with a risk mitigation impact and the total cost of ownership, this really helps you a lot to visualize where you can invest more, which tools are essential for you and which tools you can remove. And this is what you already mentioned, Matthias. Maybe you can save some expenses, too.
Exactly.
I think the two dimensions that you've mentioned, and if we really plot them to a graph, you've mentioned total cost of ownership and the risk mitigation. I think there are other options as well. So you might want to look at, as you said, the time to market or the time to implement and the actual risk mitigation. So if you have an actual issue just right now, and you can mitigate very quickly the risk to, say, 60, 70%, and over time add the complete solution that actually meets the risk fully, so that you can say, okay, I take one solution.
One will be the short-term solution, because that is quick to implement and already mitigates some risks, but then you can move towards a full implementation in the long run. And this is even something that you can very easily identify and present to management, to say, okay, we have a short-term solution with this level of risk mitigation and a long-term solution where we are aiming at, but this will come later and we have a good plan with a transitioning architecture.
In the meantime, I think there are many of these dimensions that you've mentioned before that can be combined to tell different stories to different stakeholders.
Exactly. And especially dimensions like maturity or even the functional things and product help you. You often have bigger tools which can do the same thing, but you only use a specific functionality of the tool. And maybe here is also some optimization possible. And using those methodologies I've mentioned here, like spider graphs or a two-dimension diagram, helps you a lot to visualize it and to share with your management at the end.
Okay, great. I know there's a lot of material around that available at our website at KuppingerCole dot com.
Of course, if there are any questions, when you have questions doing your homework at home, just get in touch with us. I don't have to summarize this short chat because actually we, if this all added up to this recommendation to say, yeah, the summary would be: just do it. It really can help. It can help you in making your cyber security more efficient, maybe more effective, more cost effective, maybe, and more complete. I think that is an important thing. So we are getting to the end of this chat. Is there anything that you want to add from your side, Christopher?
No.
I just can agree to you. If you have any questions, feel free to ask us, send us a mail or give us a call. I would be happy to support you.
Okay, great. Thank you very much. Thanks to the audience for listening and for watching. And we hope to have you soon back again in one episode of this Analyst Chat, both you, Christopher, as a participant and the audience, for, yeah, for paying attention to what we are talking. I hope this was useful. Thank you for your time. Bye. Bye.