Does More Money Mean Better Security?


Armadillo, 26 Apr, 2019

I have a news alert set up on my desktop with the search criteria: ‘organisation’, ‘data breach’, ‘security breach’ or ‘hack’. The good thing about this news alert is that I rarely miss the bad news of someone else being hit. The bad news is, I am considering changing the search terms because I am being hit with, in fairness, irrelevant news items and advertorial information, but also because, frankly, companies are still getting breached, still losing data, still having to put their embarrassed hand in the air and admit “yes, me too”.

I read an article where the CEO of Wipro defended the company in their recent data breach, which was via a compromised third-party IT Service Management tool (allegedly, I want to add); but it raised a point within the article that there was only so much security you could have: if all the dots are connected, if all the widgets are patched, if all the ifs, buts and maybes don’t align, there is only so much you can do? – and that is a question, and it’s supposed to be one too. I pause for thought: is there more businesses can do, can you really throw endless trunks of money at a problem and still have a problem??

I remember debating with someone a few years back, as the UK economy was coming out of recession, that the Cyber Security industry felt like it hadn’t really been affected by the recession because continued investment was perceived as constantly being needed. I attended InfoSecurity Europe last year and felt like there was a lot of innovation coming from the vendors that we all know and work with. An emphasis on AI, GDPR, Automation, Orchestration. So, I find myself thinking – is the problem that innovation is killing our ability to protect, is development hurting our chances of detection, or is the proverbial ‘bad guy’ really that one step ahead? These are the questions I ask my customers every day, and the overwhelming response is that they are just trying to consolidate on the investments that they have already made, and trying hard to balance that with transformation and innovating the way they all work, so the companies they work for can remain commercially competitive in their respective industry verticals.

I’m currently working with a company who are trying to segment and transform their network architecture – it’s a very large, complex, multi-domain environment. It’s a lovely project to be involved in; I feel like I’ve learned so much about the thought processes customers go through when adopting new technology. It’s not just the security considerations, or the commercial considerations, but it’s also the business issues it resolves – allowing for compliance (internally and externally) to be achieved. It’s about addressing ‘how’ the user interacts with the network, with data, with applications, with third-party tools, cloud, other users, and the outside world.

I’ll go back to my original question and ask it again – is there more businesses can do, can you really throw endless trunks of money at a problem and still have a problem?? I’ve just asked one of my customers, who I’m fortunate to be able to call a ‘friend’ too, and his response was “being a CISO is a thankless task, it’s utterly endless”. I think it goes back to my comment about trying to balance security with innovation, change, and quite simply having to keep up with the times. So yes, having ‘endless trunks of money’ to invest in security can still leave you with a problem; of course it can, it’s just a different kind of problem. Something else to think about, something else to manage, something else to integrate.

There are now several solutions within the Armadillo Managed Services portfolio that are as innovative as anything we have seen before. CASB, Network Segmentation, Software-Defined Networking: tools designed to allow the users and the business to ‘move’ together towards this holy grail of ‘digitisation’, allowing me as a user to work from home, using any device, and any application, but securely. At Armadillo, more than ever before, security professionals are beginning to ask about innovation and how that can help security achieve its ultimate task – avoiding my Google News Alert!!

Written by: David Newson, Client Director at Armadillo.