
One of the first things we learn regarding investment portfolios is how to spread our risk. We do this because different categories of investments will react to market changes in different ways. Rather than a “win big, lose big” approach, we are trying to spread risk through diversification and ultimately provide a steady and predictable outcome.

How we think about cybersecurity investments isn't much different. This is called a defense in depth strategy, although it might be somewhat easier to picture it as a defense in breadth strategy. While depth can focus on multiple controls to mitigate a particular risk, breadth can focus on ensuring that we have coverage across either multiple technology domains or portions of an attack or defense lifecycle.

Consider ransomware. A single control - say, endpoint protection - might catch 80% of threats. But that remaining 20% could still cripple your business. Add email filtering and you're at 90%. Layer in application whitelisting and you're pushing 95%. Network segmentation means that even if an attacker gets in, their ability to move laterally is constrained rather than free. These percentages are made up, but the point is that no single control gets you there; the portfolio does.

To some extent, this is all semantics. What we care about is that security isn't a "one and done" investment. Not only do you have to keep assessing where you have adequate coverage and where you are carrying risk, you also have to continually evaluate whether the things you already have in place are still effective, or whether they are past their use-by date.

The Reality of Security Technology Evolution

In plain English, security technology changes very quickly. What was effective three years ago may not be effective today. What was a market-leading solution may now be trailing behind. Take signature-based antivirus, which was the cornerstone of endpoint security for decades. It worked well when threats moved slowly and malware variants were limited. Today, attackers generate thousands of malware variants daily, so a signature that matches yesterday's sample says nothing about today's. Behavioural detection and AI-driven tools have become necessary not because the old technology is 'bad', but because the threat has evolved beyond its capabilities.

To bring it back to the analogy about an investment strategy, we are continuously evaluating the performance of our investments. And here is the cold, hard reality. I am yet to see a business that can afford every investment they would like to make, let alone have the time to implement them effectively to get an adequate return. Therefore, it isn’t always about adding more but rather ensuring you have the right quality of investment in the right areas.

Evaluating Your Security Portfolio

So how can you evaluate your portfolio of defences without just being sold more solutions than you need? A good starting point is to align with a framework and assess your current controls against that, as well as evaluate the areas of greatest risk to your business.

Here are three frameworks you could assess against:

Essential Eight – This is an Australian framework, published by the Australian Cyber Security Centre (ACSC), which focuses on eight essential mitigation strategies. One nice thing about it is that, as well as the eight control areas, it defines maturity levels (Maturity Level Zero through Three), so you can continually look at levelling up. This framework is an excellent starting point if you are getting started on your cybersecurity journey.

NIST Cybersecurity Framework – NIST CSF is a very well-recognised framework organised around core functions (Govern, Identify, Protect, Detect, Respond and Recover in CSF 2.0) that together make up a comprehensive strategy. As it is broadly adopted, it can be a good framework to align with, knowing that it is well understood and supported.

MITRE ATT&CK Framework – As the name suggests, this one focuses on the attack side: it is a knowledge base of the tactics and techniques adversaries have been observed using, rather than a list of controls. That lets you map each of your defences to the specific techniques it prevents or detects, and see which techniques are left uncovered.

Building Balance in Your Security Investments

Regardless of the framework(s) you may adopt, choosing the right starting point matters. Essential Eight suits organisations getting started on their security journey or those in regulated sectors - it's focused and achievable. NIST works well if you're aligning with international partners or need a comprehensive framework that's widely recognised. MITRE ATT&CK becomes valuable once you've got the basics sorted and want to understand the specific techniques threat actors use against businesses in your industry.

The goal isn't picking the 'best' framework but picking the one that helps you see where you're covered and where you're carrying risk. Understanding whether you have a balanced investment portfolio in your cyber defences is what matters.
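One way to make "where you're covered and where you're carrying risk" concrete, for the ATT&CK mapping described above and the balance point made here, is to list each deployed control against the techniques it addresses and let a script report the gaps. The following is an added Python example, not code from the original post: the technique IDs are real ATT&CK identifiers, but the controls, the ransomware-style threat model and the control-to-technique mapping are constructed assumptions for illustration, not ATT&CK's published mitigation data.

```python
"""Control-coverage gap analysis against a small ATT&CK threat model.

Reports breadth (how many techniques have any control), gaps (techniques with
no control) and single points of failure (techniques relying on one control),
which is the depth-versus-breadth picture the portfolio view needs.
"""
from collections import defaultdict

# Constructed sample: controls a hypothetical organisation has deployed, each
# mapped to the ATT&CK technique IDs it is assumed to prevent or detect.
# The mapping is an illustrative assumption, not ATT&CK's mitigation data.
CONTROLS = {
    "email filtering":           {"T1566"},                    # Phishing
    "endpoint protection (EDR)": {"T1204", "T1059", "T1486"},  # Execution, scripting, encryption
    "application whitelisting":  {"T1204", "T1059"},
    "network segmentation":      {"T1021", "T1570"},           # Remote Services, Lateral Tool Transfer
    "offline backups":           {"T1486"},                    # Data Encrypted for Impact
}

# Constructed sample: a ransomware-style threat model (technique ID -> name).
THREAT_MODEL = {
    "T1566": "Phishing",
    "T1204": "User Execution",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1021": "Remote Services",
    "T1570": "Lateral Tool Transfer",
    "T1486": "Data Encrypted for Impact",
}


def coverage(controls, threat_model):
    """Return {technique_id: sorted list of controls covering it} for every
    technique in the threat model; uncovered techniques map to an empty list."""
    by_technique = defaultdict(list)
    for control, techniques in controls.items():
        for technique in techniques:
            if technique in threat_model:  # ignore controls outside the model
                by_technique[technique].append(control)
    return {t: sorted(by_technique.get(t, [])) for t in threat_model}


def gaps(cov):
    """Techniques with no control at all: pure exposure."""
    return sorted(t for t, controls in cov.items() if not controls)


def single_points(cov):
    """Techniques that depend on exactly one control: breadth without depth."""
    return sorted(t for t, controls in cov.items() if len(controls) == 1)


def breadth(cov):
    """Fraction of threat-model techniques that have at least one control."""
    return sum(1 for controls in cov.values() if controls) / len(cov)


def report(controls=CONTROLS, threat_model=THREAT_MODEL):
    """Human-readable summary, returned as a string so it can be logged or tested."""
    cov = coverage(controls, threat_model)
    lines = [f"breadth: {breadth(cov):.0%} of techniques have at least one control"]
    for technique, name in threat_model.items():
        names = ", ".join(cov[technique]) or "NONE"
        lines.append(f"{technique} {name:<36} {len(cov[technique])} control(s): {names}")
    lines.append(f"gaps (no control): {gaps(cov)}")
    lines.append(f"single control only: {single_points(cov)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With the sample data the report shows that Valid Accounts (T1078) has no control at all, and that phishing and lateral movement each hang on a single control, which is exactly the "carrying risk" the framework mapping is meant to surface. Swapping the constructed dictionaries for your own control inventory and a threat model drawn from ATT&CK turns this into a repeatable check rather than a one-off assessment.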

Read on in part 2 of Jeremy's Defence in Depth series: Why the Holes in Your Security Posture Might Be Your Best Friend.

Jeremy Nees
Post by Jeremy Nees
21 Oct 2025
Jeremy is our resident thought leader with a huge amount of knowledge on all things cloud, having worked across service provider environments, local government and large enterprise organisations. Jeremy is responsible for leading our enterprise cloud and security consulting and cloud-managed services, with a focus on the productisation of our wider global service offering.