Cyber security pros often conceptualize a linear continuum of protection strategy: The left portion of the line represents security measures that tend to be more preventive of cyber threats, and the right portion represents more reactive approaches. In the early days of cyber security, it was believed that any shift to the right was a concession to the adversary. More recently, however, shifts right are often viewed as showing justified respect for the adversary.
Whether to shift left or shift right is a controversial point in the security community, and participants tend to be biased. Companies selling tools that use early indicators to prevent attacks will suggest shifting left, whereas companies that provide detection and response will tend to suggest the other direction. In the end, it is likely that improvements in both directions are warranted, but it is instructive to use the continuum to analyze strategic options.
To that end, principals from TAG Cyber in conjunction with security experts from Bitdefender sketched a linear continuum (see below) – and asked two dozen enterprise security experts the following questions about their endpoint security:
- Which point from 1 through 5 best represents your endpoint strategy two years ago?
- Which point from 1 through 5 best represents your endpoint strategy now?
- Which point from 1 through 5 best represents your endpoint strategy in two years?
To illustrate the type of responses we expected, an answer of 2, 3, 4 would be interpreted as a shift right in endpoint strategy over a five year period from 2017 to 2021. An answer of 4, 3, 2 would be interpreted as a decision to focus more on prevention via shift left. Answers that did not change such as 3, 3, 3 would be interpreted as a strategy that has not and does not require adjustment for any reason (or that cannot be adjusted for some reason).
To help determine the best meaning of the points along the spectrum (and between), we included some brief operational descriptions in the diagram, including higher or lower software license costs. We allowed responders to use decimals to represent some point on the line between two integers. All responses came quickly, some with explanatory narrative, but all with the request that we suppress detailed attribution. (Participating industries included ISPs, Non-Profits, Finance, Consulting, Pharmaceuticals, Tech, and Private Equity.)
The results of the endpoint survey included a dozen responses of the form X, Y, Z – as outlined above. None of the responses included a five in any position. Two included a one. The simple average of the X, Y, Z responses seems the best way to represent our findings and it was 2.0. 2.6, 3.0. Our interpretation of this is a gradual four-year shift to the right with the hopes of achieving some meaningful balance between preventive and reactive security.
It is rare that a small survey with such a modest set of responders would provide such a clearly displayed strategic trend for endpoint security. Furthermore, the trend would seem to match up with one’s sensibility of the best strategies for addressing endpoint cyber risk over this 2017 to 2021 period. It is also worth noting that all but one responders demonstrated a clear shift right, so the responses were pretty uniform.
As always, please share your own thoughts on these results. If you would like, please share your own X, Y, Z responses in the discussion forum below. Let’s see if your endpoint security strategy matches what we discovered in our survey. I look forward to hearing from you.