Study: Less is More in Security

Hong Kong firms are drowning in security complexity, a recent Frost & Sullivan study said.

The report, commissioned by Microsoft and entitled Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, noted that Hong Kong companies lose up to 10% of the territory’s total GDP, or USD 32 billion.

More importantly, the report debunked the popular belief that today's cybersecurity environment requires a broad portfolio. In fact, too many security tools can reduce a firm's ability to mitigate risks.

According to the study, only 33% of respondents with more than 50 cybersecurity solutions could recover from cyberattacks within an hour. In contrast, 56% of respondents with fewer than ten cybersecurity solutions recovered from cyberattacks within an hour.

"One would think that the more solutions you have, the better my scenario gets. But once it reaches more than 50 solutions, the number of security incidents jumps. Also, the recovery times become slower. It shows complexity is a big issue," Kenny Yeo, Industry Principal, Cyber Security, IoT and Connected Industry, APAC ICT Practice, Frost & Sullivan said.

Michael Montoya, Chief Cybersecurity Officer, Microsoft Asia, agreed. “There is no silver bullet in cybersecurity. Defense and depth should be your strategy. The challenge though is when we look for solutions that we need, we start compiling them and end up with a security sprawl where none of the solutions talk to each other,” he said.

Montoya, who acknowledged Microsoft itself is continually battling to reduce the security sprawl, noted that complexity is challenging but necessary.

"So, what is the right number of solutions for an organization? It is up to the organization to decide. However, a best-of-breed approach leads to a massive security sprawl. Also, threat actors know this and take advantage of the complexity," he added.

Firms need to focus on getting a holistic view of their entire infrastructure.

“Complexity is a big issue. You cannot think that you can solve security problems by investing in another solution. You need to find how you can get the view of the organization end to end,” Yeo said, adding that security teams need to ensure proper configuration and interoperability, and be professionally trained.

The study also showed that many Hong Kong firms do not think about security when they begin their digital transformation journey. Only 13% considered cybersecurity before starting a project. The majority think about it after they start the project.

“Organizations need to start delivering ‘secure-by-design’ projects to deliver secure products to the market,” Yeo said.

Meanwhile, the study showed that Hong Kong firms do not see security as a business enabler. Thirty-nine percent of respondents saw a cybersecurity strategy only as a means to protect against cyberattacks, while only 17% saw it as a digital transformation enabler.