Usually, when it comes to cybersecurity spending, people tend to try to calculate risk, savings on breach costs, compliance gaps, reputation costs. Those are all very relevant, but it turns out that for the business, one of the most important aspects of cybersecurity is speed. Below are five different aspects of speed by which a cybersecurity solution (e.g. a SIEM) should be evaluated.
Speed of Incident Response
Usually referred to as “mean time to respond” (and “mean time to discovery”), this means that the faster you know about a security incident and the faster you can respond to it, by patching/blocking/disabling/reinstalling, the lower the risk for a serious breach. Malicious actors don’t always have scripted “breach procedures” – it takes time to first entry, then to do lateral movement and ultimately reach a valuable target (e.g. a database). The faster these attempts are discovered, the less likely it is that they will get to their target. For this metric, SIEM is typically the tool of choice, giving companies the ability to spot and respond to attacks in near real-time.
Speed of Getting up and Running
It’s very important to get a security product up and running fast, and getting the protection it offers immediately. You can’t afford to do a serious investment and then get the actual value one year later. SIEM is typically considered slow to get up and running, but that doesn’t have to be the case, especially if the log collection tools are flexible.
Speed of Onboarding Employees
Employees come and go and that’s why it should be really easy to onboard a new user of a security product. Unfortunately, many products have grown in complexity over the years and sometimes it takes highly experienced people to handle them, with SIEM being a prime example for complexity. Fortunately, there are products that are as simple as a SIEM could be, allowing faster onboarding and therefore reduced risk.
Speed of Purchase
Getting a product up and running is one thing, but actually purchasing it can be complex, including the whole decision-making process, quoting, and procurement. Dragging a purchase is almost as bad as dragging installation – it adds time during which your company is less protected. That’s why two components matter a lot – the pricing model and PoCs. A pricing model that allows immediately getting a quote eliminates a whole phase (e.g. user-based pricing models are much simpler than volume-based ones for SIEM). And the ability to do a PoC makes decision-making much easier, and it saves on installation after the purchase.
Speed of the Product
You may think that a product should by definition be fast enough. We are all used to getting instantaneous Google results and so any delay in searches and reports in a security product seem problematic. When SIEM is concerned, speed is usually a function of the underlying storage technologies used. Legacy products that use relational databases may be seen as slower, whereas modern ones using non-relational storage engines can return results to any query in milliseconds.
Speed matters because the faster it can become protected, the faster a company can innovate without fear of breaches and focus on its core business.
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.