Cybersecurity has been with us for decades, yet it’s still a young and maturing industry—and not surprisingly. Every enterprise that cybersecurity supports is still moving along their own digital transformation journey. Some are in the early stages, lifting and shifting their on-prem workloads to the cloud. Others are well along the path, taking on new SaaS (Software as a Service) applications and developing their own cloud-native solutions to serve customers better, build efficiency into their operations, and transact with greater ease.

But all those advancements come with cyber risk. Increasingly, enterprises have recognized the new threats posed by operating in cloud and SaaS environments. However, to date, what most organizations have focused on is the protection aspect of their cloud security: keeping bad actors out. It may be a mindset left over from the on-prem days of establishing a strong perimeter. As the perimeter has dissolved as cloud and SaaS adoption has risen, it’s not only protection that enterprise must consider, but also response and resilience when those protective layers are breached.

Rebalancing Your Cyber Investment Strategy

Today, it’s likely that your organization has a cybersecurity investment strategy that is somewhere in the neighborhood of 90/10, with 90% being spent on prevention and 10% allocated to detection and incident response. At a time when enterprises hold more data than ever in the cloud (and out of their control) and cloud and SaaS attacks continue to increase in frequency and sophistication, it’s an equation that needs some rethinking.

The evolving perspective stems from a growing realization: In modern digital landscapes, cyber attacks are inevitable. Rather than pouring resources into the increasingly elusive goal of complete prevention, the focus is shifting towards minimizing the impact of these unavoidable breaches.

In today’s environment, instead of disproportionately favoring threat prevention, a more balanced allocation that allows for greater investment in detection and response is needed. A 70/30 split is a sensible starting point, but the exact figures will depend on each organization's unique needs and risk profile. Depending on the breadth of your cloud estate and the value it represents for your enterprise, over time that allocation may be 60/40.  

It’s important for executive and security teams to come together to understand what cloud and SaaS represent in terms of value, agree on the enterprise’s level of risk tolerance, and plan forward. The goal should be to maximize the impact of cyber investment dollars, while working to protect the value held within the cloud, and your enterprise overall.

Redirecting Cyber Investment to Modern Solutions

As you reallocate investment toward a strategy that elevates incident response and organizational resilience, it’s not only the amount of resources given to these areas that needs to shift. The types of solutions you spend on should be reconsidered too. For example, up to now, IR (incident response) dollars were likely designated for a retainer, so that if a breach happened you had someone on call to address the problem.

However, with the attack landscape moving at cloud speed, it’s not enough to have a team on speed dial after the fact. Enterprises need solutions that enable a proactive incident response approach so that you’re gathering and analyzing all the data you need for forensic investigation continually, before being breached. It’s also important to gain continuous value from your investment dollars—focusing on methods that strengthen your visibility, hunting capabilities, and compliance at the times when you’re “at peace,” rather than directing your spend in ways that have mostly war time value.

CIRA Supports Modern Investment Strategies

Cloud Investigation and Response Automation (CIRA) is an emerging set of capabilities designed to support the detection and response needs of modern organizations. There is an obvious benefit of transitioning from the traditional retainer model to a SaaS-based solution that emphasizes continuous monitoring, preparation, and dramatically accelerated response. Leveraging a CIRA platform helps enterprises ensure that they are prepared for inevitable incidents, can respond to them quickly and effectively, and minimize impact. By turning potential crises into manageable occurrences, CIRA isn’t simply a risk mitigation investment, but an operating expense that supports business enablement and organizational resilience.

Learn more about what’s taking the place of traditional IR for cloud and SaaS.