More data is not inherently better. In fact, without the right tools, strategies, and skills in place, an abundance of data can hinder rather than help an organisation’s cyber security efforts. To be truly secure and avoid breaches efficiently, companies should switch from indiscriminate data collection to prioritising quality over quantity. They can do this by investing in learning and training, shifting left in security, and cautiously embracing AI.
Context
Organisations are collecting data faster than they can make sense of it.
From vulnerability scans to compliance reports and device and application logs, the sheer volume of information organisations gather can be overwhelming. Yet, despite this abundance of data, many companies struggle to extract meaningful insights and effectively protect their assets.
To help companies address this challenge, we examine below why more data doesn’t always mean better security, how the human factor influences data management, and how AI steps in to save the day—or does it?
The article is supported by the knowledge and expertise of Tony Gonzalez, CRISC, CDPSE, QTE, a Fortune 50/500 Cyber Security Executive and Advisor, and Dan Haagman, CEO of Chaleit. Together, they offer a valuable perspective on the data overload problem in cyber security, exploring its root causes and outlining practical strategies for overcoming it.
Causes and challenges of data overload
Exponential growth
The volume of data organisations generate nowadays is staggering — and keeps growing. According to IDC, the global datasphere is expected to reach 175 zettabytes by 2025 (from 33 zettabytes in 2018), which shows we’re witnessing an explosion in data.
For businesses, this is a double-edged sword: on the one hand, data can provide valuable insights that drive innovation, efficiency, and competitive advantage. On the other hand, organisations are drowning in data, overwhelmed by its sheer volume and struggling to extract meaningful information.
The data overload is especially severe in cyber security. From vulnerability scans and device logs to compliance reports, the volume of information can lead to a situation where critical insights are buried underneath mountains of irrelevant data.
Despite the wealth of available data, many businesses find themselves at a loss when it comes to effectively protecting their assets. In a 2023 report by the Ponemon Institute, 27% of organisations admitted to missing critical security events due to the overload of alerts and the inability to prioritise them.
This paradox — where more data often leads to less actionable insights — is becoming a pressing issue for cyber security leaders.
Obsession with metrics
Another factor contributing to the data overload is the industry’s obsession with metrics. Organisations often fall into the trap of measuring everything possible without carefully considering which metrics are relevant to their specific context and goals.
Both Tony and Dan agree that while the industry is making progress, the challenge is that everyone has different priorities. What’s important for one organisation may not be for another.
With a hit-or-miss approach to measurement that neglects context and clear KPIs, company resources are less effective, and the threat of exposure or compromise becomes more likely.
Organisations need to take a step back and critically evaluate which metrics are most relevant to their specific industry and regulatory environment, and which are good measures of their organisation’s cyber security risk posture.
Competitive pressure
The pressure to remain competitive and acquire the latest, most advanced tools can often lead to the collection of excessive data and to over-allocating precious budget.
The cyber security industry has long operated under the assumption that more data equates to better security and that the latest tools will automatically be more efficient.
However, this approach has led to what Tony calls the “shiny bobble syndrome.” Organisations invest in the latest tools and technologies for the wrong reasons, generating vast amounts of data without purpose, and without the resources or expertise to analyse and act upon this information properly.
“We have plenty of data but not much information,” Tony notes. We see this often in the industry, where security teams are inundated with alerts, logs, and reports from various sources: firewalls, endpoint protection systems, vulnerability scanners, intrusion detection systems, and more. The result is a fragmented landscape of overlapping data points.
This is where many organisations fall short, focusing on quantity over quality in their data collection efforts. Without effective tools or methodologies to consolidate and analyse this data, the result is information paralysis — where teams cannot act swiftly or decisively due to the sheer volume of data they must process.
The challenge lies not just in collecting data but in efficiently processing it to identify truly unique and actionable insights. As Tony points out, “Having the capability to hash through all that to say, ‘Okay, this is purely the unique stuff, and on top of that, these are the ones that we really want to pay attention to,’ that’s always been the challenge.”
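The consolidation step Tony describes (collapsing overlapping alerts from firewall, EDR and scanner feeds into unique findings, then surfacing the few that matter) can be shown concretely. The following is an added example, not code from the article or from Chaleit: it normalises constructed alerts in three assumed vendor shapes to a common record, fingerprints them so duplicates merge into one finding, and ranks findings by severity weighted with an assumed asset-criticality table and a small bonus for corroboration across sources. The source names, field names and criticality values are all constructed for the example.

```python
"""Consolidate overlapping security alerts and rank the unique findings.

Added example (not from the article). Raw alerts from three assumed sources
are normalised, de-duplicated by (asset, finding) fingerprint, then scored
so the handful worth an analyst's attention surface first.
"""
from dataclasses import dataclass, field

# Constructed raw alerts in three vendor-specific shapes (assumed formats).
RAW_ALERTS = [
    {"src": "firewall", "dst_ip": "10.0.1.5", "sig": "Remote code execution attempt", "sev": "high"},
    {"src": "firewall", "dst_ip": "10.0.1.5", "sig": "Remote code execution attempt", "sev": "high"},
    {"src": "edr", "host": "db-01", "ip": "10.0.1.5", "rule": "remote code execution attempt", "severity": 8},
    {"src": "vulnscan", "asset": "10.0.1.5", "plugin": "Unpatched web server", "cvss": 9.8},
    {"src": "vulnscan", "asset": "10.0.7.20", "plugin": "TLS certificate expires soon", "cvss": 2.0},
    {"src": "edr", "host": "kiosk-03", "ip": "10.0.7.21", "rule": "Potentially unwanted application", "severity": 3},
]

# Assumed business criticality per asset (3 = crown jewel, 1 = low value).
ASSET_CRITICALITY = {"10.0.1.5": 3, "10.0.7.20": 1, "10.0.7.21": 1}

# Map the firewall's word-based severity onto the 0-10 scale the others use.
SEV_WORDS = {"low": 3, "medium": 5, "high": 8, "critical": 10}


@dataclass
class Finding:
    asset: str
    title: str
    severity: float
    sources: set = field(default_factory=set)
    count: int = 0          # how many raw alerts collapsed into this finding


def normalise(alert):
    """Turn one vendor-specific alert into a common Finding record."""
    src = alert["src"]
    if src == "firewall":
        return Finding(alert["dst_ip"], alert["sig"], SEV_WORDS[alert["sev"]], {src}, 1)
    if src == "edr":
        return Finding(alert["ip"], alert["rule"], float(alert["severity"]), {src}, 1)
    if src == "vulnscan":
        return Finding(alert["asset"], alert["plugin"], float(alert["cvss"]), {src}, 1)
    raise ValueError(f"unknown source {src!r}")


def fingerprint(finding):
    """Key that makes the same problem on the same asset compare equal
    regardless of which tool reported it or how it capitalised the title."""
    return (finding.asset, " ".join(finding.title.lower().split()))


def consolidate(raw_alerts):
    """Merge duplicates: keep the highest severity, union the sources,
    and count how many raw alerts the finding absorbed."""
    merged = {}
    for alert in raw_alerts:
        f = normalise(alert)
        key = fingerprint(f)
        if key in merged:
            m = merged[key]
            m.severity = max(m.severity, f.severity)
            m.sources |= f.sources
            m.count += 1
        else:
            merged[key] = f
    return list(merged.values())


def risk_score(finding, criticality=ASSET_CRITICALITY):
    """Severity weighted by asset value, plus 25% per extra corroborating source."""
    corroboration = 1.0 + 0.25 * (len(finding.sources) - 1)
    return round(finding.severity * criticality.get(finding.asset, 1) * corroboration, 2)


def triage(raw_alerts, top_n=3):
    """Return the top_n unique findings an analyst should look at first."""
    findings = consolidate(raw_alerts)
    findings.sort(key=risk_score, reverse=True)
    return findings[:top_n]


if __name__ == "__main__":
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(consolidate(RAW_ALERTS))} unique findings")
    for f in triage(RAW_ALERTS):
        print(f"{risk_score(f):6.2f}  {f.asset:<10} {f.title} "
              f"[{', '.join(sorted(f.sources))}, x{f.count}]")
```

Six raw alerts become four unique findings; the remote code execution attempt on the critical host rises to the top because two independent sources corroborate it, while the low-value kiosk and expiring certificate fall to the bottom. In practice the fingerprint and the criticality table are where organisational context enters, which is exactly the context the article says indiscriminate collection lacks.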
The skills gap
The data overload problem is compounded by the scarcity of skilled cyber security professionals and the lack of proper use of people’s talents.
According to Cybersecurity Ventures, there will be 3.5 million unfilled cyber security jobs globally by 2025. So, there is a lack of professionals throughout the industry.
At the same time, Tony explains that organisations often hire highly talented individuals with the expectation that they will drive innovation and tackle complex security challenges. However, these same professionals quickly find themselves bogged down by mundane tasks such as log reviews and routine vulnerability assessments.
He compares cyber security teams to medical professionals from the perspective of diversity of roles. Just as an ER doctor is focused on triage and a neurosurgeon saves lives through very specific expertise, cyber security experts should focus on their strengths. For example, a Security Operations Center analyst manages incoming issues, threat analysis and incident response, while a senior-level executive deals with high-level plans, decisions and executive engagement, to name a few responsibilities in either case. Make them switch places, and both will have a high likelihood of failure.
Companies need creative thinkers who can challenge the status quo and drive innovation. They also require individuals who can handle the day-to-day operational tasks. The McKinsey Global Institute notes that automation could solve part of the problem by taking over repetitive tasks, allowing professionals to focus on more strategic activities.
Automation can enable organisations to better manage data by automating the initial filtering and processing stages, leaving human analysts to focus on high-level insights, prioritisation and decision-making. However, as we discuss further in the article, relying only on the promise of new technologies will not yield the expected outcomes.
Reactive security stances
One area where the data problem is particularly evident is in vulnerability management.
For example, the US National Vulnerability Database (NVD) has tracked an increasing number of Common Vulnerabilities and Exposures (CVEs) over the past decades.
This growing list of vulnerabilities is a significant challenge for organisations, as many find themselves in a continuous state of chasing potential problems with few resources to remediate them.
The emphasis on post-launch vulnerability scanning exacerbates this issue. Tony describes it as “chasing the horse after it’s left the gate.” The traditional approach of post-launch scanning and periodic vulnerability assessments means that organisations are always playing catch-up, dealing with issues that have already made their way into production environments.
This reactive stance is often caused by fast-paced development cycles where there is pressure to deliver new functionalities quickly. “It’s all about bigger, quicker, faster,” Tony explains. Ensuring code and infrastructure cleanliness, along with addressing cloud security challenges like virtual servers and dynamic provisioning, can be complex.
The result is a growing attack surface and more opportunities for exploiting vulnerabilities. To break this cycle, organisations need to shift towards a more proactive approach, integrating security measures earlier in the development process and throughout the entire lifecycle of their systems and applications.
A proactive “shift left” approach — integrating security measures earlier in the development cycle — can help organisations reduce vulnerabilities before they become critical problems. More on this in the next section.
Strategies to deal with data overload
Prioritise quality over quantity
It’s clear that the mantra “more is better” is not yielding the best results. Instead of attempting to collect and analyse every possible data point, organisations should focus on identifying the most relevant and impactful information for their specific context.
This shift requires a deep understanding of your organisation’s architecture, asset portfolio, data and risk profile, industry-specific threats, and regulatory requirements. Instead of trying to analyse everything, security teams should focus on the most valuable data, which will help them prioritise risks and focus on the issues of organisational importance.
A focused approach not only reduces the noise in security operations but also enhances the team’s ability to detect and respond promptly to genuine threats.
Invest in skills and training
Organisations must address the widening skills gap by prioritising investments in their workforce and developing professionals who can effectively interpret and act upon security data. “You react based on experience,” Tony explains.
Experience goes beyond technical skills and requires cultivating a blend of analytical thinking, business sense, and strategic decision-making capabilities.
It’s important for cyber security and technical teams to develop talent pipelines and look for new innovative ways to address skill gaps and lessen the burden of recruiting cyber security talent.
Moreover, creating a work environment that fosters growth to retain top cyber security professionals and help them stay sharp and prepared for new challenges is essential.
Lastly, be aware of your investing bias. As Roscoe Platt, VP of Client Services, explains in an article, "It's much easier for companies to approve a multi-million dollar spend on a vendor solution than to allocate a much smaller budget for hiring and training analysts."
Tools are important and an integral part of all cyber security programs, but they are still dependent on skilled human intervention to deliver optimum value. Skilled analysts and proper training are essential to make the most of them and the data they generate.
Shift left in security
The traditional approach of implementing security measures after development and deployment is creating too many problems down the line.
Organisations need to “shift left” in their security practices, integrating security considerations earlier in the development and deployment process. This proactive stance can significantly reduce the need for reactive vulnerability management and minimise the risk of security issues making their way into production environments.
Addressing potential vulnerabilities and security issues early helps organisations reduce the cost and effort associated with data collection, prioritisation, and remediation. The result is an improved overall security posture and a culture of security awareness among development teams.
Refine measurement strategies
Not all metrics provide meaningful insights, and an overabundance of data can obscure truly important trends and issues.
It’s crucial to regularly review and adjust your security metrics to ensure they align with your organisation’s goals and provide actionable intelligence.
Start by identifying KPIs directly related to your organisation’s security objectives and risk tolerance. These might include metrics such as mean time to detect and respond to incidents, the number of critical vulnerabilities in production systems, or the percentage of employees who have completed security awareness training.
Also, structure your metrics into those that focus on operational performance and measurement and those that are easily explainable and can be communicated clearly to senior leaders and board directors.
You may need a few more metrics to gain clarity and connect the dots between your cyber security posture performance and cyber investments for your board conversations.
Nothing is stagnant, so periodic reassessment of these metrics will ensure they remain relevant and keep up with the changing internal and external cyber security landscape.
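The KPIs listed above (mean time to detect and respond, critical vulnerabilities in production, training completion) only become useful when they are computed consistently and compared against the organisation's stated risk tolerance. The following is an added example, not from the article or from Chaleit: it derives those three KPIs from constructed incident, vulnerability and training records, then checks each against an assumed set of targets so that the periodic review the section recommends has a concrete output. Record formats, the CVSS 9.0 threshold for "critical", and the target values are all assumptions.

```python
"""Compute a small set of security KPIs and check them against targets.

Added example (not from the article). All records below are constructed;
the field names and target values are assumptions for illustration.
"""
import operator
from datetime import datetime
from statistics import mean

# Constructed incident records (ISO timestamps). INC-3 is still open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00", "contained": "2024-03-01T14:00"},
    {"id": "INC-2", "occurred": "2024-03-05T22:00", "detected": "2024-03-06T06:00", "contained": "2024-03-06T07:30"},
    {"id": "INC-3", "occurred": "2024-03-10T12:00", "detected": "2024-03-10T12:30", "contained": None},
]

# Constructed vulnerability scan results.
VULNS = [
    {"asset": "web-01", "env": "production", "cvss": 9.1, "status": "open"},
    {"asset": "web-01", "env": "production", "cvss": 6.5, "status": "open"},
    {"asset": "db-01", "env": "production", "cvss": 9.8, "status": "fixed"},
    {"asset": "test-02", "env": "staging", "cvss": 9.4, "status": "open"},
]

# Constructed training roster.
EMPLOYEES = [
    {"name": "a", "awareness_done": True},
    {"name": "b", "awareness_done": True},
    {"name": "c", "awareness_done": False},
    {"name": "d", "awareness_done": True},
    {"name": "e", "awareness_done": True},
]

CRITICAL_CVSS = 9.0  # assumed cut-off for "critical"

# Assumed risk-tolerance targets: KPI name -> (comparison, target value).
TARGETS = {
    "mean_time_to_detect_hours": ("<=", 4.0),
    "mean_time_to_respond_hours": ("<=", 2.0),
    "critical_vulns_in_production": ("==", 0),
    "training_completion_pct": (">=", 90.0),
}
_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq}


def _hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mean_time_to_detect_hours(incidents):
    """Average gap between an incident occurring and being detected."""
    deltas = [_hours_between(i["occurred"], i["detected"]) for i in incidents]
    return round(mean(deltas), 2) if deltas else None


def mean_time_to_respond_hours(incidents):
    """Average gap between detection and containment; open incidents are
    excluded rather than silently counted as zero."""
    deltas = [_hours_between(i["detected"], i["contained"]) for i in incidents if i["contained"]]
    return round(mean(deltas), 2) if deltas else None


def critical_vulns_in_production(vulns, threshold=CRITICAL_CVSS):
    """Count open findings at or above the critical threshold in production only."""
    return sum(1 for v in vulns
               if v["env"] == "production" and v["status"] == "open" and v["cvss"] >= threshold)


def training_completion_pct(employees):
    done = sum(1 for e in employees if e["awareness_done"])
    return round(100.0 * done / len(employees), 1) if employees else None


def security_kpis(incidents=INCIDENTS, vulns=VULNS, employees=EMPLOYEES):
    """The handful of numbers a board conversation can be built on."""
    return {
        "mean_time_to_detect_hours": mean_time_to_detect_hours(incidents),
        "mean_time_to_respond_hours": mean_time_to_respond_hours(incidents),
        "critical_vulns_in_production": critical_vulns_in_production(vulns),
        "training_completion_pct": training_completion_pct(employees),
    }


def kpi_breaches(kpis, targets=TARGETS):
    """Names of KPIs that fall outside the stated tolerance."""
    return [name for name, (op, target) in targets.items()
            if kpis.get(name) is None or not _OPS[op](kpis[name], target)]


if __name__ == "__main__":
    kpis = security_kpis()
    for name, value in kpis.items():
        print(f"{name:<32} {value}")
    print("outside tolerance:", kpi_breaches(kpis))
```

With the constructed data, detection is within target (3.5 hours) while response time, the open critical finding on a production host and the 80% training completion all fall outside tolerance. Keeping the target table separate from the computation is what makes the periodic reassessment cheap: thresholds change as the risk appetite changes, the arithmetic does not.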
Embrace AI thoughtfully
As organisations struggle with data overload challenges, many turn to artificial intelligence technologies as a solution. AI and automation have the potential to help security teams process vast amounts of data more efficiently and identify patterns that might be missed by human analysts.
However, Tony and Dan warn that AI is not a magic bullet.
Tony sees AI as a tool that can “help to streamline the roles of individuals within cyber security” and potentially alleviate some of the industry’s burnout by automating mundane tasks and helping analysts become highly efficient investigators, as opposed to transaction processors. AI could free up valuable human resources to focus on more complex, strategic work that is more fulfilling, and lessen the burnout effect on cyber security staff.
Dan points out that it’s crucial to approach AI cautiously. There’s a risk that AI could exacerbate the data problem by demanding even more input and generating additional tools and scanners. AI should be used as a complement to human expertise rather than a replacement for it.
"Short-term scepticism and longer-term hope" is also a sentiment echoed in Gartner's top cyber security trends for 2024. Gartner advises security leaders to be proactive in adopting GenAI technologies but vigilant regarding ethical and secure usage.
In conclusion, while AI can help streamline processes and reduce the burden on human analysts, it can also introduce new complexities. Moreover, “It’s not going to be a one-and-done; you just deploy it in and walk away,” Tony warns. Like any tool, AI systems require ongoing nurturing and fine-tuning to deliver value in the cyber security context, where new threats emerge daily.
The path forward
With the strategies highlighted above at hand, organisations can better deal with data overload and transform raw information into actionable security intelligence.
As our experts highlight, the goal is not to eliminate data collection but to create a more focused, efficient approach that enables security teams to stay ahead of threats without drowning in irrelevant information.
The path to effective cyber security in the age of big data is not about having more information but about having the right information and the wisdom and capability to use it effectively.
We must rethink our approach to data collection, analysis, and action to build more resilient, agile security operations that are truly equipped to protect organisations. More focus and simplicity will also help reduce the high levels of stress and burnout that are plaguing the industry.
If you’d like to discuss your particular data and security challenges with Chaleit’s experts, contact us. We’re happy to listen and work together to come up with the best solutions for your organisation’s needs.
Subscribe to Cyber Strategy Collective for more deep dives into real-world issues from top cyber security experts.
About the authors
Tony Gonzalez
Tony Gonzalez, CRISC, CDPSE, QTE is an award-winning CISO, leader, speaker and investor who has 30+ years’ experience in CISO, CTO, and CIO positions in pharmaceutical, biotech, specialty chemical, financial services and insurance organisations.
Tony has led multinational and highly diverse organisations for Pfizer, Chemtura Corporation, Prudential Financial and QBE Insurance, and was named one of CISOs Connect™ 2023 Top 100 CISOs in North America. He was also nominated for the ISE East Leadership Award in 2023.
Tony has built IT Security and Risk organisations in global companies from $50 million to $50+ billion in sales. These organisations benefited from the development of processes, policies and controls that achieve security and regulatory compliance, with a focus on actively looking for ways to reduce organisational risk while delivering business value.
Now, through Innervision Services LLC, Tony continues to provide strategic advisory and consulting services to startups and established cyber security and technology organisations to help them achieve their immediate and long-range goals and potential. His years of experience and leadership have been valuable to the organisations he has had and continues to have relationships with.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit and a seasoned leader in global cyber security consulting.
With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.
Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan’s vision for the industry’s future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.
Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Tony Gonzalez. Dan Haagman’s views also reflect the official stance of Chaleit, while Tony Gonzalez’s views are his own and do not necessarily represent the official position of his organisations. Both authors share their perspectives to foster learning and promote open dialogue.