A US county government has a serious security problem and has seen an enormous increase in the number of malware infections during 2020, as shown in the following figure.
As shown in the figure, they implemented a new security solution on April 10th and saw a slight decrease in the number of malware infections. However, a week or so later they saw a big increase in endpoint infections and so deployed another security solution of the same type on May 14th. That didn’t seem to work either, with infections increasing steadily until July, at which point they dropped significantly. However, in late October infections once again started climbing, this time faster than before. So, on November 20th a different type of security solution was implemented. That made no dent in the rate of increase for malware infections, and so five days later the county’s CISO chose to deploy a different security solution, after which malware infections climbed at an even faster rate.
Nothing seems to be working: the current level of malware infection is now about 16 times what it was when the first security solution was implemented back on April 10th. To make matters worse, the security solutions that have been implemented have hampered employee productivity so badly that economic activity in the county has suffered significantly.
What should the county government leaders do at this point? Continue to implement one security solution after another, or perhaps try a different approach?
A CISO and security team with a good handle on malware infections like these would take a different approach, choose different solution providers, or copy what other governments facing the same problem have done to deal with outbreaks of this kind. There are good examples they could follow, but their CISO won't agree to consider them.
What would you do in this situation?