Having worked for the last 30+ years in cyber and risk, I am well versed in the challenges involved with how to get value from each existing security investment and the complexities with approaching security tool-box consolidation. At times it feels like we built the security industry on our tools, instead of designing and implementing processes to protect the environment and manage risk and THEN selecting the tool(s) that help facilitate those processes. It’s an endemic industry issue, which is why last month we decided to probe further by surveying 200 enterprise security leaders to get insight into their experiences as well.
The results were a cause for concern. On average, security teams are grappling with 57.1 discrete security tools. Over a quarter of respondents (26.5 percent) claimed to be running 76+ security tools across their organization. When asked how effective their current security tools were, 7.5 percent of respondents admitted that they didn’t measure the ROI of security tools at all. Less than a third (29.5 percent) measured the effectiveness of their existing tools via the reduction in overall cyber risk.
Clearly, there is a need for security teams to consolidate their security solutions to increase visibility, reduce clutter, manage costs and simplify their cybersecurity processes. However, before I outline the lessons I learned and my proposed best practice for approaching consolidation, it’s important that we are clear about why security teams are facing this situation.
For the past few decades, many security teams have let the technology (i.e., the security solutions) drive their security strategy. Ultimately this is letting the tail wag the dog. Good security is built from a sound strategy and framework, implemented through people, with robust, repeatable processes and lastly technology. While we have a plethora of tools to identify many security risks, we have few that reduce the risks and sustain that reduction and crucially, can demonstrate this value.
Over time, security leaders have continued buying tools and rarely decommission any. When asked about the key drivers for commissioning a new tool, the biggest drivers were trying to adhere to new regulations (26.50 percent), requests from the Board (20.50 percent) and seeing that a close competitor had been attacked (15.50 percent).
This confused strategy has compounded the problem resulting in many companies having too many tools, with overlapping functionality and gaps in coverage. This situation is encapsulated by the fact that the vast majority of companies don’t know their security posture, or where their most significant risks are on a day-to-day basis – despite spending millions on a vast array of tools.
So yes, we need to see a consolidation/reduction in the number of security tools we use, and we need to establish discipline around the process to add new security solutions. However, it’s not as simple as going through each of the tools and deciding if it is adding value or whether it can be provided by another tool. Instead, we need to approach rationalizing our security tools using two core fundamentals:
- Each security tool should align to a significant risk in the security framework. In other words, the framework drives the need for the tool, not vice versa
- Each security tool implemented should reduce risk to the company, be able to measure that reduction in risk, and be capable of sustaining that reduction. This usually means the tool must be combined with processes and other tools to provide an end-to-end process that manages a particular security risk. In other words, the solution must have a positive ROI for the company.
By developing a security framework based on NIST or some other standard, and then selecting a set of security controls around each category of security, a comprehensive view of your security landscape can be developed. From that view, we can take each significant area of security and begin to develop systems and processes that achieve those controls. However, it is important to note that compliance does not equal secure. Security solutions should not be implemented solely for the sake of compliance; they also need to assist with reducing risk and adding value to the company.
It was also interesting to note that nearly a third of the senior security respondents (31 percent) said that they were concerned that lack of visibility and insight into trusted data will impact their ability to adhere to regulations. Ensuring that tools help rather than hinder the organization must be a priority for security teams, given the increasing scrutiny from regulators. Only after developing these processes do we begin to select tools that help implement and control the processes. Each tool should fulfill a specific need in the security controls framework.
The ultimate objective of having security systems is to lower the risk of an event occurring that negatively impacts the company (e.g., financial, reputational, or regulatory risk). It’s important that we keep this in mind when designing processes and selecting security tools. As we implement security processes and tools, we need to ensure that the end solution covers the entire intended landscape across the company, provides sufficient information to act and lastly that it sustains the control, which should involve automating the control and monitoring processes.
It’s also crucial that the rationalization is aligned to risk. After all, systems and tools deliver differing levels of risk reduction for the organization. Prioritizing the ones with the highest risk reduction will deliver the greatest ROI.
Ultimately, by aligning risks in the security framework, based on NIST or some other standard, with the required controls, CISOs can then look at what products and processes achieve these control objectives and start to rationalize their tool-box. By taking a rational, risk-based approach to consolidation, there is a clear process to decommission obsolete tools and solve some serious cybersecurity issues permanently.
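The two fundamentals above (every tool aligned to a framework risk, every tool judged by the risk reduction it delivers and sustains) lend themselves to a simple inventory model. The following Python script is an added example, not part of the original article and not any vendor's product: it assumes a constructed control list labelled with NIST CSF 1.1 style identifiers, illustrative risk weights, and invented tool names, costs and effectiveness fractions. Given that inventory it reports controls no tool covers, controls that several tools overlap on, a priority order by risk reduction, and the tools that are decommission candidates because they map to no control or are covered at least as well by a tool being kept.

```python
"""Worked tool-rationalization model (an added illustration, not the article's
own method or data): map every tool to the framework controls it supports,
score it by the risk reduction it delivers, then surface coverage gaps,
overlapping tools and decommission candidates."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str      # framework control label (NIST CSF 1.1 style IDs used below)
    risk_weight: float   # constructed: annual loss exposure the control is meant to reduce


@dataclass(frozen=True)
class Tool:
    name: str
    annual_cost: float
    # control_id -> fraction (0.0-1.0) of that control's risk the tool is assessed to remove
    effectiveness: Dict[str, float] = field(default_factory=dict)


def risk_reduction(tool: Tool, controls: Dict[str, Control]) -> float:
    """Risk the tool removes: risk_weight * effectiveness, summed over mapped controls."""
    return sum(controls[c].risk_weight * eff
               for c, eff in tool.effectiveness.items() if c in controls)


def net_value(tool: Tool, controls: Dict[str, Control]) -> float:
    """Risk reduction minus annual cost; negative means the tool costs more than it saves."""
    return risk_reduction(tool, controls) - tool.annual_cost


def coverage_gaps(tools: List[Tool], controls: Dict[str, Control]) -> List[str]:
    """Framework controls that no tool claims to support."""
    covered = {c for t in tools for c in t.effectiveness}
    return sorted(c for c in controls if c not in covered)


def overlaps(tools: List[Tool], controls: Dict[str, Control]) -> Dict[str, List[str]]:
    """Controls supported by more than one tool, with the names of those tools."""
    by_control: Dict[str, List[str]] = {}
    for t in tools:
        for c in t.effectiveness:
            if c in controls:
                by_control.setdefault(c, []).append(t.name)
    return {c: sorted(names) for c, names in by_control.items() if len(names) > 1}


def decommission_candidates(tools: List[Tool], controls: Dict[str, Control]) -> List[str]:
    """Tools mapped to no control, or whose every control is covered at least as
    effectively by a tool that is being kept. The weakest net value is examined
    first so that, of two identical tools, only one is dropped."""
    keep = sorted(tools, key=lambda t: net_value(t, controls))
    dropped: List[str] = []
    for t in list(keep):  # iterate over a copy; 'keep' shrinks as tools are dropped
        mapped = [c for c in t.effectiveness if c in controls]
        others = [o for o in keep if o is not t]
        redundant = not mapped or all(
            any(o.effectiveness.get(c, 0.0) >= t.effectiveness[c] for o in others)
            for c in mapped)
        if redundant:
            keep.remove(t)
            dropped.append(t.name)
    return sorted(dropped)


def rank_by_risk_reduction(tools: List[Tool], controls: Dict[str, Control]) -> List[str]:
    """Tool names ordered by the risk reduction they deliver (highest first)."""
    return [t.name for t in sorted(tools, key=lambda t: (-risk_reduction(t, controls), t.name))]


# Constructed sample inventory; weights and effectiveness fractions are illustrative only.
CONTROLS = {c.control_id: c for c in [
    Control("PR.AC-1", 500_000),  # identity and credential management
    Control("DE.CM-1", 300_000),  # network monitoring
    Control("PR.DS-1", 200_000),  # data-at-rest protection
    Control("RS.MI-1", 150_000),  # incident containment
    Control("RC.RP-1", 100_000),  # recovery planning (no tool below covers it)
]}

TOOLS = [
    Tool("IdP-MFA", 80_000, {"PR.AC-1": 0.7}),
    Tool("LegacyNetSensor", 60_000, {"DE.CM-1": 0.4}),
    Tool("NDR", 120_000, {"DE.CM-1": 0.6, "RS.MI-1": 0.3}),
    Tool("DLP-Agent", 50_000, {"PR.DS-1": 0.5}),
    Tool("ThreatFeedViewer", 30_000, {}),                # maps to no control
    Tool("DuplicateScanner", 40_000, {"DE.CM-1": 0.4}),  # same coverage as LegacyNetSensor
]

if __name__ == "__main__":
    print("gaps:", coverage_gaps(TOOLS, CONTROLS))
    print("overlaps:", overlaps(TOOLS, CONTROLS))
    print("priority:", rank_by_risk_reduction(TOOLS, CONTROLS))
    print("decommission:", decommission_candidates(TOOLS, CONTROLS))
```

The effectiveness fractions are the hard part in practice: they have to come from measured outcomes (coverage of the estate, findings actually remediated and kept closed), not from the vendor's datasheet, or the ranking simply reproduces the tool-driven thinking the article warns against.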
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.