Most CISOs have many, if not too many, security products and tools across their enterprise, according to Jim Doggett, US VP and CISO, Panaseer. He says CISOs should first develop a security framework with the required controls to enable them to look at what products and processes achieve these control objectives.
Today’s CISOs find themselves in a highly ironic situation – the tools they bought to make their lives easier are actually causing them more headaches. It’s so easy to get caught up in the latest security craze and buy a tool to solve it. Now we have ended up with too many tools that often integrate poorly, require different expertise, and provide too much data but no overall view of the security risk level.
Industry reports vary, but it’s estimated that the modern CISO has to contend with somewhere between 55 and 75 discrete security products. There are clear drivers for CISOs to consolidate their security solutions to reduce clutter, cut costs and simplify their procedures – here I outline the rationale and a proposed process.
How we became overloaded
For the past few decades, many security teams have let the technology (i.e. the security solutions) drive their security strategy. Ultimately this is letting the tail wag the dog. Good security is built from a sound strategy and framework, implemented through people, with robust, repeatable processes and technology that enables the strategy. While we have a plethora of tools to identify many security risks, we have few that reduce the risks and sustain that reduction.
Drivers to consolidate
Over time, as CISOs have continued buying tools and rarely decommissioned any, the problem has compounded: many companies now have too many tools with overlapping functionality, yet still have gaps in coverage. This situation is encapsulated by the fact that the vast majority of companies don’t know their security posture, or where their most significant risks are on a day-to-day basis – despite spending millions on a vast array of tools.
So yes, we need to see a consolidation/reduction in the number of security tools we use and we need to establish discipline around the process to add new security solutions. However, it’s not as simple as going through each of the tools and deciding if it is adding value or if its function is or can be provided by another tool. Instead, we need to approach rationalising security tools using two core fundamentals:
- Each security tool should align to a significant risk in the security framework. In other words, the framework drives the need for the tool, not vice versa
- Each security tool implemented should reduce risk to the company, be able to measure the reduction in risk and be capable of sustaining that reduction. This usually means the tool must be combined with processes and other tools to provide an end-to-end process that manages a particular security risk
How to approach consolidation – security framework
By developing a security framework based on NIST or some other standard, and then selecting a set of security controls around each category of security, you can build a comprehensive view of your security landscape. From that view, we can take each significant area of security and begin to develop systems and processes that achieve those controls.
Only after developing these processes do we begin to select tools that help implement and control the processes. Each tool should fulfil a specific need in the security controls framework. Here’s an example: let’s take the area of system vulnerability management. We shouldn’t start picking a tool to scan our systems until we understand all of the controls that manage the process to patch our systems on a timely and complete basis. We should only select the appropriate tool(s) once we understand what they must achieve. This example continues in the next section.
How to approach consolidation – sustainable risk reduction
The ultimate objective of having security systems is to lower the risk of an event occurring that negatively impacts the company (e.g. financial, reputational or regulatory risk). It’s important that we keep this in mind when designing processes and selecting security tools. As we implement security processes and tools, we need to ensure that the end solution:
- Covers the entire intended landscape across the company. For example, if we are only scanning 70% of the environment for system vulnerabilities, we may not be adequately reducing risk to the company
- Provides sufficient information to act. For example, if we select a system vulnerability scanner that provides great detail on the vulnerability and its inherent risk but no context on how important the affected system is to the company or who owns it, then the tool/system is not providing enough information to reduce the risk
- Lastly, it sustains the control, meaning it should automate the control and monitoring processes. Otherwise, the risk will grow again after expending efforts and monies to remediate
To further refine the approach to tools rationalisation for security, we also need to introduce the risk element. Not all systems and tools provide the same level of risk reduction for the company. By focusing on those security domains that carry the highest risk, one can prioritise the selection and implementation of security tools.
By taking this risk-based, end-to-end, and sustainable approach to implementing security processes (and their related tools), we can begin to permanently solve areas of security that have historically remained unsolved regardless of the number of tools and the money we have thrown at them. Armed with this newly available knowledge, we now have the opportunity to solve some of the longstanding areas of security permanently.
Not forgetting data quality
The problem of too many tools has steadily crept up over time. Throughout this, CISOs have also learned the hard way that despite what many security solutions state, there is no silver bullet solution to security. We always need multiple security solutions to cover the needed security controls to achieve adequate security, but not to the degree we have today.
While CISOs should look to consolidate security solutions where practical, they mustn’t forget that there is also an opportunity to derive better value out of their current solutions. To cut through the noise and data coming from tools, specifically those that identify vulnerabilities and control failures, a great place to start is increasing confidence that the data coming out of them is complete and accurate.
By also focusing on the enrichment of the data, CISOs can drive remediation more efficiently and know what to fix first to get the greatest ROI on their security investments. It also opens the door to automated analytics and reduces the need to manually work through multiple reporting processes for different tools. With consolidation, enhanced data quality and automation, the CISO can confidently enhance their company’s cyber-risk posture.
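The coverage, context and data-quality checks described in the sustainable risk reduction list and the data quality section (is the whole landscape scanned, does each finding carry an owner and business importance, is the inventory itself complete), as an added Python example that is not code from the article or from Panaseer; all hosts, owners, criticality scores and finding IDs are constructed placeholders.

```python
# Added example, not the article's code. Inventory, hosts and findings are
# constructed sample data; real values come from the CMDB and scanner export.
from collections import namedtuple

Asset = namedtuple("Asset", "host owner criticality")    # criticality: 1 (low) .. 3 (high)
Finding = namedtuple("Finding", "host vuln_id severity")  # severity: CVSS-style 0..10
# Constructed asset inventory: the intended landscape the control must cover.
INVENTORY = [
    Asset("web-01", "app-team", 3),
    Asset("db-01", "dba-team", 3),
    Asset("hr-01", "hr-it", 2),
    Asset("kiosk-07", None, 1),   # no recorded owner: nobody to route remediation to
    Asset("lab-03", "research", 1),
]

# Constructed scanner export (assumed to list every host it reached).
# kiosk-07 and lab-03 never appear, and ghost-09 is missing from the inventory.
FINDINGS = [
    Finding("web-01", "VULN-0001", 9.8),
    Finding("db-01", "VULN-0002", 7.5),
    Finding("hr-01", "VULN-0003", 9.1),
    Finding("web-01", "VULN-0004", 4.3),
    Finding("ghost-09", "VULN-0005", 8.0),
]

def coverage(inventory, findings):
    """Percent of inventory scanned, hosts missed, and scanned hosts missing from inventory."""
    scanned = {f.host for f in findings}
    known = {a.host for a in inventory}
    unscanned = sorted(known - scanned)
    unknown = sorted(scanned - known)
    pct = 100.0 * (len(known) - len(unscanned)) / len(known)
    return round(pct, 1), unscanned, unknown

def enrich(findings, inventory):
    """Attach owner and criticality so a finding says who fixes it and how much it matters."""
    by_host = {a.host: a for a in inventory}
    rows = []
    for f in findings:
        a = by_host.get(f.host)
        rows.append({"host": f.host, "vuln_id": f.vuln_id, "severity": f.severity,
                     "owner": a.owner if a else None,
                     "criticality": a.criticality if a else 0,
                     "actionable": bool(a and a.owner)})  # enough context to act on?
    return rows

def prioritize(rows):
    """Actionable findings first, ordered by business impact (criticality x severity)."""
    return sorted(rows, key=lambda r: (not r["actionable"], -r["criticality"] * r["severity"]))
```

On the sample data the scanner reaches only 60% of the inventory, one finding belongs to a host the inventory has never heard of, and the ordering puts the critical web server's highest-severity finding first rather than the highest CVSS score in isolation.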