Is there too much choice in cybersecurity?

With Black Hat and DEF CON coming up and this year’s RSA Conference and Gartner’s Security & Risk Management Summit completed, I wanted to reflect on an odd dynamic we face in security, one made all the more poignant for CISOs who have walked the exhibit halls of these conferences. We have an abundance of choice in our profession. Security, however, is ultimately about prioritization.

 

  • Which assets warrant protection?
  • How should these assets be protected?
  • What is the best technology to protect these assets?

 

The image below highlights how crowded the security application and tool space has become. Estimates vary, but it’s safe to assume that there’s over 1,000 vendors in the security marketplace today with each vying for a finite security budget. Many security categories have more than 10 vendors battling for market share with their respective products. There’s not only competition within categories but increasingly among categories as one technology purports to address a security control traditionally handled by another. Selecting the most effective technologies when confronted with seemingly limitless choice is not easy.

 

"Some" of the Security Vendors at a Security Conference

 

When I was a research director with Gartner’s security and risk management practice, I had the opportunity to speak with a well over 1,000 fellow CISOs as well as CIOs and other risk-management leaders. While most of my discussions focused on my research coverage – incident response, security compliance, privacy, IT risk management, security program design & evaluation and the cybersecurity skills shortage – many discussions delved into the efficacy of specific security applications and tools. My response was consistently that our security architectures have become inordinately complicated Venn diagrams with significant overlap in feature and functionality among the applications used in our security programs.

 

The amount of choice we have comes at a significant price. All of us in the industry recognize that attracting and retaining technically-competent staff is challenging. Finding security engineers with have hands-on experience with so many different tools and applications is both costly and difficult. Further, there is the issue of defining which application or tool should function as the system of record for a given security control and how other tools and applications should integrate into the defined system of record through APIs and other integration mechanisms.

 

Beyond the operational complexity of managing so many different applications, there are financial and procurement concerns with so much choice. Too many options and approaches to address security controls generates widespread confusion during the procurement process, especially with non-technical buyers who fund projects. There is also buyer’s remorse when a specific security requirement could have been addressed with an existing application or tool had that feature been enabled or the capability configured and implemented correctly. This buyer’s remorse worsens when newly implemented security applications prove ineffectual and frankly don’t address security risk adequately. There is also the dynamic of “required” security applications – those appearing on an auditor’s checklist – versus newer technologies that solve problems in innovative ways that an untrained auditor may not understand.

 

Here’s the question that I’d like to posit to the CISO and broader security community. If you could only incorporate 5 security technologies into your environment, what would they be and why? Effectively, which 5 security technologies would produce the best return on security investment and reduce risk by the greatest amount?

 

I don’t want to unduly frame your response but I will offer some initial broad categories for consideration. Please note, this is not a question about vendor A is better than vendor B. I’d like to explore which technologies are viewed as the most effective and the rationale for their selection. This rationale may include considerations such as ease of implementation, security effectiveness, cost effectiveness, etc. As the image above notes, there are ample categories to consider including deception, network access control (NAC), firewalls, endpoint protection (EPP), endpoint detection and response (EDR), security incident and event management (SIEM), security orchestration automation and response (SOAR), intrusion detection/prevention systems (IDS/IPS), breach and attack simulation (BAS), threat and vulnerability management (TVM), identity and access management (IAM), secrets management, privilege account management (PAM), network traffic analysis (NTA), static application security testing (SAST), dynamic application security testing (DAST), security awareness training, secure email gateways, cloud access security brokers (CASB), secure web gateway, credentials management, web application firewalls (WAF), encryption, among others. Many of the technologies now have their “next generation” variants (e.g., next generation AV, next generation firewall). There are undoubtedly many other technologies. The categories above are to simply start the dialogue.

 

If you were building your security architecture from scratch, which 5 security technologies would be part of your reference architecture? Which risks are the most critical and how do these technologies reduce that risk accordingly? As I noted at the beginning of this article, security is about prioritization. Given the constraints on our budgets and staffing competencies (which we all experience), which security technologies should be prioritized first and why? Clearly, your industry and your business model will influence this analysis and should be part of how your look at this question.

 

I look forward to an open and collaborative dialogue.

 

——-

Matt Stamper is a CISO at EVOTEK, co-author of the CISO Desk Reference Guide (Volumes 1 & 2) and president of the San Diego ISACA chapter.