Cybersecurity is at a crossroads, and if CSOs/CISOs don’t step back and reflect on how we got here, we all risk choosing the wrong path. We’re in an environment where, just as fast as security teams can spin up defences to ward off adversaries, threat actors find a new way to dupe employees and get their hands on precious data, intellectual property, customer information or money.
It’s natural to think the answer to these threats would be to buy more technology, more tools and hire more people to manage them. In essence, more everything. Research shows this has been the strategy many organisations have taken; industry reports put the average number of security tools in an enterprise at a staggeringly high 75.
But has this approach led to fewer instances of business compromise, disruption, breaches or successful cyberattacks? Does having too many security tools – and not having the right personnel to manage them – have the opposite effect when it comes to keeping your company safe? The complexity of your security environment contributes to inefficiencies, ineffectiveness and, ultimately, risk. And your enterprise can’t afford more risk.
These evolving and expanding technological needs have, in turn, created a larger attack surface for adversaries to exploit. So, covering that attack surface with more technology might seem like a natural reaction. Yet industry leaders feel that action is having the opposite impact. The Cyber Resilience Think Tank (CRTT) – an independent group of industry influencers/CSOs dedicated to understanding cyber resilience challenges – recently gathered to discuss this and plot a path ahead.
Keeping up with the complexity of business has in turn led to complexity in the IT and security world. For some CISOs, having too many things to secure is the biggest issue they face day-to-day.
“In trying to explain what the biggest cyber threat is in an organisation, I’d say it’s the complexity of the internal environment and the lack of enterprise thinking, operation, strategy and architecture,” said Taylor Lehmann, CISO at athenahealth. “The industry is profiting off the inefficiency of my business, not because they have a great product.”
Security vendors who offer point solutions may have contributed to this complex environment. Walk the show floor of any major global cybersecurity conference and you’ll see that complexity first-hand.
“There’s that tussle, that fight for attention,” said Dr Sam Small, chief security officer at ZeroFOX. “I have to tell you that what I do is unique and special, that no one else can solve it, that it’s a solution you need to have. Unfortunately, if you buy into that hook, line, and sinker you’re creating that complexity.”
For security teams, the complexity can have damaging effects. Getting out of triage mode becomes impossible, and what they’re triaging is repetitive, low-value work that grows with every new alert. Backlogs develop and, with them, human error and oversights increase for overworked teams.
“Many organisations have turned to SIEM and SOAR solutions as a way to effectively turn up the signal, and turn down the noise, on their security data feeds - reducing the “donkey work”, time wasted on false positives, time to respond and ultimately keeping a happier and more effective security team,” said Mimecast principal technical consultant Garrett O’Hara.
Cloud is making things worse. “The complexity of platforms that can be spun up by siloed teams with no input from IT or security teams is a result of the pressure on those teams to produce results quickly,” said O’Hara. “You have marketing teams spinning up cloud services, HR teams engaging cloud employee management systems and finance using cloud accounting. The result is a hugely complex operating environment with a correspondingly complex set of security tools and controls that are often retrofitted, and often create friction because security was not a strategic consideration.”
“Controls are a drag coefficient on people, data, and business processes,” said Malcolm Harkins, chief security and trust officer at Cymatic. “When you have too much friction in your environment because of the controls, you’re actually creating a systemic business risk for your organisation.”
He added, “When trying to decide which controls in your security environment you should keep and which you shouldn’t, CSOs should ask: What risk do I have with these controls? What’s the total cost to own and operate them? What friction are these controls causing? Could taking out these tools improve my business velocity and efficiency?”
Does complexity drive the cybersecurity skills gap?
It’s reasonable to expect churn in your IT organisation when your talented people are constantly putting out fires instead of focusing on bigger-picture, transformative projects. And yet there are too many open positions and not enough qualified people to fill them. Industry estimates put the shortage of cybersecurity professionals at nearly three million globally, with the Asia-Pacific region alone accounting for more than two million.
There’s an unpalatable truth – the industry fuelled the labour shortage by selling solutions that didn’t work as intended and now needs to be held accountable.
“[The skills gap] is something we have largely created for ourselves,” said Sam Curry, CSO at Cybereason. “It’s the complexity issue that has manifested itself in human form. It’s hard to find someone who knows these 75 security solutions, sure. You need to find a unicorn, and you never do. But if you didn’t have that complexity, you may not need a unicorn after all and a lot more potential opens up.”
“Part of the skills gap is an artefact of poor product design,” Small said. “We tend to overcomplicate our interfaces, our processes and our workflows and then blame the user when they didn’t know about some esoteric feature or setting, or a critical alert that was buried on page four.”
It’s time to take action
To deal with complexity in your security environment, the CRTT members recommend decluttering, beginning with the following processes:
1. Know what you have, use it, connect it. Odds are, if you’re running 75 security solutions in your environment, some of them are redundant. In fact, many of those solutions probably had capabilities you didn’t even know about when you bought them.
“You may be surprised by what the tech you already have is capable of doing,” Small said. “Instead of standing up a whole new point solution, a little bit of data transformation and a little bit of architecture can go a long way.”
Choosing platforms with powerful, extensive API capabilities is critical. “I care about platforms,” said Peter Tran, VP and Head of Global Cyber Defence & Security Strategy at Worldpay. “So, from a vendor perspective, I weed out a lot. You can pitch all the nice little toys you want. But I just want to be able to ingest it, aggregate it and de-dupe it and give it to my analyst in an automated fashion.”
2. Don’t bite off more than you can chew. Consider a plan that takes a methodical approach and targets incremental improvement over a finite period. Instead of tossing everything out at once, Harman CISO Maurice Stebila suggested keeping the tools that reduce dwell time and putting fewer people behind them. Push the responsibility to each business unit in your organisation, Stebila said – they need to take accountability.
3. Consider your resources. When adding a new service to your security stack, ensure it’s right for your environment, your resources and the people you have on hand to manage it all. “As a rule of thumb, if you have implemented and are managing more than two tools per IT/security professional on your team, it may be time to reconsider your approach,” French said.
Set strict standards for what you’re going to introduce, and ensure complexity is part of that equation. Once you’re using a tool, Think Tank members advise that you look at the results of what it actually does as opposed to what it says it does.
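As an added illustration of steps 1 and 3 above (this is example code, not from the article or the CRTT), the following Python sketch runs a capability-overlap check over a constructed tool inventory, greedily flags tools whose every capability is already provided elsewhere, and applies the two-tools-per-professional rule of thumb. The tool names and capability labels are made up for the example.

```python
from collections import defaultdict

# Constructed sample inventory (tool -> capabilities it provides); not a real survey.
TOOL_CAPABILITIES = {
    "EDR-A":         {"endpoint_detection", "endpoint_isolation", "process_telemetry"},
    "AV-Legacy":     {"endpoint_detection"},
    "SIEM":          {"log_aggregation", "correlation", "alerting"},
    "Log-Forwarder": {"log_aggregation"},
    "Email-GW":      {"email_filtering", "url_rewriting", "attachment_sandbox"},
    "URL-Proxy":     {"url_rewriting", "web_filtering"},
}

def capability_overlap(tools):
    """Map each capability covered by more than one tool to the tools providing it."""
    cover = defaultdict(list)
    for tool, caps in tools.items():
        for cap in sorted(caps):
            cover[cap].append(tool)
    return {cap: names for cap, names in cover.items() if len(names) > 1}

def redundant_tools(tools):
    """Greedy rationalisation: repeatedly drop a tool whose every capability is still
    provided by the remaining tools, smallest tool first (ties broken by name).
    Returns the list of dropped tools; the input is not modified."""
    remaining = dict(tools)
    dropped = []
    while True:
        candidates = []
        for tool, caps in remaining.items():
            others = set().union(*(c for t, c in remaining.items() if t != tool))
            if caps <= others:          # nothing unique would be lost by removing it
                candidates.append(tool)
        if not candidates:
            return dropped
        victim = min(candidates, key=lambda t: (len(remaining[t]), t))
        dropped.append(victim)
        del remaining[victim]

def tools_per_person(tool_count, staff):
    """Rule of thumb quoted in the article: more than two tools per IT/security
    professional is a signal to reconsider. Returns (ratio, over_threshold)."""
    ratio = tool_count / staff
    return ratio, ratio > 2

if __name__ == "__main__":
    print("overlapping capabilities:", capability_overlap(TOOL_CAPABILITIES))
    print("removal candidates:", redundant_tools(TOOL_CAPABILITIES))
    print("tools per person:", tools_per_person(len(TOOL_CAPABILITIES), 2))
```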
Simplicity must be the name of the game for keeping your enterprise safe from adversaries. By not going this route, you open yourself up to an inordinate amount of risk, beyond even what attackers are doing on a day-to-day basis.
When thinking about solutions, consider those that will lead to less complexity, that require less bandwidth and fewer skills to manage, and that lower the total cost to your organisation.