[BreachExchange] The CISO's Drive to Consolidation

[Destry Winant]

https://www.darkreading.com/threat-intelligence/the-cisos-drive-to-consolidation-/a/d-id/1334910

Cutting back on the number of security tools you're using can save
money and leave you safer. Here's how to get started.

Industry reports vary, but experts estimate that the modern CISO uses
somewhere between 55 and 75 discrete security products. Vendors are
often guilty of overpromising and underdelivering — the reality rarely
lives up to the marketing. This puts CISOs in an ironic situation —
often, the tool they bought to make their lives easier ended up
causing more headaches.

This is an endemic issue, but what do you do when you have too many
tools that integrate poorly, require different expertise, and provide
too much data but not an overall view to the security risk level?
Consolidation sounds attractive. After all, what CISO wouldn't want to
reduce clutter, cut costs, and simplify procedures — but where to
start?

Begin with Data Quality
CISOs know there is no perfect solution for security. Clearly,
multiple security solutions are needed to cover the security controls.
However, CISOs should strive to maximize the value of each investment
and reduce the number of tools. To cut through the noise and data
coming from tools (specifically, those that identify vulnerabilities
and control failures), a great place to start is by increasing the
confidence that data coming out them is complete and accurate.

By taking measures to ensure that the data is accurate, CISOs can
drive remediation more efficiently and know what to fix first to get
the greatest ROI on their security investments. It also leads to
getting access to automated analytics and reducing the need to
manually work through multiple reporting processes for different
tools.

Approaching Consolidation
A key reason that CISOs have too many tools is that they have
continued to buy tools and rarely decommission any; this results in in
overlapping functionality but doesn't always close all gaps in
coverage.

We need to consolidate/reduce the number of security tools we use, and
we need to establish discipline around the process of adding new
security solutions. This is not as simple as going through each of the
tools and deciding if it adds value or if its function is or can be
provided by another tool. Instead, we need to determine which security
tools are needed by using two core fundamentals: Each security tool
should align with a significant risk in the security framework, and
each tool implemented should reduce risk to the company, be able to
measure the reduction in risk, and be capable of sustaining that risk
reduction.

Aligning with a Security Framework
By developing a security framework based on National Institute of
Standards and Technology or some other standard, and then selecting a
set of security controls around each category of security, a
comprehensive view of your security landscape can be developed. From
that view, we can take each significant area of security and begin to
develop systems and processes that achieve those controls.

Only after developing these processes do we begin to select tools that
help implement and control the processes. Each tool should fulfill a
specific need in the security controls framework. For example, let's
take the area of system vulnerability management. We shouldn't start
picking our tool to scan our systems until we understand all of the
controls that manage the process to patch our systems on a timely and
complete basis. We should only select the appropriate tool(s) once we
understand what it or they must achieve.

How to Approach Consolidation
The objective of having security systems is to lower the risk of an
event that negatively affects the company (e.g., financial,
reputational, or regulatory risk). We must keep this in mind when
designing processes and selecting security tools. As we implement
security processes and tools, we should ensure that the end solution
does the following:

- Covers the entire intended landscape across the company. For
example, if we scan only 70% of the environment for system
vulnerabilities, we may not adequately reduce risk to the company.
- Provides sufficient information to act. For example, if we select a
system vulnerability scanner and it provides great detail on the
vulnerability and inherent risk but does not provide context to the
importance to the company or context as to the owner of the system,
then the tool/system is not providing sufficient information to reduce
the risk sufficiently.
- Sustains the control, meaning it should automate the control and
monitoring processes. Otherwise, the risk will grow again after
expending efforts and monies to remediate.

To further refine the approach to security tools, we also need to
address risk. All systems and tools do not provide the same level of
risk reduction. By focusing on those security domains that carry the
highest risk, one can prioritize the selection and implementation of
security tools.

By taking this risk-based, end-to-end, and sustainable approach to
implementing security processes (and their related tools), we can
begin to permanently solve areas of security that historically have
remained despite all the tools and money we have thrown at them. Armed
with this newly available knowledge, we can permanently solve some
longstanding areas of security.

Ultimately, with enhanced data quality and automation plus the
consolidation of tools, CISOs can confidently enhance their company's
cyber-risk posture.