[BreachExchange] Why CISOs Should Own Application Rationalization

Destry Winant destry at riskbasedsecurity.com
Fri Jul 17 01:11:17 EDT 2020


https://securityboulevard.com/2020/07/why-cisos-should-own-application-rationalization/

Reducing overlap and mitigating potential security gaps are just two
reasons why application rationalization is a sound strategy

A major cybersecurity concern that many organizations and executives may
not be aware of, but that will become more prevalent in years to come, is
the set of gaps in their backend IT infrastructure caused by tool sprawl.
Tool sprawl occurs when IT teams rapidly adopt new technology, often
leading to overlaps or missed requirements. With the IT tool market’s
rapid expansion, the sheer volume of tools businesses adopt today is
creating more security complexity than can be managed.

More than $3.8 trillion was spent on technology applications in 2019
alone. With so many tools in use, it’s not always easy to identify
what is causing the security gaps. How can enterprises prevent
security incidents caused by tool sprawl?

Application rationalization utilizes modern IT tools rationalization
platforms to keep pace with the rapid adoption of tools and the
accelerated pace of change across the industry. These platforms
automate the tools portfolio auditing process and monitor the tech
stack continually to help identify overlap and gaps and make informed
change recommendations.

Chief information security officers (CISOs) are in a unique position
to own application rationalization because they have the most
significant existing knowledge, expertise and responsibilities focused
on security measures.

Here are a few reasons why CISOs should own application rationalization:

CISOs have a holistic understanding of the security concerns and IT environment

Understanding the organization’s needs from a software assets and
tools perspective is a blind spot for many organizations. This leads
to overinvestments in some areas and gaps of coverage for other
functional areas, which creates more risk for outages and cyber
incidents. Since CISOs direct their attention toward broader security
concerns, it can be easy to forget about software applications
threatening their security landscape.

Yet, in many organizations, CISOs are the principal executive
responsible for an organization’s information and data security. These
responsibilities typically include real-time analysis of immediate
network threats, educating employees on cyber risks, managing the
security architecture and conducting any investigations or forensics
in the instance of a security breach.

Based on this extensive knowledge and understanding of their
organization’s IT environment, CISOs have a unique opportunity to own
their asset management practice and consider a more significant focus
on software asset management through effective application
rationalization.

Standard operating processes need to come from the top down

While every employee and member of an organization should have some
insight into the tools portfolio, there is often miscommunication
among internal teams and departments regarding who is using which
tools. For example, one IT team may have five tools that accomplish
the same goal as a different team’s tools, causing overlap. This
unnecessary overlap and miscommunication can quickly create security
gaps, turning this into a much larger issue.

In reality, change and process optimization need to come from the
C-suite. Policies and general company culture are top-down initiatives
and to achieve full organizational buy-in and limit the resistance to
change, CISOs need to own the application rationalization process
within the tools portfolio. Start by implementing standard operating
processes and requirements both for reducing the number of tools and
for the ongoing adoption of new ones. For example, the CISO signs off on
each tool purchase only after the application rationalization process
has evaluated it and compared it against the capabilities of existing tools.

CISOs focus on functionality versus pure cost optimization

Tools within the portfolio can span thousands of different toolsets
adopted across each department, but they often fall within distinct
categories. Some tools focus on simple operations, while others
have greater functionality and are embedded more deeply in the system. With
multiple tools across multiple departments, it becomes even more
challenging to figure out where these tools overlap.

Unfortunately, many companies fail to practice continuous IT tools
rationalization with insight into every product’s features and
struggle to determine whether it meets their organization’s needs. If
the tool has a strategic functionality and works within the
infrastructure or on an operational level, however, CISOs should be in
control. While CIOs may make the final call based on cost, CISOs
owning the tools rationalization process can help prevent blind spots
and security risks created by the gray area of IT asset management.

Conclusion

The most effective solution organizations can utilize to eliminate
tool sprawl is IT tools rationalization. Through the use of modern
application rationalization platforms, businesses can conduct a
comprehensive evaluation of their entire tools portfolio and identify
redundant or unneeded tools that may be causing major security
concerns.

A company with a systematic approach for tracking IT tools drastically
reduces its chances of succumbing to potential security threats.
Beyond threat mitigation through sprawl reduction, tool
rationalization can fight security threats by drawing attention to
legacy systems that lack enhanced security features and need
attention. Regardless of the reason, nearly every business needs to
rationalize its tools portfolio, and CISOs should play a strategic
role in the process.
