While CISOs and other security leaders have never been blessed with unlimited budgets, many have recently felt the pinch as companies work to weather economic constraints. This has created a focus on maximizing the effectiveness of their existing technologies. But how to do it? J.R. Cunningham, Nuspire’s CSO, and Mike Mellor, VP of Cybersecurity Consulting, offer their guidance – read on to learn more.
When organizations can take the security technologies they have and use them to their fullest capabilities, they build stronger defenses against cyber threats, minimize the impact of security incidents and achieve stronger adherence to regulatory compliance requirements.
“What I find when I work with organizations is that it’s really around building stronger defenses,” said Mike. “They want to identify where they are from a security perspective, understand their posture and want a roadmap to be stronger for the future.”
When looking at people, processes and technology, Mike says having weak technology is a big part of the problem; however, process is No. 1. When companies don’t have documented processes, there’s nothing set up in a repeatable way that can be handed off to others.
J.R. added that fixing those processes often leads to tech stack optimization off the bat.
“When we talk about tech not working, sometimes the question is, ‘When is the last time you looked at it?’ You get a blank stare,” said J.R. “It’s often the processes that aren’t engineered to support technology effectively.”
Some of the common challenges to operating an optimized security tech stack include lack of skilled resources, integration, complexity and lack of management support.
“When I’m working with an organization, I’ll ask what tools are deployed and who’s responsible for each tool,” said Mike. “What I’ll often find is that companies will have tools deployed in a fashion that it’s clear they didn’t think about the need to support it – care and feeding isn’t in place. This leads to the perception that they lack skilled resources, when it’s really about the fact that they bought a tool and didn’t staff up or train appropriately.”
J.R. said lack of management support is a big issue.
“It’s not, ‘Hey my boss is a jerk,’ but more about the fact that the security tech value isn’t immediately visible,” said J.R. “The app development team can hold up a phone and show a cool new widget to leadership and be clear on the revenue they expect to drive. It’s much harder to ask for things like an identity governance program, because most people across the business don’t understand the value.”
Mike suggests focusing on how the security technology is going to make management’s life better. Present it in a way that would demonstrate how the IT staff is better utilized with more streamlined processes. Let leaders know that the effort put into deploying the technology is worth it, and show why (for example, reducing staff time to free them up for other, more strategic business needs).
An asset inventory is a critical step to understanding the full picture of your security tech stack.
“We get hung up on this because doing an asset inventory is hard,” said J.R. “It’s important to realize that it’s never going to be perfect here – you’ll always have a random device or database somewhere. The key is making sure you identify what you’re trying to protect.”
When you have that inventory, then it’s about seeing how well it supports the business strategy. J.R. recommends going to your company’s website and pulling the vision, mission and purpose. Put them on a whiteboard, then determine the security risks that impede the company’s ability to realize its vision, mission and purpose. After that, determine how the technology you have can mitigate those risks.
Note that you may have technology outliers that don’t directly tie to the company’s core focus – sometimes regulatory requirements mandate them. Anything else that doesn’t fit should be examined more closely and potentially cut if it isn’t critical to the function of the company.
“A lot of times, you’ll find those tools not providing any value,” said Mike. “They don’t tie to regulatory requirements, but rather, someone saw a nice shiny technology that they determined the company must have – you can remove that from the stack.”
J.R. added, “I like to think about ‘use case atrophy’ – has my original use case atrophied enough that the resources I’m putting in to solve the problem aren’t working anymore?”
With the number of security technology solutions available today, it’s important to determine when to pursue one security technology approach versus another. J.R. and Mike covered three types of solutions:
“When I’m working with a client to optimize their tech stack, I look at capabilities,” said Mike. “I examine what they have, how they’re staffing, how they’re managing, any legal requirements, what’s missing and their budget. Often companies don’t have the staffing to deploy a point solution, so it makes sense for the company to look at platform solutions. And more often than not, I’ll find they’re already standardizing on a platform without even knowing it.”
J.R. agreed, “One thing that’s starting to emerge, especially true in the move to cloud, is that organizations are using platform solutions to reduce noise. For example, let’s say you’re a Microsoft shop and have a bunch of data in an AWS cloud. You can use existing Microsoft platform licenses for data protection to turn noise or volume down and lower costs.”
MSSPs are helpful for organizations that not only want guidance on what tech to leverage, but also need resources to manage that technology.
“I was an MSSP customer before I worked for one,” said Mike. “I liked the fact that I could have a toolset managed by someone else, and that if they weren’t performing, I could easily cut ties and move on to something more aligned with my needs.”
There are three areas to focus on when it comes to maximizing the value of your tech stack: people, integration and support.
“Integration is No. 1, because when your tech is integrated, it offers something close to a single pane of glass, providing better reporting and making it easier to show value across the stack,” Mike said.
In terms of people, J.R. said it’s not just about training and awareness.
“It’s also important to increase awareness about your specific efforts,” he said. “Make sure the organization knows that as a security team, you have things you need to do so that when it comes time to solve problems, you’ve already laid the groundwork.”
“Make the CFO your best friend,” Mike added.
Finally, know when it’s time to get support. Most security teams don’t have the resources in-house to address all of their needs. Whether it’s specialized expertise, help with 24×7 monitoring and response, or compliance, getting the right support can help you better prioritize needs, avoid mistakes and realize valuable cost savings.