If your remit protects the information technology estate, you might be tired of the constant fire drills and reminders of upcoming disruptions. The barrage from cybersecurity vendors claiming “we have the solution” is almost equally exhausting.
Start here: there is no magic bullet cybersecurity solution. If there was, its inventor would be a gazillionaire and have a list of enemies miles long. However, well-stacked solutions can significantly reduce your risk posture. The key is to place dependability over dependence, reduce complexity and remember that less can be more when done right.
Strike the right security balance
To begin with, picking the right security solutions should be driven by two questions: what are the right solutions for you, and how do those solutions interact with each other?
The answer to the first question begins with risk management and business impact considerations. Depending on your business operations and configurations, you may need a strong defensive posture in one area while opting to accept risk elsewhere.
However, determining how separate solutions interact with each other can be more difficult. Where the first question drives your strategy, the second question drives operations. Therefore, as we examine some pros and cons of tech stack diversity, keep these themes in mind:
- Tech stack diversity does not guarantee security
- Diversity without integration is doomed to failure
- Dependence on fewer sources results in increased single points of failure
- Finding the right balance is crucial.
Be mindful of the following: too much, and you end up with a Gordian Knot that eventually requires a total tear-down to fix. Too little, and you get knocked over by a box of tissues.
The costs of an overly diverse tech stack
Defining the limits of your tech stack is critical to success. You cannot be everything to everyone, even if you have a near-bottomless pit of resources to draw from, and those who do are certainly in the minority.
Therefore, your first step is to set tech stack borders to meet your business needs from an operational and security perspective. Without them, you will end up with mountains of misconfigurations and security tools destined to conflict. Failure to plan begins the Gordian Knot: risks grow and changes become more difficult.
If you do not have the luxury of building an estate from scratch and need help setting borders, “replay” some incidents through your system to find gaps. The MITRE ATT&CK framework is a great way to help you perform that replay.
Remember, you have a lot happening – on-premises, cloud, networking, storage, servers, virtualization, monitoring, configuration, filtering and more – just to keep your system operational. There are three good reasons not to further complicate your system with duplicate security tools: it is wasteful, difficult to maintain and limits interoperability.
The costs of failing to integrate
Before we continue, let’s pause for a moment and think of a small sample of monitoring and control systems that belong in a security tech stack:
- Firewalls
- Web application firewalls
- Intrusion detection/protection systems
- Email protection
- DDoS protection
- Encryption and key management
- Certificate management
- Identity and access management
- Privileged access management
- Vulnerability and patch management
- Endpoint protection
- Gateways
- Active directory
- Load balancers.
You get the point. And, of course, this list is by no means exhaustive or complete.
There is a theme here: not only do you need all these monitoring and control systems to protect your system, but you also need them to work well together. Having two antivirus solutions does not double their strength. Apart from drawing on valuable resources, related solutions may be duking it out with each other. As a result, this makes understanding vendors, their tools, their capabilities and their requirements a management issue all on its own.
Equally important, do not think for a moment that managing security controls is somebody else’s problem if you sign up for third-party services. On the contrary, under the “shared responsibility” model, firing something off to the cloud still means you have work to do, like patching and privilege control. Or there may be additional services you need to “turn on,” which, unsurprisingly, come at an additional cost.
The costs of dependency
You may be thinking the one-stop-shop model is appealing: just find the solution that pulls everything together and reduces conflict, right?
Not so fast. Even as more vendors begin to offer end-to-end technology and security suites, vendor lock and disaster recovery illustrate why this is an issue.
For example, imagine all your offerings built around one solution, with all tools integrated. What happens if that service goes down? Did your operations screech to a halt? Can you pick up and go elsewhere, or are you at the mercy of your one-stop shop now? This is a perfect example of where a lack of technology and security diversity can haunt you. You have just been knocked over by a box of tissues.
Think of multi-cloud deployments and virtualization. Being service-agnostic is a smart strategy if you can pull it off.
The benefits of minimizing complexity
The sweet spot is in minimizing vendor lock while reducing the number of tools deployed. Some tools communicate well, even if they are not from the same vendor. Some resources even serve as bridges, giving you that “single pane of glass” view you really want to strive for. Partnerships help navigate you through the process, too, such as The Open Cybersecurity Alliance (OCA), which is guided by the principles of:
- Product operability
- Security tool integration
- Open security
- Trust and transparency
- Collaborative communities
- Open governance.
The driving force here is to “connect [the] fragmented cybersecurity landscape and enable disparate security products to freely exchange information, out of the box, using mutually agreed upon technologies, standards and procedures,” as the OCA states. This is a great way to further improve your cyber resilience.
Seek dependability, not dependence
Improved security can be achieved through reduced complexity in your system – imagine diverting all those maintenance hours to security efforts. That may mean fewer tools and vendors but better operability and integration. That is dependability.
You want to avoid becoming beholden to a limited amount of tools and vendors, leaving you stuck if they go down. That is dependence.
Above all, be smart about where you invest. Less can be more.
Senior Director, Educator and Author