November 17, 2022 By George Platsis 4 min read

If your remit protects the information technology estate, you might be tired of the constant fire drills and reminders of upcoming disruptions. The barrage from cybersecurity vendors claiming “we have the solution” is almost equally exhausting.

Start here: there is no magic bullet cybersecurity solution. If there were, its inventor would be a gazillionaire and have a list of enemies miles long. However, well-stacked solutions can significantly reduce your risk posture. The key is to place dependability over dependence, reduce complexity and remember that less can be more when done right.

Strike the right security balance

To begin with, picking the right security solutions should be driven by two questions: what are the right solutions for you, and how do those solutions interact with each other?

The answer to the first question begins with risk management and business impact considerations. Depending on your business operations and configurations, you may need a strong defensive posture in one area while opting to accept risk elsewhere.

However, determining how separate solutions interact with each other can be more difficult. Where the first question drives your strategy, the second question drives operations. Therefore, as we examine some pros and cons of tech stack diversity, keep these themes in mind:

  • Tech stack diversity does not guarantee security
  • Diversity without integration is doomed to failure
  • Dependence on fewer sources results in increased single points of failure
  • Finding the right balance is crucial.

Be mindful of the following: too much, and you end up with a Gordian Knot that eventually requires a total tear-down to fix. Too little, and you get knocked over by a box of tissues.

The costs of an overly diverse tech stack

Defining the limits of your tech stack is critical to success. You cannot be everything to everyone, even if you have a near-bottomless pit of resources to draw from, and those who do are certainly in the minority.

Therefore, your first step is to set tech stack borders to meet your business needs from an operational and security perspective. Without them, you will end up with mountains of misconfigurations and security tools destined to conflict. Failure to plan begins the Gordian Knot: risks grow and changes become more difficult.

If you do not have the luxury of building an estate from scratch and need help setting borders, “replay” some incidents through your system to find gaps. The MITRE ATT&CK framework is a great way to help you perform that replay.

Remember, you have a lot happening – on-premises, cloud, networking, storage, servers, virtualization, monitoring, configuration, filtering and more – just to keep your system operational. There are three good reasons not to further complicate your system with duplicate security tools: it is wasteful, difficult to maintain and limits interoperability.

The costs of failing to integrate

Before we continue, let’s pause for a moment and think of a small sample of monitoring and control systems that belong in a security tech stack:

  • Firewalls
  • Web application firewalls
  • Intrusion detection/protection systems
  • Email protection
  • DDoS protection
  • Encryption and key management
  • Certificate management
  • Identity and access management
  • Privileged access management
  • Vulnerability and patch management
  • Endpoint protection
  • Gateways
  • Active Directory
  • Load balancers.

You get the point. And, of course, this list is by no means exhaustive or complete.

There is a theme here: not only do you need all these monitoring and control systems to protect your system, but you also need them to work well together. Having two antivirus solutions does not double their strength. Apart from drawing on valuable resources, related solutions may be duking it out with each other. Understanding vendors, their tools, their capabilities and their requirements therefore becomes a management issue all on its own.
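One way to perform the incident “replay” suggested earlier, and at the same time surface the duplicate tools this section warns about, is a small coverage review over your tool inventory. The script below is an added example, not code from the article, from IBM or from MITRE. The tool names, control categories, tool-to-technique mappings and the replayed incident chain are constructed sample data; the technique IDs (T1566, T1204, T1059, T1078, T1021, T1486, T1055) are real MITRE ATT&CK identifiers, but which tool covers which technique is an assumption for illustration only.

```python
"""Tech-stack coverage review: duplicate tools per category and ATT&CK gaps.

Added example, not from the article. The inventory, required categories,
technique mappings and incident chain below are constructed sample data.
The ATT&CK technique IDs are real; the coverage claims are assumptions.
"""
from collections import defaultdict

# Constructed inventory: each deployed tool, its control category and the
# ATT&CK techniques it is assumed to detect or block.
INVENTORY = [
    {"tool": "EDR-A",       "category": "endpoint protection",      "techniques": {"T1059", "T1055"}},
    {"tool": "AV-B",        "category": "endpoint protection",      "techniques": {"T1059"}},
    {"tool": "MailGuard",   "category": "email protection",         "techniques": {"T1566"}},
    {"tool": "PerimeterFW", "category": "firewall",                 "techniques": {"T1021"}},
    {"tool": "IdP",         "category": "identity and access mgmt", "techniques": {"T1078"}},
]

# Categories the team has decided belong inside its tech stack border.
REQUIRED_CATEGORIES = {
    "endpoint protection", "email protection", "firewall",
    "identity and access mgmt", "privileged access mgmt",
    "vulnerability and patch mgmt",
}

# Constructed incident to replay: an ordered chain of ATT&CK technique IDs
# (phishing -> user execution -> scripting -> valid accounts -> remote
# services -> data encrypted for impact).
INCIDENT_CHAIN = ["T1566", "T1204", "T1059", "T1078", "T1021", "T1486"]


def find_duplicate_categories(inventory):
    """Return {category: [tools]} for categories served by more than one tool."""
    by_cat = defaultdict(list)
    for item in inventory:
        by_cat[item["category"]].append(item["tool"])
    return {cat: sorted(tools) for cat, tools in by_cat.items() if len(tools) > 1}


def find_missing_categories(inventory, required):
    """Return required categories that have no deployed tool at all."""
    present = {item["category"] for item in inventory}
    return sorted(required - present)


def replay_incident(inventory, chain):
    """Walk the incident chain and report coverage per technique.

    Returns (covered, uncovered): covered maps technique -> sorted tool list,
    uncovered is the ordered list of techniques no tool addresses.
    """
    coverage = defaultdict(list)
    for item in inventory:
        for tech in item["techniques"]:
            coverage[tech].append(item["tool"])
    covered = {t: sorted(coverage[t]) for t in chain if t in coverage}
    uncovered = [t for t in chain if t not in coverage]
    return covered, uncovered


def review(inventory=INVENTORY, required=REQUIRED_CATEGORIES, chain=INCIDENT_CHAIN):
    """Bundle the three checks so a single call produces the review."""
    return {
        "duplicates": find_duplicate_categories(inventory),
        "missing_categories": find_missing_categories(inventory, required),
        "replay": replay_incident(inventory, chain),
    }


if __name__ == "__main__":
    result = review()
    print("Duplicate tools per category:", result["duplicates"])
    print("Required categories with no tool:", result["missing_categories"])
    covered, uncovered = result["replay"]
    print("Incident replay:")
    for tech in INCIDENT_CHAIN:
        status = ", ".join(covered[tech]) if tech in covered else "NO COVERAGE"
        print(f"  {tech}: {status}")
```

With the constructed data the review flags two tools in the endpoint protection category (the "two antivirus solutions" case), two required categories with nothing deployed, and two steps of the replayed incident (T1204 and T1486) that no tool addresses. Swapping in your own inventory export turns this into a repeatable border-setting check rather than a one-off exercise.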

Equally important, do not think for a moment that managing security controls is somebody else’s problem if you sign up for third-party services. On the contrary, under the “shared responsibility” model, firing something off to the cloud still means you have work to do, like patching and privilege control. Or there may be additional services you need to “turn on,” which, unsurprisingly, come at an additional cost.

The costs of dependency

You may be thinking the one-stop-shop model is appealing: just find the solution that pulls everything together and reduces conflict, right?

Not so fast. Even as more vendors begin to offer end-to-end technology and security suites, vendor lock-in and disaster recovery illustrate why this is an issue.

For example, imagine all your offerings built around one solution, with all tools integrated. What happens if that service goes down? Do your operations screech to a halt? Can you pick up and go elsewhere, or are you at the mercy of your one-stop shop now? This is a perfect example of where a lack of technology and security diversity can haunt you. You have just been knocked over by a box of tissues.

Think of multi-cloud deployments and virtualization. Being service-agnostic is a smart strategy if you can pull it off.

The benefits of minimizing complexity

The sweet spot is in minimizing vendor lock-in while reducing the number of tools deployed. Some tools communicate well, even if they are not from the same vendor. Some resources even serve as bridges, giving you that “single pane of glass” view you really want to strive for. Partnerships such as the Open Cybersecurity Alliance (OCA) can help you navigate the process, too; the OCA is guided by the principles of:

  • Product operability
  • Security tool integration
  • Open security
  • Trust and transparency
  • Collaborative communities
  • Open governance.

The driving force here is to “connect [the] fragmented cybersecurity landscape and enable disparate security products to freely exchange information, out of the box, using mutually agreed upon technologies, standards and procedures,” as the OCA states. This is a great way to further improve your cyber resilience.

Seek dependability, not dependence

Improved security can be achieved through reduced complexity in your system – imagine diverting all those maintenance hours to security efforts. That may mean fewer tools and vendors but better operability and integration. That is dependability.

You want to avoid becoming beholden to a limited number of tools and vendors, leaving you stuck if they go down. That is dependence.

Above all, be smart about where you invest. Less can be more.
