As chief information security officers (CISOs) grapple with a broad range of duties — including cyber risk management, security investigations oversight, incident response, security road mapping, and providing regular updates to the C-suite and the board — the stakes are too high to go without the right tools for the job. That said, a larger arsenal of security tools isn’t always better.
Security leaders should review the set of tools they currently use and ask themselves whether each one truly supports and enables them to be as effective as they need to be. Companies often implement solutions from as many as 70 vendors, according to ZDNet. This raises concerns about the number of third parties accessing your enterprise network and data, as well as how effective all these solutions are as an aggregate.
Why CISOs Are Burdened With a Mountain of Security Tools
CISOs have a habit of implementing more and more security programs over time without decommissioning old ones, according to Intelligent CISO. This makes for a messy situation on the security bridge: We’re surrounded by security tools, and yet drowning in cyber risk. What can we do about it?
Picture the CISO getting to work and launching his or her dashboard. What does this dashboard look like today? Does it show a strategic-level view of the organization, how far along various security initiatives are and whether risks fall within agreed-upon ranges? What about potential causes and future consequences should issues remain unaddressed?
Unfortunately, the CISO today is left managing a bundle of security activities with the equivalent of an abacus instead of a graphing calculator. For decades, the security function has invested in narrow-purpose (if not single-purpose) tools, a trend we must now reverse by replacing sheer quantity of tools with efficacy — but how?
How to Evaluate Your Security Toolbox
Every tool will have its own scope of coverage, pros and cons, dashboard, configuration, and potential customizations for our enterprise. Examining each tool one at a time to decide whether it should stay or go and what should replace it sounds like a massive headache. A better approach is to think about the value that tools should bring to the CISO and the organization. As the Intelligent CISO article put it, each tool should align to your organization’s security framework, reduce risk, and be able to measure and sustain the level of reduction.
The good news is that the past few years have seen a flurry of security investments and mergers and acquisitions (M&A) activity, which has resulted in new tools and partnerships among leading security platforms. That means the new security tool you’re considering might have the ability to integrate with existing tools, thus reducing the number of dashboards to monitor and improving the overall picture of cyber risk. Better yet, some tools leverage artificial intelligence (AI) to make sense of all of the data they have ingested.
Do Your Tools Support Your Security Strategy?
Not all tools are about risk reduction. Some tools won’t impact the confidentiality, integrity or availability of sensitive data at all. We’re talking about tools for setting strategy, reporting the organization’s maturity in its various security processes, and enabling the CISO to track, aggregate and report the levels of cyber risk to which the organization is exposed, their potential impact on business objectives, and how the organization has decided to deal with those risks.
As CISOs find themselves spending more time on the business side of the house, they should review the tools they use to ensure that they’re able to squeeze out as much useful information as possible. That includes having the right ticketing programs (in partnership with the help desk), incident response applications (in partnership with IT), incident escalation channels (in partnership with HR, legal and many more) and risk management tools (in partnership with the legal and compliance functions).
But perhaps one of the most important tools is the one that allows the CISO to think strategically about where the organization is today and where it needs to be tomorrow. This might take the form of a custom-made spreadsheet, a project management tool or a process tracker. Most importantly, such a tool should allow the CISO to assess and reflect on how effectively the organization manages its cyber risks. If a CISO were to fail in his or her ability to look at cyber risks holistically and strategically, that in itself would be a risk to the organization — not to mention the CISO’s tenure there.
The right tools should help the CISO be a more effective security leader and position the cybersecurity function as a partner of the organization. Improving the management of cyber risks means improving the quality of the data we collect, our analysis of threats and their potential impact, and our ability to discuss options for dealing with residual risks while enabling the organization to compete in a global marketplace. Waiting for the one tool that can do it all isn’t an option, but neither is continuing on the path of trying to make sense of as many as 70 security tools.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato