Many CISOs seek to consolidate information security solutions to reduce their security clutter, cut costs, and simplify the management of information security overall. But there are many considerations CISOs must weigh to inform these decisions, such as redundancies, costs, integration, demands on internal IT departments, and more.
To gain some insight into the most important considerations that CISOs should be weighing when it comes to consolidating infosec solutions, we reached out to a panel of information security professionals and asked them to answer this question:
"What should CISOs consider when consolidating information security solutions?"
Meet Our Panel of InfoSec Pros:
Read on to learn what our pros had to say about the most important considerations when consolidating information security solutions.
Steve Williams
Steve Williams is the CISO for NTT DATA Services, Inc. with more than 25 years of IT experience across many industry verticals, focused primarily on large global enterprises and Fortune 500 companies.
"There are three key factors, beyond the obvious answer of cost..."
That I use when making consolidation and standardization decisions: vision, value, and velocity. Vision is a two way street, and I’m looking for partners who understand my strategy and how they can best assist, while frequently sharing where they are headed and openly inviting / responding to feedback. Value measures their ability to bring solutions to me at the right time, while also pointing out potential blind spots and integration opportunities with our existing solutions. Security is a team effort, and those that collaborate and “play well with others” will be on my short list every time. Last, but certainly not least, is velocity. This is not just a measurement of how quickly a solution can be implemented, but also the human change element around adoption. I look to partners that have ready-made training guides, email campaigns, desk drops, and other means of making a solution stick.
Cameron Williams
Cameron Williams is the founder and CTO of OverWatchID, the industry's first converged identity security platform, comprising Privilege Access Management, Cloud Access Security Brokering, Identity Access Management, and Multi-Factor Authentication in a multi-tenant SaaS solution.
"The top considerations for CISOs when consolidating information security solutions are..."
#1 - Come up with a plan and determine what you are trying to accomplish. Consolidation has many benefits, but you need to have a plan to ensure you are getting the protection and features that are necessary to have a robust security plan. It is also easier to get permission from the CFO to purchase vendor products when you have a well-thought-out plan that explains how consolidation will benefit the company. Be sure to let the CFO know that a consolidated solution will result in smaller deployment team and costs, lower total cost of ownership, as well as expense recovery.
#2 - Gap analysis: It isn’t true that you have to lose capabilities in order to have a consolidated solution. Your new vendor should be a newer tech with even more features for you to take advantage of. Consolidation is great, but you don’t want to lose feature, capabilities and/or coverage that your current solution offers. Give your current situation a hardy inspection to make sure you know the features you have in place and make sure the new consolidated approach matches that list. You shouldn’t be losing capabilities. You can use this gap analysis as an RFP for vendors to respond to or present it to your CFO. A good starting point to assess must-haves can come from analysts like SANS or Forrester. They provide suggestions on what each of your systems should accomplish. If you can create your own, even better, it allows you to audit yourself and understand each system from the inside out.
#3 - Look for frictionless tech. It should be easy to install, easy to set up and easy to manage. Can you get it deployed in days, not months or years? It is important to know what you're getting into in order to ease migration.
#4 - Automation. Look for a consolidated solution with built-in automation capability or a solution that works well with your SecOps team.
#5 - Make sure the platform works well with analytics - will it work well with your current analytics or will it create additional needs?
#6 - Migration plan - make sure you have a clear plan. You should use your current system in parallel with your consolidated solution and then slowly migrate features to the new one. If the network goes down for even 30 minutes it could cost millions. Make sure you have no disruption between deployments.
#7 - Continually assessing and testing the capabilities of your new solution to ensure it covers everything it should.
Alexi Pappas
Alexi Pappas is an Auditor with Carolinas IT. Formerly a Network Security and Compliance Manager for a SaaS startup business in the Triad, she has a bachelor's degree in Network Security Management and is pursuing her CISA and CISSP certifications.
"CISO's should work with their IT committees to..."
Understand current struggles and challenges faced by the organization, including managing multiple renewal costs and vendor relationships that have heavy costs associated with each solution.
The first step would be to analyze your current infrastructure and understand every application in your corporate IT environment to identify the solutions that support these functions. You should narrow down any legacy applications that would be too expensive or disruptive to consolidate and exclude these applications from the strategic plan of consolidation.
Next you will need to determine whether your integrated solution will be on premise with company-owned hardware or cloud-based with annual storage costs typically associated with services such as log ingestion from a SIEM.
A CISO should evaluate a Total Cost of Ownership (TCO) for maintaining multiple vendors and relationships – this will give you a good idea on budgeting costs over a span of [1-3 years]. Costs can be negotiated by your current partner or reseller you work with and also by renewing in three-year blocks instead of annually, where you can cut costs by paying for more years upfront.
A Return on Investment (ROI) is suggested in conjunction with a TCO, in that an ROI can quantify the benefits an organization will realize from the consolidation of vendors and centralized IT solution management. Single Sign On (SSO) can improve security by end-users because they are less likely to write down their passwords by having only to manage one password instead. You can also make your SSO solution multi-factor for additional security.
In short, 83% of organizations believe that consolidating as many systems as possible to a single vendor would be desirable. There are numerous and competitive options out there today to begin the conversation with a reputable reseller who can steer you in a direction to initiate a seamless vendor selection for a consolidated solution.
Paul Love
Paul Love is the Chief Information Security Officer for CO-OP Financial Services, a provider of payments and financial technology to credit unions. Paul has more than 25 years of experience in risk management, financial services and technology and was previously the Senior Director of Governance, Risk and Compliance at Freddie Mac.
"The consolidation of Information Security solutions is..."
A noble and desired goal. There are two main issues that need to be addressed in doing so successfully.
First, ensure you don’t limit your objectives because of tool constraints. This means that if the tools you are using aren’t meeting your needs, consolidating those tools only makes the problem more pronounced. For example, if tool A meets most of your needs and, in order to integrate with tools B and C, you have to remove some of that functionality or capability, make sure you understand the trade-offs and what it takes to reduce the impact to the team and the mission.
Second, it is very important to properly plan and understand the consequences of integrating tools from a disruption and cost standpoint. If you are choosing multivendor solutions, understanding the complications of the integration is key. If it is complicated to get the needed functionality initially, imagine what will be the case when the vendor releases a patch or major upgrade. You may have a critical dependency on a capability that forces you to stay with an old and eventually unsupported vendor solution because you introduced too much complexity at the beginning.
Jason Sinchak
Jason Sinchak is the Founder/CEO of Emerging Defense and Founder/CTO of Sentegrity. Jason started his career in the early phases of cybersecurity at a big 4 firm. Upon noticing the demand and market, he left to become CEO and founder of two security firms. Jason specializes in building cybersecurity programs using his technical expertise in penetration testing, breach investigation, and mobile device security.
"As a cybersecurity consultant and startup founder..."
I help CISOs build new or transition their information security programs. It can be difficult at times to see past vendor products and point solutions that offer quick wins. Many CISOs fall victim to purchasing solutions in response to the absence of skilled professionals and hope that it will fill the gap. These quick wins often fail once a solution is procured and installed due to a lack of overarching strategy as to how the solution will work together with other solutions to achieve a particular cybersecurity goal. The solution becomes a silo with poor operationalization and very loose fit with other information security processes necessary to extract value from the tool.
The best way to consolidate tools/solutions is to develop strategies for each capability that the organization would like to possess. A capability can range from incident response, monitoring, threat intelligence, etc. Once the strategy is in place for each capability, every solution a CISO possesses should be mapped to specific areas of that strategy. If a solution does not fit within a strategy or map to it in a way that adds value, it should be discarded.
In the absence of a strategy, solutions can be mapped to industry or compliance frameworks such as NIST, SOC, HIPAA, COBIT, etc. From a technical security perspective, solutions can be mapped back to adversary behaviors that cause a data breach. Good overage here can ensure that the organization has capabilities in the areas most commonly exploited by adversaries.
This process ensures that gaps are identified. For example, if a particular monitoring strategy desires to identify malware or malicious web traffic, the absence of an available solution to afford that capability will be obvious. Gaps in security solutions and ultimately the controls they provide are what leads to a data breach.
James Doggett
James Doggett is the CISO and SVP North America of Panaseer. James previously served as the Chief Technology Risk Officer for AIG, the Chief Security Officer and Chief Technology Risk Officer for Kaiser Permanente, and was Managing Director of JP Morgan Chase, the division responsible for Security Services IT Risk.
"Consolidation is best approached by..."
Developing a security framework aligned with the required controls, so CISOs can then look at what products and processes achieve these control objectives. I found this to be a better approach than just continuously adding tool after tool. By relating each product to the controls they help achieve, CISOs can start to eliminate duplicate tools and help ensure they are covering the most important controls first.
Rich Reybok
Rich Reybok serves as the head of R&D for ServiceNow's Security Operations and Governance, Risk, and Compliance offerings. Rich has held a number of CISO positions in addition to his software engineering background. This background provides ServiceNow a unique blend of software engineering and practitioner experience into its product offerings.
"The important thing to ask yourself when consolidating is..."
Why do I have each solution in the first place? What often happens over time is security teams become dependent on one feature that a certain product does really well. Maybe it streamlines a manual process or maybe it has a certain piece of data that none of the other tools have. Sure, 80% of it might be duplicative to the security data set as a whole, but it becomes indispensable, so you get tool sprawl. When thinking about consolidation, too often we find ourselves between a rock and a hard place. Teams are forced to decide what to give up in terms of detection or protection to consolidate and reduce costs. Often times, the costs aren't associated with budget, but rather the opportunity costs associated with having to tune, maintain, and train staff on so many solutions. Alternatively, security teams can consolidate under an umbrella of automation and a Single Pane of Glass view for the tooling. They can reduce the opportunity costs and train staff on one solution. It also provides a much easier experience to swap out or replace aging technologies with newer, more advanced capabilities under the covers of automation.
Rick Costanzo
Rick Costanzo is CEO of Rank Software, which improves cybersecurity by using AI and machine learning to accurately find anomalies and by incorporating context to separate the bad actors from false positives in real time.
"Right now, the market is convinced that AI, machine learning, and behavioral analytics will help improve information security..."
Unfortunately, an unintended consequence of these emerging technologies could potentially be making the lives of CISOs and their teams much more challenging.
Today, anything that AI identifies as an anomaly is considered a potential threat. The problem with this approach is that many of these threats are false positives. According to one recent survey, 37 percent of large enterprises receive more than 10,000 alerts each month. Fifty-two percent of those alerts are false positives, and 64 percent are redundant alerts. Using current systems, companies are then left to manually review thousands of AI generated false positives every month. Current systems lack the contextual data to give security analysts the tools to thoughtfully assess threats.
The rising number of threats, the unmanageable number of false positives, and the lack of context are several of the factors creating a shortage of 2 million cyber security professionals worldwide. In addition to the massive shortage, the Information Systems Audit and Control Association found that less than one in four candidates who apply for cyber security jobs are qualified. As with data science, you can’t fake being a security analyst.
CISOs must get ahead of these problems by consolidating platforms, while assuring the platforms include the right tools to provide proper context to AI results.
Consider this example. An employee accesses an internal network server and data sources that he’s never accessed before; these activities are flagged as potentially malicious. The same employee is also viewing web content that no one in the organization has ever previously accessed. Malicious activity? Maybe. Without the proper context, we can’t be sure. The employee could have been re-assigned to a new team and is working on a completely new project that required massive amounts of external research. Regardless, IT has to manually process these false positives and is ill equipped to paint a clear picture of the situation. This eats up precious time and resources.
Tony DiMichele
Tony DiMichele is Founder & CEO of DiMichele Cyber Strategies, a specialized cyber security consulting and managed services firm. Based in Pottstown, Pennsylvania, DiMichele Cyber Strategies provides services ranging from strategic security program development to technical implementation and execution to clients in the financial sector.
"Solution consolidation should be somewhere on every CISO’s agenda..."
If it isn’t today, it will be tomorrow. Consolidation requires careful consideration of several factors, including organization risk profile, team skillset, functional capabilities, enterprise compatibility, data integration features, and, of course, total cost of ownership. CISOs should recognize that while solution consolidation provides several benefits, it may come with a cost to program agility. Recognizing and planning for this from the onset allows the organization to pivot with evolving threat surfaces while maintaining strategic consolidation goals.
Gregory Morawietz
Gregory is a IT Security Specialist at Single Point of Contact with over twenty years' of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting, and integrating technology for the enterprise network.
"There are many common problems that security solutions create when you buy them or implement them..."
1. Alert overload. It is great that you have 20 applications reporting every issue that occurs on your network, but that will require a huge amount of oversight and analysis. You will need to move between applications.
2. Remediation. Even after you have collected all of these alerts and you are getting the meaningful ones reported to you. You will need to have the trained security staff to remediate all those and future issues.
3. You will need to understand how future issues will affect the enterprise, which means that you will need to adapt and train your staff to be able to understand future or upcoming issues as well as ones that already exist.
What you need to do is have a single pane of glass system where you can see your existing issues consolidated into one location. You need a system that has predictive or Artificial Intelligence that can predict active or new issues.
W. Fred Cobb
W. Fred Cobb is the Vice President of Services at Sword & Shield Enterprise Security.
"When consolidating security solutions..."
CISOs should be cognizant of introducing holes in their current layered cyber defense strategy. If a CISO consolidates their current arsenal of 30 security tools into two to three proverbial Swiss Army knife products, are the Swiss Army knife solutions as good as the individual tools they are replacing that have been designed to address very specific needs? Swiss Army knives are cool. MacGyver defeats at least twenty terrorists every week with his. However, they can be cumbersome when trying to get the scissors to work. The same can be true of all-inclusive security tools.
Adrian Clarke
Adrian Clarke is the CEO of Evident Proof – the blockchain, Ethereum, and token-based service that turns data into immutable proof of evidence chains.
"The most important thing to consider is..."
Whether the consolidation of information security solutions is the right choice for the company’s threat model and forward-compatible. IT isn’t something to be rushed into, but rather carefully planned. Many CISOs feel pressured into consolidation due to budgetary constraints. I’ve witnessed many examples where companies have shifted to a new model which lacks the robustness of the original.
It’s therefore crucial to proceed slowly. CISOs should consolidate over an acceptable timespan, and not overnight. Find out which aspects of the new approach work, and which don’t. Changes made due to budgetary pressures must bear in mind that initially you should run both systems in parallel which means that it can actually cost more in the short term to change. Sometimes this type of thinking goes out the window when consolidating.
Druce MacFarlane
Druce MacFarlane is the Vice President of Product for Bricata.
"A critical consideration is integration and the capacity to freely share data..."
Too many enterprises have lots of tools that don't play well with each other. An analyst survey found, for example, most financial services companies have 25 or more security tools and none of them share data. In consolidating security tools, CISOs should seek vendors that treat security data as the customer's proprietary information and have the API capacity to share data as the customer deems fitting.
Paul Makowski
Paul Makowski is the CTO, Developer, and Co-Founder of PolySwarm, the first-ever decentralized threat intelligence marketplace. Paul has spent the last 10 years in modern software exploitation, program analysis, vulnerability research, reverse engineering, cryptography, and low-level development.
"As with most things, keep it simple (stupid)..."
Complexity breeds mistakes, attack surface, and regret. Ask: How many things can I eliminate from my current setup if I adopt this new product? If the answer is one or less, the business case better be pretty darn compelling.
Favor defenses that reduce or eliminate potential for misuse. Links are meant to be clicked. Don't worry about your users clicking links, worry about using systems that are vulnerable to link-clicking. Phishing is a human problem, but effective phishing is a technological problem – choose solutions that are fail safe and eliminate complexity in both technological and human processes.
Matt Hibbard
Matt Hibbard is a public and private company CFO with a background in building and scaling innovative and high growth technology companies. With experience leading two successful IPOs, raising VC financings, and structuring various debt instruments. His expertise spans B2B and B2C SAAS companies in cybersecurity, marketplace, and fintech industries.
"Cybersecurity is going through a consolidation period with a continued increase in acquisitions..."
This better allows CISO roles and other key decision makers to go to fewer vendors with more comprehensive solutions rather than having to go to individual vendors for each use case. This is a positive trend for the market; however, this increases the need to better understand the type of redundancies the vendor has in place, and whether additional measures need to be implemented to reduce single point of failure risks.
Rodrigo Montagner
Rodrigo Montagner is an Italian-Brazilian IT Executive with 20 years of experience managing multiple IT Departments internationally. He is deeply experienced in cybersecurity, manufacturing, and global technology structures. He is currently the CEO and Founder of OM2 Tech Consulting.
"During the last 10 years..."
Cyber weapons and cyber crimes have risen at a skyrocketing speed and height. Many different and creative digital crime approaches were and are still being performed. CISOs have to deal with multiple struggles to have proper tools, and ensure that cybersecurity teams are prepared enough to utilize them in the best possible way. As a result, cyber fatigue, cyber burnout, and the tiresome process of connecting tools that aren't designed to be connected are a daily challenge.
Tools with a more integrated security technology approach should be chosen, rather than security point tools, in order to decrease cybersecurity employee training that causes time-consuming burnout. Aim for seamless and easier adaptability and integration between tech security disciplines and the overall structure of cybersecurity at an enterprise level.
Peter Ayedun
Mr. Peter Ayedun is the CEO and co-founder of TruGrid, a company the specializes in simple a secure Workspaces for businesses. He has over 20 years of expertise in Microsoft, Cisco, and Citrix technologies.
"There are many areas CISOS need to consider when consolidating infosec solutions..."
Here are the initial questions I recommend asking:
- How will we support this going forward?
- Do we have the right staff to support this or do we need to hire more staff or train existing staff?
- How will we be impacted by licensing we already have?
- Can we migrate out of this new platform if there are issues with it or will we be tied into it via licensing or integration issues?
- Where is the business based that is providing the software?
- What laws are they governed by?
- What level of maturity is the business providing the solution?
- What SLAs are in place related to the solution and what happens if those SLAs are violated?
Finn Jensen
Finn Jensen is the CEO of FastPassCorp. For more than 10 years, he has been the leader of FastPassCorp, where more than one million users have benefitted from their concepts and solutions for Enterprise Password Management. FastPassCorp is now listed on Nasdaq/Copenhagen stock exchange.
"When consolidating security solutions, remember the human aspect..."
When CISOs consider the consolidation of IT security solutions, the focus will automatically become very technical. Threats seem to come from anywhere, technical protection is needed, and this protection must be consolidated.
The human factor in security is often under-valued but might be the easiest place for an attacker to open the protective shields around the IT infrastructure. If an attacker (external or internal) can get a password to a sensitive account, all our consolidated technical protections don't help very much. A weak link is the password reset process in the service desk. If you can get a new password to a legitimate user's account from the service desk, then the door to the systems is open.
According to a Service Desk Institute research, 35% of service desk managers admitted that they don't have a management-decided authentication process for users calling in to get a new password when they have forgotten it. Of the remaining 65%, the majority have weak tests to help authenticate the users. For a person who is dedicated to making a data breach, he will prepare to answer the questions correctly. Even if the service desk has a good and secure process, we don't know how the service desk assistant reacts if he is charmed, threatened, or very busy, as we have no logging of the actual authentication process.
An IT workflow for the service desk authentication process can remove this weak link. Just taking away the privileged passwords from the service desk assistants is a big step forward to protect the infrastructure. Combining the IT workflow with end-user self-service even means productivity gains for the service desk, although the authentication process for the few calling in will take longer time.
Consolidation of IT infrastructure should include the human aspect as well as the technical tools to cover the reality that security can never be stronger than the weakest link!
