Too many cooks spoil the broth. A similar thought applies to the information security space, where the plethora of security vendors is sowing even more confusion among CISOs and IT professionals who are already overwhelmed by mounting threats, shrinking budgets and onerous compliance requirements.
Consequences of the Silver Bullet Theory
Over a year ago, the market was already teeming with about 1,600 security vendors. That number is only rising. Rapidly. At first glance, that would seem like a fitting trend to counter the legion of cyber threats spawning everywhere. More bad guys? Ok. Let’s bring in more good guys. Alas, that approach has proven not to work.
What’s happening now is that many of these so-called ‘good guys’ are trumpeting their products as silver bullets. But in reality, there’s not a single product that can address a wide range of threats, let alone all threats. In fact, many of these information security products are just point solutions, i.e., they only excel at countering one set of threats. Why is this? In my opinion, vendors are more focused on having an easy sale and a quick go-to-market, rather than tackling the difficult problem of tying together all the existing point solutions.
Thus, CISOs who are looking for a security solution for a particular problem have to peel off layers of market speak to unravel what each product actually does. They then must factor in their organization’s actual risks, budget, compliance obligations, and so on, to determine the best fit. Not so easy if you have several solutions to choose from, and several problems to solve.
It gets worse when these silver bullet “solutions” meet business executives who are easily attracted to shiny new objects. When this happens, their organizations end up acquiring more security products than they need and can properly operate. The arrival of these point solutions, combined with a constantly evolving threat landscape, puts additional stress on already overloaded IT departments fraught with cybersecurity staffing issues. At the end of the day, the CISO responsible for maintaining these “shiny new objects” is then challenged to control the budget on top of managing the politics that come with these purchases.
As a consequence, CISOs are forced to limit themselves to short-term instead of forward-looking, multi-year security strategies. Rarely do you see CISOs whose strategy exceeds a 1-year plan, as they’re often too engrossed in addressing the most pressing risks of today. These two major gaps, i.e. the lack of cybersecurity skills and the absence of long-term plans, are leaving organizations inadequately prepared to fight emerging threats.
A Better Approach
While no single security product can ever be a silver bullet solution, that doesn’t mean such a solution does not exist. If you can somehow consolidate your existing best-of-breed information security tools and make them work cohesively in strengthening your organization’s security posture, that’s your silver bullet solution right there. Unfortunately, because of the skills gap we mentioned earlier, it’s highly unlikely that you can build such an indestructible ecosystem within your IT department alone.
Your best bet would be to partner with your vendors and a reputable SECaaS (security-as-a-service) provider who can develop that solution for you. What you’re looking for is someone who can:
- Help solve your organization’s immediate tactical problems;
- Act as a consultant; and
- Help build your long-term information security strategy.
Ideally, that solution would be dynamic, nimble, and DevOps-integrated. That means it would already be suitable for imminent, large-scale changes such as cloud migrations, and would also be able to adapt easily to any new, unforeseeable changes within the technology industry.
Since 82% of businesses still run on traditional (on-premise), colocation or other non-cloud assets, the solution should be able to secure those traditional IT infrastructures, while also inherently securing any assets that will be moved to the cloud, considering that cloud adoption rates are approximately 2-4%.
The biggest challenge lies in finding the right SECaaS provider as a true business partner. Some traditional MSSPs have ulterior motives, so you need to establish a very transparent relationship to avoid situations wherein you’re forced to acquire products (peddled by the provider) that aren’t actually needed.
One more major gap in information security strategy is the inability to leverage security for business enablement. Too often, security is treated as a loss center. What many organizations fail to realize is that if you have a well-thought-out security architecture, it’s possible to turn that loss center into a profit center.
For instance, if you have a highly secure infrastructure and can demonstrate that, it’s going to be much easier for you to transact with companies that have exceptionally high data security requirements. Businesses that are answerable to data protection laws and regulations will always choose you over competitors if those competitors fail to exhibit the ability to provide adequate protection to sensitive data.
Since your core business likely has nothing to do with information security, you need dedicated security professionals to help bridge these gaps for you. It’s only when you’re finally able to do this that you can start building information security strategies that deliver substantial value to your business and allow you to truly focus on meeting goals and creating revenue – without the debilitating worry of a data breach.