The accumulation of security tools, products and solutions over the past two decades has created a complex toolkit landscape, with which many organisations are struggling. We take a look back at the evolution of that situation and the problems it creates with Corix Partners founder and global cybersecurity influencer JC Gaillard.
Where are the main issues and the roadblocks? What are the main operational implications? And how do you break out of that type of situation?
For the past two decades, most large organizations have kept addressing cyber security as a purely technical problem.
And let’s face it: many are failing to protect themselves, not just because the threats morph constantly and faster than they can adapt, but primarily because of endemic execution problems around the deployment of technical solutions, and because of the disconnect between business cycles (primarily short-termist) and the longer timeframes required to build cyber security maturity in large firms.
In short, cyber security strategies are invariably architected around technical projects and technical tools; but deployment rarely goes beyond alleged quick wins, because business priorities shift constantly and rarely look beyond the short term, whereas delivering real and lasting change around cyber security in many firms requires a mid- to long-term horizon.
CISOs leave after a few years out of frustration over slow progress (and for more money), and the technical debt keeps piling up… all tendencies which have been greatly aggravated by the COVID pandemic…
After two decades of playing that game, some cyber security practices are now operating around up to 20 or 30 different tools in large organizations.
Nothing is ever joined up, because the estate is simply the result of decades of organic short-termism, “strategic” plans which were never strategic or never rolled out, knee-jerk reactions in response to incidents or audit observations, and panic buying ahead of regulatory inspections.
It results in security operational processes which are complex, poorly integrated, excessively manual, repetitive and boring for the analysts in charge of delivering them, and tremendously expensive to scale up.
To scale up, that is, if you can find the skills…
Because most industry sectors have woken up to the criticality of cyber security following the avalanche of cyber-attacks we have been seeing over the past decade and are now competing for a resource pool which has not grown sufficiently over the period.
But people asking themselves why the talent pool has not grown sufficiently need to look beyond educational and training issues: it is not only the talent acquisition rate which is too low across the cyber security industry, it is also the retention rate, and that is essentially linked to those dysfunctional operational processes and the “boring” entry-level jobs of many analysts, who undoubtedly did not get into cyber security to end up cutting and pasting data into Excel sheets, or to produce useless reports designed simply to put ticks in compliance boxes. At the first available opportunity, they leave to do something more exciting, and they do not come back…
At the heart of this, conveniently fuelled by the tech industry, lie the excessive focus on tech products to solve cyber security challenges, the reverse engineering of processes around the capabilities of tools, and the colossal accumulation of technical debt in that space over the past two decades, itself the result of execution failures and a lack of priority focus by business leaders.
Senior executives who want to break out of that spiral need to stop buying more tech for the sake of it and start focusing on the decluttering of their cyber security landscape.
“For every one new solution, remove two legacy solutions” was suggested by Greg Day (at the time, VP & CSO, EMEA, Palo Alto Networks) and it sounds like a good start.
But to achieve that, cyber security leaders will have to look back at the structure of their operational processes and streamline those.
They will also have to look differently at automation and focus it on improving analysts’ efficiency, freeing them to dedicate more time to the challenging tasks for which they have been trained and hired.
Ultimately, cyber security leaders will have to go back where all this should have started: “People, Process then Technology”.
Technology not for technology’s sake, but in support of security Processes, which are designed to protect the firm and its People from the cyber threats they face.
It is more difficult to execute, and to sell internally, than buying the next shiny tool to put a tick in some compliance box; but stopping the creation of technical debt, and bringing the existing debt under control, has become vital to the future of the cyber security industry.
There are real issues in the security operations space but buying more tools won’t help.
Security operational processes are intrinsically inefficient because they have been, almost always, reverse-engineered around the capabilities of specific tools: tools selected on a whim, under pressure, just to close down audit observations, or because the CISO “used them elsewhere”…
Nothing is ever joined up, because there was never any overarching vision beyond the immediate need (to close an audit point, to react to an incident). So operational tasks mushroom in all directions and become overlapping, repetitive and poorly managed.
Meanwhile, analysts are burning out at the receiving end of those excessively manual processes, and end up leaving the cyber security industry to get out of boring jobs where they spend their day cutting and pasting data into Excel spreadsheets to produce useless reports designed to put ticks in compliance boxes… The whole thing becomes attritional and simply alienates talent at all levels.
Once again, at the heart of the problem lies the constant confusion between tool and process, conveniently put there by the tech industry.
Just to take a few examples, the acronyms DLP (Data Loss Prevention) and IAM (Identity and Access Management) do not, by themselves, refer to tools or sets of tools; they literally describe processes.
Any DLP implementation project, for example, must start with the identification of the key stakeholders, the sensitive data to protect, the way it is currently exchanged, the way it is currently tagged or labelled (or not), the objectives and constraints of the stakeholders around the protection of the data, and the internal or external threat actors likely to steal or leak the data. Only then can DLP be engineered, as a process, to work across the firm; that process design should include elements such as the handling of anomalies and alerts, and the granting of temporary or permanent exceptions, themselves probably subject to some form of approval workflow (or to the interfacing of the DLP process with pre-existing processes in that space).
It’s only once you have gone through that phase of analysis and process design that you should start looking for tools to enable your DLP initiative to succeed.
Starting the other way round, i.e. starting with tool selection and defining the process around the capabilities of the selected tool, is bound to create friction with pre-existing practices and with the expectations or capabilities of stakeholders, leading to poor deployment, poor acceptance or both.
As CISOs, I am sure we have all done it under pressure at some stage of our careers (I know I have), but it remains a mistake, and probably one of the most costly a CISO can make.
Because it creates distrust with stakeholders, and over time with senior management, who cannot help seeing escalating financial demands from CISOs in return for poor execution and continuing breaches.
The solution to the broader security operations problem lies in the decluttering of the cyber security estates, through the re-engineering and the smart automation of operational processes.
As I have said before, I like the suggestion from Greg Day: “For every one new solution, remove two legacy solutions”
But once again, to achieve this, you have to start from the process end of your practice: the one new solution you add has to be added from a perspective of process realignment and simplification, and the two you remove have to be removed from the same perspective.
Not forgetting that processes are enacted by people, who are creatures of habit and have to be trained and led along the path of change, not just expected to go with the flow.
In all cases, process has to come first, then people, then technology.
The cyber security industry, listening to the sirens of tech vendors, has been doing it the other way round for the best part of the last 20 years.
Now the accumulated burden has become too much to carry in the face of unrelenting threats.
Things need to change, but buying more tools will not help unless those tools truly have estate decluttering and smart process automation at their heart.
Keywords: Cybersecurity, Leadership, Management