The focus needs to shift from point-solutions towards a structured approach to security automation and the decluttering of the toolkit landscape.
Most large organisations are suffering from a security solutions proliferation problem which makes their operations more complex than they can currently manage, and which requires levels of resources to scale up that are simply not available in the current skills market.
This is the result of decades of organic development of cyber security practices, without any significant architectural effort over the mid to long-term, compounded by panic buying in response to incidents and knee-jerk reactions to put ticks in boxes after audit or regulatory observations.
This purely reactive approach to cyber security has had a perverse effect on the marketplace, because, in fact, it is often coupled with poor procurement and selection practices.
CISOs, under pressure on a number of fronts, often follow the path of least resistance: they go back to tools and vendors they know, or solutions they have used elsewhere.
Procurement practices, also under pressure in large firms, tend to focus on large contract values and major suppliers, allowing security vendors to stay off their radar.
Because many of those tools are purchased in urgency, from known vendors, without procurement scrutiny, there is often little pressure on prices.
Vendors can appear to be successful – to their investors – with relatively limited features because their tools are simply purchased as point-solutions and are rarely evaluated thoroughly against their competitors.
This is the engine that has led to the proliferation of tools and solutions we can see today, and has allowed countless cyber vendors to parade every year at all the tech shows.
In addition, many of those tools are rarely deployed or used extensively, either because priorities shift, budget runs out, the CISO leaves, or the project stops after addressing the low-hanging fruit.
So not only can vendors appear to be successful with relatively limited features, but they can also appear to be successful if those features don’t work very well, because they are rarely tested at scale.
This is why CISOs often need more tools to fix what the existing tools cannot do, compounding the “solutions” proliferation problem large firms are facing, and leading to the over-engineering of security operational processes, excessively manual investigation and response procedures, and SOC analyst burnout.
Meanwhile, breaches keep happening and business leaders wonder whether the millions invested in cyber over the years were really worthwhile.
CISOs and the security industry at large need to reflect on the resulting situation.
The skills gap is real across the industry and the piling-up of tools is just aggravating it.
JC Gaillard
Founder & CEO
Corix Partners
Those are the themes we have been exploring with techUK and Alchemmy over the past few months as part of their Cyber People Series, with a report due to come out late March.
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.