Ray Biondo | Senior VP & CISO, Beyond
Are you suffering from cybersecurity tool fatigue? Are your IT and security teams saddled with multiple unmanageable tools, intelligence feeds, and procedures—usually with a significant amount of overlap—that need continual updating to adapt to today’s everchanging IT and cybersecurity architectures?
Tool fatigue is a result of the security industry’s aimless growth over the last 20 years. For too long, security professionals didn’t fully understand the various cyberattacks and how to mitigate them at the source. Instead, the industry concentrated its efforts on creating point solutions—from antimalware and firewalls to intrusion prevention/detection (IDS/IPS) and web application firewalls (WAF)—to prevent threats from penetrating a network or device.
Cybersecurity experts are not immune to the shiny object syndrome—Squirrel!
Over time, companies succumbed to the “shiny object” syndrome, believing every new tool or release was the silver bullet that could wipe out all cyberthreats. Most companies pinned a great deal of hope on new technologies they acquired, but very few of them learned how to operate, integrate, and optimize those technologies for their business needs—reducing the value they might have provided.
For those who did, they built teams comprising multiple experts—from antimalware and firewall experts to intrusion detection/prevention (IDS/IPS) and web application firewall (WAF) experts, among others. But these experts rarely worked together—as they were highly focused on their own piece of the puzzle—and the cost of hiring and retaining them was unsustainable for most organizations.
In the worst cases, companies just didn’t do anything. They bought and deployed the technology but didn’t maintain it. The thing about security technology is that it must be continuously updated to be effective, if it isn’t, it quickly begins to lag and becomes outdated and therefore obsolete in the face of the latest cyberthreats.
Why does tool fatigue happen?
- There are too many point solutions — With roughly 1,600 vendors in the space, how do you make sense of all the options? Do you even know where to start? Considering the current cybersecurity talent shortage, there’s a good chance you don’t. Many vendors provide similar solutions—with nuances—and inundate CISOs with their offerings. As a result, security executives spend an excessive amount of time sorting through their options and trying to determine which products are best for their organization.
- People don’t want to master the skills needed to maximize a security solution — Because of the talent shortage, most organizations lack staff with the required foundation to run even the rudimentary functions of a complex security solution. As a result, the “shiny object” sits idle or operates at a fraction of its capability. Eventually, a new tool arrives and is purchased, but the buyer doesn’t invest the time or money to train their staff to understand and operate it to its potential. As before, they get bored and start looking for the next best thing, and the cycle of buying and retiring tools continues.
The effect on compliance
Not only does tool fatigue aggravate an already complex security problem, it has a serious impact on the ability of compliance professionals to properly audit and report on their cybersecurity efforts.
You may want a quick and convenient solution, but ultimately meeting compliance mandates from HIPAA, PCI, GDPR, etc. is achieved in just one way: securing your IT environments and the data contained within. You must create a security program that addresses how your organization handles sensitive personal data, in all cases. That means addressing the relevant risks with the right strategies and controls.
This probably doesn’t sound fun and, I’ll be honest, getting compliant can be tough. But there’s good news: When you build the right security program from the beginning, instead of chasing the newest silver bullet, the long-term benefits outweigh the growing pains. You’ll discover a wealth of opportunities for improvement and end up with a stronger, higher-performing security infrastructure.
Cybersecurity tools are essential in protecting organizations from cybercriminals. However, there are so many tools on the market that it’s practically a fulltime job to assess, compare, and select the best options for your organization. Once a solution has been selected and implemented, you will meet many of the regulatory requirements by putting in place well-written policies and procedures and proving implementation of the security solution. Going forward it becomes essential that you have trained and qualified personnel to maintain compliance. Armor Partner, BEYOND LLC, specializes in assessing security programs, identifying potential weaknesses, recommending solutions, and helping its clients obtain security certification.
Why risk assessment and planning are crucial
The most direct road to securing your network and data starts with performing a thorough risk assessment and planning the implementation of a security solution. Because resources are typically limited, the planning stage is when you narrow your focus and direct your efforts and resources to defend against threats that have a high likelihood of affecting your business.
How do you get started? This is where having a third-party vendor experienced in conducting thorough risk assessments is valuable. A team with the right experience will not only offer much-needed objectivity to the risk assessment process but also help you ask the right questions.
You must uncover exactly who is accessing data, where they are accessing it, and how they are accessing it: Are mobile devices and external hard drives properly secured? You’ll also need to classify your servers (Do they contain personal data?), and determine which irregularities employees have used to get the job done.
Use the results of your risk assessment to identify the security controls needed to mitigate risk to an acceptable level. Organizations have different needs and capabilities, and security is not one-size-fits-all. To implement the best security program for your environment and avoid hefty, potentially business-ending fines during uncertain regulatory times, organizations should apply a security-first mindset and avoid jumping at shiny objects at all costs.
How to defeat cybersecurity tool fatigue
While no single cybersecurity product can ever be a silver bullet, that doesn’t mean a silver bullet solution for your organization doesn’t exist. By consolidating your existing best-of-breed IT security tools and making them work cohesively, you can strengthen your organization’s security posture, and that’s your silver bullet. Because of the above mentioned talent shortage, building such an ecosystem within your IT department is, unfortunately, highly unlikely.
Your best bet would be to partner with a reputable SECaaS (security-as-a-service) provider who can develop that solution for you. Look for a company that can:
- Help solve your organization’s immediate tactical problems
- Act as a consultant
- Assist in building your long-term cybersecurity strategy
Ideally, that solution would be dynamic, nimble, and DevOps-integrated. That means it would be suitable for imminent, large-scale changes—such as cloud migrations—and easily adaptable to any unforeseeable changes within the technology industry.
With a security-first mindset, you don’t have to deal with large operational burdens, managing and maintaining loads of security professionals, and, at the same time, hitting your bottom line. Instead, you can simply focus on your core business and increasing revenue.