The below interview was originally posted on ITSecurity Wire.
“CISOs should rely on an ecosystem of trusted partners that can supplement and guide the organization. This will ultimately be far more effective,” says Zane West, VP of Cybersecurity, NWN Carousel, in an exclusive interview with ITSecurityWire.
ITSW Bureau: Even though large enterprises invest in 126 different security solutions on average, high-level engineers and even CISOs struggle to leverage them for infrastructure security. Why?
Zane West: Often, large enterprises are comprised of many disparate organizations that were created through M&A. In some instances, each organization has its own IT Security team that takes technology decisions. In others, the IT teams were merged after an acquisition, but the technology choices were made by separate groups with different agendas.
Herein lies the problem – inherited technologies that were purchased and implemented by former employees may not be fully utilized but continue to be renewed until their end of life or another compelling event. This results in poorly configured, outdated, and poorly maintained technologies, which now no longer provide the intended value.
The more technologies an organization has for a single capability, the less likely they are to be properly aligned in implementation standards.
ITSW Bureau: How can CISOs help the board members to understand the impact of investing in advanced cybersecurity tools while saving money in the long run?
Zane West: It is actually quite simple: there are two major financial factors associated with inferior security architecture: human capital and risk. With risk, what are the operational costs when a breach occurs?
They typically include the cost of downtime (productivity losses sustained before systems can be restored), the cost of reputation damage (how many clients will the enterprise lose as a result of the loss of trust), and the regulatory cost (what are the fines that the company will pay as a result of a breach, think PCI, GDPR, etc.). Ultimately, the risk element comes down to what happens if an organization doesn’t invest in required solutions.
Human capital cost is the most difficult to quantify as it is not widely discussed from an operational perspective, but usually in the short term from an implementation perspective. A general rule of thumb without any automation or consolidated management platform is if an engineer has to perform all activities on a daily, weekly and monthly basis to properly maintain hardware, irrespective of its function, it takes 6.4 hours of effort per device per month.
Operational efficiencies are gained through automation, central management, vendor consolidation, and consolidation of functions onto multifunction devices. The solution is to invest in a rationalization strategy upfront and save in year 2 and 3 or to hire more people to mitigate risk, and to fully integrate the technologies in a best practice implementation.
ITSW Bureau: How can enterprises achieve the required security and agility from the latest tools in a way that will positively impact their business operation?
Zane West: I believe that organizations should make a platform decision by evaluating 1 or 2 core vendors that comprise the bulk of the security architecture. The critical requirement for selecting other solutions should focus less on the features and more on the centralized management of those technologies, and the interoperability and integration with core vendors of an enterprise.
An element that should be more heavily emphasized is the use of orchestration tools and platforms, and having dedicated DevOps resources that automate the high-volume, low-level maintenance and operational tasks.
This is not specifically looking at SOAR platforms, but rather Ansible, Chef, Puppet or even Python scripting that can be used to perform standard functions on the device that keep it current and healthy. This provides greater operational scale, and reduces the human error risk, allowing more senior engineers to handle more complex and strategic initiatives.
ITSW Bureau: What advice will you give to today’s CISOs in terms of rationalizing the cybersecurity portfolio of their enterprises?
Zane West: A CISO has bigger priorities than worrying about features and functionality of hundreds of technologies and the 1% or 2% minor capability differences. I would first advise CISOs to simplify their choices by buying into a platform and sticking with that vendor’s offerings as the primary selection for new requirements.
If they do not have a solution, CISOs must identify the technology partner(s) that best align with the outcome and have a primary focus on integration and interoperability. Often, the major vendors all have similar views on the strengths of the other integrated point solutions and the same ones come out on top. Rarely are there more than 1 or 2 degrees of separation.
Secondly, CISOs must subcontract the volume, standardized activities to a partner who aligns on technology relationships. They must decide what functions they want to keep in-house. CISOs are ultimately accountable for organizational risk, and own the strategic decisions and execution. However, they should not take on the responsibility of the execution of all functions. This exercise simply does not scale.
Instead, CISOs should rely on an ecosystem of trusted partners that can supplement and guide the organization. This will ultimately be far more effective. They must keep standardization of configuration, and subcontract operational management. Furthermore, they should keep business context to threat monitoring, but outsource SOC monitoring. And finally, they should own the program management for incident response and remediation but outsource the execution.