E R T N
P
X
E INIO
OP
What
CISOs should
consider when
consolidating
security
solutions
Most CISOs have many, if not too many, security
products and tools across their enterprise,
according to Jim Doggett, US VP and CISO,
Panaseer. He says CISOs should first develop a
security framework with the required controls to
enable them to look at what products and processes
achieve these control objectives.
T
oday’s CISOs
find themselves
in a highly ironic
situation – the
tools they bought
to make their
lives easier are
actually causing them more headaches.
It’s so easy to get caught up in the latest
security craze and buy a tool to solve it.
Now we have ended up with too many
tools that often integrate poorly, require
different expertise, and provide too
much data but not an overall view to
the security risk level. Industry reports
vary, but it’s estimated that the modern
CISO has to contend with somewhere
in the region of 55 and 75 discreet
security products.
There are clear drivers for CISOs to
consolidate their security solutions to
www.intelligentciso.com
|
Issue 05
Jim Doggett, US VP and
CISO, Panaseer
reduce clutter, cut costs and simplify
their procedures – here I outline the
rationale and proposed process.
How we became overloaded
For the past few decades, many security
teams have let the technology (i.e. the
security solutions) drive their security
strategy. Ultimately this is letting the
tail wag the dog. Good security is built
from a sound strategy and framework,
implemented through people, with robust,
repeatable processes and technology
that enables the strategy. While we have a
plethora of tools to identify many security
risks, we have few that reduce the risks
and sustain that reduction.
Drivers to consolidate
Over time, as CISOs have continued
buying tools, and rarely decommission
any, it compounds the problem resulting
in many companies having too many
tools, with overlapping functionality and
still remaining gaps in coverage.
This situation is encapsulated by the fact
that the vast majority of companies don’t
know their security posture, or wher e
their most significant risks are on a day-
to-day basis – despite spending millions
on a vast array of tools.
So yes, we need to see a consolidation/
reduction in the number of security
tools we use and we need to establish
discipline around the process to add
new security solutions. However, it’s not
as simple as going through each of the
tools and deciding if it is adding value
or if its function is or can be provided
by another tool. Instead, we need to
approach rationalising security tools
using two core fundamentals:
41