When new security issues arise, it’s common to plug them with new tools to solve the problem. As a one-off, this approach can make sense. But if we constantly take this reactive approach, bringing new tools onboard to solve the latest issue, we can end up with cybersecurity tool sprawl. According to Matt Chiodi from Palo Alto Networks, large enterprises are using an average of 130 security tools. While this number of tools may give us the impression of a robust security posture, there are a number of negatives that can come with it.
One of the most obvious problems is the direct cost of each of these tools. If an organization has dozens and dozens of security tools, the cost of each one adds up, taking a significant chunk of your security budget. Not only do you have to pay for the tools themselves, but you also need to pay for the personnel to manage them. Given that security departments don’t have unlimited budgets, this means that any unnecessary, unused, or overlapping tools are taking dollars from your security budget that could be used for other purposes with clearer benefits. Think about all of the money your organization may be wasting on tools that provide limited benefit—could it be better used to bring new experts to your team?
Another major issue is the amount of data these tools will be generating and collecting—is your organization even capable of making sense of it all? Can it correlate the data streams to determine what is actually going on? If you have vast streams of data that your organization is incapable of managing appropriately, then they may not be providing the security benefit that you think they are. Sure, you may have the latest and greatest product with all of the bells and whistles, but if all it does is add to the noise, it's not bolstering your organization’s overall security.
On top of this, a large number of security tools increases complexity. The more complex your systems are, the harder they are to understand, and the greater the risk of security issues arising. Because of this, it’s best to minimize your security tooling to only include those that work cohesively together to strengthen your organization’s overall security posture.
Adopting a risk-based approach
Rather than approaching tool acquisition in a haphazard and impulsive way, organizations should take a risk-based approach to ensure that tools align with the threats that an organization actually faces, and to ensure that the security department is helping to facilitate the organization’s overall objectives.
Organizations should conduct periodic risk assessments that involve:
- Cataloguing and determining the value of assets.
- Listing out possible threats to these assets.
- Assessing the likelihood of these threats eventuating.
- Determining the impact of these threats eventuating.
By following this process, you can determine the risk to each asset and prioritize how you will address them. This risk-based approach gives you an excellent starting position to determine which security controls and tools your organization actually needs. From this point, you can select security tools that work together cohesively, rather than slapping a new tool on top whenever a problem arises. This helps to keep your security systems relatively simple, instead of some elaborate Rube Goldberg machine that doesn’t actually bolster your security.
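The four assessment steps above and the prioritization that follows can be captured in a small risk register. The script below is an added example written for this article, not a tool or method from the original text: it scores each asset/threat pair as asset value × likelihood × impact (all on an assumed 1-5 scale), ranks the risks, and then goes one step further than the article by checking a list of candidate tools for overlapping coverage, selecting a cohesive set within a budget, and flagging tools that would add cost without covering anything new. All assets, threats, tools and costs are constructed sample values.

```python
"""Risk register with tool-coverage analysis (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

RiskKey = Tuple[str, str]  # (asset name, threat)


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # assumed scale: 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (near certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        for label, n in (("value", self.asset.value), ("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= n <= 5:
                raise ValueError(f"{label} must be 1..5, got {n}")

    @property
    def key(self) -> RiskKey:
        return (self.asset.name, self.threat)

    @property
    def score(self) -> int:
        # Asset value weights the classic likelihood x impact product.
        return self.asset.value * self.likelihood * self.impact


@dataclass(frozen=True)
class Tool:
    name: str
    annual_cost: int
    covers: FrozenSet[RiskKey]  # risks this tool is claimed to mitigate


# Constructed sample register (hypothetical organization).
DB, SITE, LAPTOPS = Asset("customer-db", 5), Asset("marketing-site", 2), Asset("laptops", 3)
RISKS: List[Risk] = [
    Risk(DB, "credential theft", 4, 5),   # 100
    Risk(DB, "unpatched vuln", 3, 5),     # 75
    Risk(SITE, "defacement", 3, 2),       # 12
    Risk(LAPTOPS, "lost device", 4, 3),   # 36
    Risk(LAPTOPS, "malware", 3, 4),       # 36
]
TOOLS: List[Tool] = [
    Tool("mfa", 20000, frozenset({("customer-db", "credential theft")})),
    Tool("edr-a", 30000, frozenset({("laptops", "malware")})),
    Tool("disk-encryption", 5000, frozenset({("laptops", "lost device")})),
    Tool("patch-management", 15000, frozenset({("customer-db", "unpatched vuln"), ("marketing-site", "defacement")})),
    Tool("waf", 25000, frozenset({("customer-db", "unpatched vuln"), ("marketing-site", "defacement")})),
    Tool("edr-b", 28000, frozenset({("laptops", "malware")})),  # second product in the same niche
]


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first; these are addressed before the rest."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def overlapping_coverage(tools: List[Tool]) -> Dict[RiskKey, List[str]]:
    """Risks that two or more candidate tools claim to cover: the seed of tool sprawl."""
    claims: Dict[RiskKey, List[str]] = {}
    for t in tools:
        for k in t.covers:
            claims.setdefault(k, []).append(t.name)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def select_tools(risks: List[Risk], tools: List[Tool], budget: int) -> Tuple[List[str], int, int]:
    """Greedy pick of the tool with the most newly covered risk score per dollar, until
    the budget or the uncovered risk runs out. Returns (chosen names, spend, residual risk)."""
    score_by_key = {r.key: r.score for r in risks}
    uncovered = set(score_by_key)
    chosen: List[str] = []
    remaining, candidates = budget, list(tools)
    while True:
        best, best_ratio = None, 0.0
        for t in candidates:
            if t.annual_cost > remaining:
                continue
            gain = sum(score_by_key.get(k, 0) for k in t.covers & uncovered)
            if gain > 0 and gain / t.annual_cost > best_ratio:
                best, best_ratio = t, gain / t.annual_cost
        if best is None:
            break
        chosen.append(best.name)
        remaining -= best.annual_cost
        uncovered -= best.covers
        candidates.remove(best)
    return chosen, budget - remaining, sum(score_by_key[k] for k in uncovered)


def redundant_tools(tools: List[Tool], chosen: List[str]) -> List[str]:
    """Tools not chosen whose whole coverage is already provided by the chosen set."""
    covered = set().union(*(t.covers for t in tools if t.name in chosen))
    return [t.name for t in tools if t.name not in chosen and t.covers <= covered]


if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.score:4d}  {r.asset.name} / {r.threat}")
    picked, spend, residual = select_tools(RISKS, TOOLS, budget=60000)
    print("chosen:", picked, "spend:", spend, "residual risk:", residual)
    print("overlapping claims:", overlapping_coverage(TOOLS))
    print("redundant if bought:", redundant_tools(TOOLS, picked))
```

The greedy selection is deliberately simple; the point is the workflow, which starts from scored risks rather than from the latest product, and which makes overlap visible before a purchase. On the constructed data, the `waf` entry is flagged as redundant once patch management is chosen, and the residual score tells you which risk (laptop malware) remains unaddressed under the budget rather than hiding it behind a long tool list.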