Good Enough Just Isn't Good Enough Anymore

Alan Levine

The cyber risks we face today are greater than those we faced previously, and they are also fundamentally different in several respects. Our adversaries are more adept, and their tools and tactics are more protean in capability. In light of these increasing challenges, our cyber defenses have morphed over time.

This is not to say that our arsenal today includes better defenses. Our defenses have morphed because we have seen the headlines, possibly experienced organizational pain ourselves, and we as CISOs have searched out new cyber solutions to address new cyber threats. In earlier times, we agreed ‘it’s all about the network.’ Cloud migrations and virtual connectivity, however, have modified that mantra. Now, we agree ‘it’s all about the data.’ As our cyber defense focus has shifted, so has the array of potential solutions.

Best of Breed vs. Bundle

Cyber solutions are promoted in two primary categories, and the choices CISOs make between these categories matter. On the one hand, some solutions offer – or at least purport to offer – best of breed capabilities. They propose to satisfy a CISO’s particular concern directly and completely, whether that concern is endpoint, detection and response, network, data protection, or any other discrete layer of the cyber security stack. These solutions often operate in silos, are difficult to connect to other parts of an organization’s defense stack, and intentionally establish themselves as true one-offs within the cyber arsenal. They are superb at the mission they are intended to serve but, like the proverbial cheese, stand alone.

On the other hand, some offerings are bundled solutions, combining, for example, endpoint protection with detection and response, or network protection with data protection (think DLP here). Some bundled solutions go further, offering suites that address a wide variety, if not the full gamut, of cyber security worries. Some focus on service solutions as opposed to product solutions, but even in these cases the service provider likely offers or prefers specific products.

What bundled solutions typically lack is any particular component that is, indeed, best of breed. This may be an unfair blanket statement, because certainly many bundled offerings include very good solutions. Nevertheless, the components of these bundled solutions are neither discrete in nature nor completely focused. More likely, bundled solutions are solution sets built to inter-operate, to play nicely with each component part, because a bundled solution is probably doomed to fail unless every part works in harmony with every other part of the bundle.

A Place for SOAR

While best of breed solutions are wonderfully capable, they can be onerous to manage. Keeping these solutions current can also be challenging. Additionally, getting these solutions to inter-operate with other parts of the stack may be difficult. A best of breed solution may, for example, be strong at DLP, but security teams may struggle to integrate its logs into the organization’s SIEM. Configuring a best of breed solution can also prove challenging, because its capabilities are inherently complex. A best of breed solution may be difficult even to deploy, given that it stands by itself.

Security orchestration, automation and response (SOAR) solutions can therefore serve a valuable purpose. They provide value by organizing disparate components of the stack into a comprehensible and manageable whole. SOAR assumes that unmanageable, disparate elements exist in the stack but that they can be integrated (to some extent) under an umbrella technology that manages them as a single, coherent solution set.

If best of breed solutions operate in silos (they tend to, it’s their nature), then getting each of them into a common management regime via SOAR may be a bridge too far. Technology that is meant to be independent tends to resist cooperation and integration. This is not to diminish the value of SOAR solutions but simply to say that best of breed solutions are a breed of their own.

Spend Matters

Cost, too, is always a consideration. Although some organizations have big cyber security budgets, most organizations (especially SMBs) aren’t so fortunate and must manage costs carefully. A bundle of cyber security solutions can often be cost effective because there’s leverage in combining purchases from a single vendor. There is, however, also risk. The consequences could be catastrophic should a bundled solution have a security flaw or other significant operational issue. What if every part of a solution set failed at once? Therein lies the madness for CISOs. A best of breed solution may be vital, but its failure shouldn’t engender failures across the stack.

Best of breed solutions nevertheless aspire to a higher standard of security. Best of breed – as in dog shows – is special, and that specialty needs to be protected. Their providers pay ‘special’ attention to anything that increases customer risk and work to refine and improve the secure state of their offerings. This suggests best of breed solutions may be less likely to fail.

Capability Today vs. Strategic Roadmap

It’s hard most days for CISOs to see the forest for the trees. Bundles thankfully offer a way to navigate the thicket. Bundle providers understand their (foundational) role in customer organizations. Their comprehensive solution sets let CISOs solve multiple issues with a single procurement arrangement.

Managing supplier relationships takes time, and every cyber security leader needs more time, not less. Fewer critical suppliers in the stack is therefore advantageous for most cyber security organizations. After all, CISOs require instant capability in the solutions they deploy. A security gap needs to be closed now, and a purchase will hopefully close it. A close relationship with a bundle provider may achieve early delivery and support for addressing emergent issues.

A CISO also needs to understand the long view of their suppliers: not just what their solutions do now, but what they will do going forward. Where will a product or service be in two or three years? How do the CISO and the organization fit inside a supplier’s strategic plan? Knowing where a supplier is heading is a leading indicator. A bundled solution may bring the CISO’s organization closer to the supplier, and this may facilitate joint strategic planning at a deep level.

Best of breed suppliers, by contrast, can be more difficult to get to know. These providers are sometimes smaller with niche offerings. How many employees do they have? Who will answer the phone when a CISO makes a critical call? Alternatively, it’s possible that smaller providers are more intimate and engaging about the specific solutions they provide. A CISO can build a relationship with a supplier’s senior leadership, which can prove very valuable, in terms of immediate needs and long-term planning.

The Inevitable Doesn’t Have to Be

If CISOs believed all suppliers would be successfully targeted and victimized, they’d quit and drive trucks for a living; it’s an honest job that depends only on the certainty of sources and destinations. Cyber security depends on much more: the intricacies and inter-relationships of networks, hardware, software, user behavior, the cooperation of cloud providers, the partnership of suppliers and customers, and the complicated demands and expectations of stakeholders. A CISO’s job is undeniably hard, and it’s only getting harder.

And that’s just the business side. Cyber criminals of every variety have figured out that there’s money to be made, heartache to be inflicted, and chaos to be wrought whenever they identify a vulnerability.

Every decision a CISO makes therefore matters. Every increment of cyber strategy should be based on thoughtful examination of facts from internal and external intelligence, giving the CISO purpose and reasoned choices. Risk can’t in most cases be eliminated, but it can be mitigated and managed. CISOs don’t wait for the bad thing to happen. They work every day to delay the inevitable and to diminish its consequences.

The choices we CISOs make in what we buy, and how, also matter. Best of breed may offer capability and expertise unavailable in bundled solutions. As a result, the good enough provided by bundled solutions may not be good enough anymore. Regardless, every CISO knows that what matters most is the good we do. That is not a choice. It is our nature.
