Good Enough Isn’t Good Enough Anymore

Alan Levine

The cyber risks we face today are not only greater than those we faced previously but also fundamentally different in several respects. Our adversaries are more adept, and their tools and tactics are more protean in capability. In light of these increasing challenges, our cyber defenses have morphed over time.

This is not to say that our arsenal today includes better defenses. Our defenses have morphed because we have seen the headlines, possibly experienced organizational pain ourselves, and we as CISOs have searched out new cyber solutions to address new cyber threats. In earlier times, we agreed ‘it’s all about the network.’ Cloud migrations and virtual connectivity, however, have modified that mantra. Now, we agree ‘it’s all about the data.’ As our cyber defense focus has shifted, so has the array of potential solutions.

Best of Breed vs. Bundle

Cyber solutions are promoted in two primary categories, and the choices CISOs make between these categories matter. On the one hand, some solutions offer – or at least purport to offer – best of breed capabilities. They propose to satisfy a CISO’s particular concern directly and completely, whether that concern is about endpoint, detection and response, network, data protection, or any other discrete layer of the cyber security stack. These solutions often operate in silos, are difficult to connect to other parts of an organization’s defense stack, and intentionally establish themselves as true one-offs within the cyber arsenal. They are superb at the mission they are intended to serve but, like the proverbial cheese, stand alone.

On the other hand, some potential offerings are bundled solutions, addressing defense for endpoint and detection and response, or network and data protection (think DLP here). Some bundled solutions go further, offering suites of combined offerings that address a wide variety, if not the full gamut, of cyber security worries. Some focus on service solutions as opposed to product solutions, but even in these cases the service provider likely offers or prefers specific products.

What bundled solutions typically lack is any particular component that is, indeed, best of breed. This may be an unfair blanket statement, because certainly many bundled offerings include very good solutions. Nevertheless, the components of these bundled solutions are neither discrete in nature nor completely focused. More likely, bundled solutions are solution sets built to inter-operate, to play nicely with each component part, because a bundled solution is probably doomed to fail unless every part works in harmony with every other part of the bundle.

A Place for SOAR

While best of breed solutions are wonderfully capable, they can be onerous to manage. Keeping these solutions current can also be challenging. Additionally, getting these solutions to inter-operate with other parts of the stack may be difficult. A best of breed solution, for example, may be strong at DLP, but security teams may struggle to integrate its logs into the organization’s SIEM solution. Configuring a best of breed solution can also prove challenging, because the inherent capability of the solution is complicated. A best of breed solution may be difficult even to deploy, given that it stands by itself.

Security orchestration, automation and response (SOAR) solutions can therefore serve a valuable purpose. They provide value by organizing disparate components of the stack into a comprehensible and manageable whole. SOAR assumes that unmanageable, disparate elements exist in the stack but they can be integrated (to some extent) under an umbrella technology that manages them as a single-threaded solution set.

If best of breed solutions operate in silos (they tend to, it’s their nature), then getting each of them into a common management regime via SOAR may be a bridge too far. Technology that is meant to be independent tends to resist cooperation and integration. This is not to diminish the value of SOAR solutions but simply to say that best of breed solutions are a breed of their own.

Spend Matters

Cost, too, is always a consideration. Although some organizations have big cyber security budgets, most organizations (especially SMBs) aren’t so fortunate and must manage costs carefully. A bundle of cyber security solutions often can be cost effective because there’s leverage in combining purchases from a single vendor. There is, however, also risk. The consequences could be catastrophic should a bundled solution have a security flaw or other significant operational issue. What if every part of a solution set failed at once? Therein lies the madness for CISOs. A best of breed solution may be vital, but its failure shouldn’t engender failures across the stack.

Some of these solutions nevertheless aspire to uber-security. Best of breed – as in dog shows – is special, and that specialty needs to be protected. Their providers pay ‘special’ attention to things that increase customer risk and work to refine and improve the secure state of their offerings. This suggests best of breed solutions may be less likely to fail.

Capability Today vs. Strategic Roadmap

It’s hard most days for CISOs to see the forest for the trees. Bundles thankfully offer a way to navigate the thicket. Bundle providers understand their (foundational) role in customer organizations. Their comprehensive solution sets let CISOs solve multiple issues with a single procurement arrangement.

Managing supplier relationships takes time, and every cyber security leader needs more time, not less. Fewer critical suppliers in the stack is therefore advantageous for most cyber security organizations. After all, CISOs require instant capability in the solutions they deploy. A security gap needs to be closed now, and a purchase will hopefully close it. A close relationship with a bundle provider may achieve early delivery and support for addressing emergent issues.

A CISO also needs to understand the long view of their suppliers: not just what their solutions do now, but what they will do going forward. Where will a product or service be in two or three years? How do the CISO and the organization fit inside a supplier’s strategic plan? Knowing where a supplier is heading is a leading indicator. A bundled solution may bring the CISO’s organization closer to the supplier, and this may facilitate cross-strategic planning at a deep level.

Best of breed suppliers, by contrast, can be more difficult to get to know. These providers are sometimes smaller with niche offerings. How many employees do they have? Who will answer the phone when a CISO makes a critical call? Alternatively, it’s possible that smaller providers are more intimate and engaging about the specific solutions they provide. A CISO can build a relationship with a supplier’s senior leadership, which can prove very valuable, in terms of immediate needs and long-term planning.

The Inevitable Doesn’t Have to Be

If CISOs believed all suppliers will be successfully targeted and victimized, they’d quit and drive trucks for a living; it’s an honest job that depends only on the certainty of sources and destinations. Cyber security depends on much more: the intricacies and inter-relationships of networks, hardware, software, user behavior, the cooperation of cloud providers, the partnership of suppliers and customers, and the complicated demands and expectations of stakeholders. A CISO’s job is undeniably hard, and it’s only getting harder.

And that’s just the business side. Cyber criminals of every variant have figured out that there’s money to be made, heartache to be transferred, and chaos to be wreaked whenever they identify a vulnerability.

Every decision a CISO makes therefore matters. Every increment of cyber strategy should be based on thoughtful examination of facts from internal and external intelligence, providing the CISO with purpose and reasoned choices. Risk can’t in most cases be eliminated, but it can be mitigated and managed. CISOs don’t wait for the bad thing to happen. They work every day to delay the inevitable and to diminish its consequences.

The choices we CISOs make in what we buy, and how, also matter. Best of breed may offer capability and expertise unavailable in bundled solutions. As a result, the good enough provided by bundled solutions may not be good enough anymore. Regardless, every CISO knows that what matters most is the good we do. That is not a choice. It is our nature.
