Skip to main content

What CISOs should consider when consolidating security solutions

July 31, 2018

Barry Lyne

Most CISOs have many, if not too many, security products and tools across their enterprise, according to Jim Doggett, US VP and CISO, Panaseer. He says CISOs should first develop a security framework with the required controls to enable them to look at what products and processes achieve these control objectives.

Today’s CISOs find themselves in a highly ironic situation – the tools they bought to make their lives easier are actually causing them more headaches. It’s so easy to get caught up in the latest security craze and buy a tool to solve it. Now we have ended up with too many tools that often integrate poorly, require different expertise, and provide too much data but not an overall view to the security risk level.

Industry reports vary, but it’s estimated that the modern CISO has to contend with somewhere in the region of 55 and 75 discreet security products. There are clear drivers for CISOs to consolidate their security solutions to reduce clutter, cut costs and simplify their procedures – here I outline the rationale and proposed process.

 How we became overloaded

 For the past few decades, many security teams have let the technology (i.e. the security solutions) drive their security strategy. Ultimately this is letting the tail wag the dog. Good security is built from a sound strategy and framework, implemented through people, with robust, repeatable processes and technology that enables the strategy. While we have a plethora of tools to identify many security risks, we have few that reduce the risks and sustain that reduction.

Drivers to consolidate

Over time, as CISOs have continued buying tools, and rarely decommission any, it compounds the problem resulting in many companies having too many tools, with overlapping functionality and still remaining gaps in coverage. This situation is encapsulated by the fact that the vast majority of companies don’t know their security posture, or where their most significant risks are on a day-to-day basis – despite spending millions on a vast array of tools.

Read the article here