Rethinking Security Spend - WHO'S IN THE POLE POSITION THIS YEAR?

I’ve been doing this for over 25 years and sadly, as much as the industry has evolved, not much has changed. My clients grew up with me in the industry and most, if not all of them, came from a technical background. Until I took my CISSP, I thought that security was simply buying products to solve a need and plug holes. After consulting and working in the industry, I started to think about how to better choose products, and in 2022 the challenges facing the typical CISO are vastly different than they were in 1999, when I started my career. Back then I worked with Check Point firewalls, converting Ford Motor Company off the IPVAN network to the bleeding-edge IPsec standard. IPsec was brand new, and the debate of the day was whether stateful inspection firewalls were as good as proxy-based ones.

THE TYPICAL SPEND IN ALL BUT THE LARGEST CUSTOMERS

In all but the largest customers, the security decisions are often left to the technical folks. These are the same people that grew up in our industry. The IT "guy" morphed into the network "guy" (I had the pleasure of working in a Unix environment for most of my early career), who ultimately took responsibility for the entire IT department. (To be fair, one of my favorite customers was Susan W., so it wasn’t all men.) Sadly, the methodology has largely remained the same when purchasing a solution. Most often the decision-making looks something like this:

Features>Price>Personal Bias

Here a specific feature or short-term solve is more important than the price, and both are then filtered through the evaluator’s personal preference and familiarity with the solution. Previous experience with the tool, or even an article that was read many years ago, often drives the decision on what to purchase.

While this methodology served the IT community when there were few choices and vendors were siloed into a specific area of technology, it no longer serves the security community, which has hundreds, if not thousands, of security controls to choose from. Compounding this issue, the “everyone does everything” approach of modern security vendors makes choosing a product quite challenging.

GARTNER PROVIDES SOME INSIGHT OR DOES IT?

Oh, the Gartner Magic Quadrant…

Like a stock car race, the pole position changes lap to lap (in this case year to year) and companies are judged on that lap alone. It might be helpful to see a 3-, 5- or 10-year trend for their ability to execute and “visionary” status. What is a visionary anyway? For one year a company is in the lead or develops a hot technology? Is that a visionary? Is their ability to execute based on a single point in time, with barely a reference to the history of the organization? We don’t judge races that way, so why do we feel it’s so valuable to judge technology companies, where a 3-5 year spend is dependent on a snapshot in time?

Last year company X was a visionary and could execute like a champ, but a year later they have fallen out of the pole position and are no longer the “fair-haired child.” I hate to ask, but what exactly quantifies a centimeter of difference on the pole position in a quadrant, and what are the criteria for the #2 or #3 in any technology? Do these companies perform consistently year over year, or are they in the lead for a single lap due to aggressive funding or some other factor?

I like Gartner for the attempt at adding some insight to a very complicated industry, but I don’t find their reporting as useful for the real businesses I touch each day. It’s a metric to be considered, for sure, but not the only one.

A DIFFERENT WAY TO PURCHASE MAY BE NEEDED

Instead of the detailed feature-led approach outlined above, I am suggesting that in 2022 and beyond it might make sense to look at a more risk-focused approach, where risk is a combination of factors that can be considered along with continuity.

Before we even evaluate features, as an industry, we might want to consider the actual cyber risk as an initial step: looking at potential damages from a breach and exfiltration, for example, instead of constantly plugging security holes with an endless array of products. Qualifying the data, the risk of that data being compromised and the damage that could follow seems to be relegated to only the most competent security professionals.

I didn’t even understand how to think about security after my CISSP. Still to this day, the methodology of risk is sort of an afterthought. I am almost never brought into calls proposing “here is our fear, why we have it and the risk to the organization…what can you suggest?” Instead, it’s still a very technology-based approach to a problem or trend in the industry such as ransomware.

MAYBE CONSIDER THIS METHODOLOGY INSTEAD

Instead of looking at the Magic Quadrant or a specific feature, it might be time to consider some more risk-based decisions when it comes to product selection. I propose we look at it in this way:

Risk>Staffing-Continuity>Technology

First, we should consider the risk of a breach, which means that we would hopefully tabletop the various scenarios of a breach/exfiltration. More importantly, we should assess the damage from that compromise and how it would impact the business from a reputation, financial and business continuity perspective.

Second, as I have been writing about for months, one of the biggest security holes that should be considered is staffing challenges and industry knowledge around a certain technology. We can all identify with one of the most damaging security events ever, the SolarWinds compromise.

SolarWinds allowed an unsupervised intern to handle system administration for a critical system that could ultimately link to development code?

I get it, we all struggle to recruit and retain talent, but seriously, I think as security professionals we collectively should have known better. Don’t think it’s just SolarWinds either; I am sure many companies make ill-informed decisions around staffing. Most organizations are so short-staffed on a long- or short-term basis (we all take vacations) that it’s no wonder that, after spending millions of dollars on security tools, an advanced organization like SolarWinds was compromised.

Evaluating a technology shouldn’t be simply a snapshot of who is in the pole position for a particular year. What must be considered is the talent pool, the availability of HIGH-QUALITY TRAINING and the cohesiveness of management. By considering this facet of a purchase, we can avoid losing people or recruiting unqualified people into an organization, along with a myriad of underutilized tools.

I’ve sold many solutions over the years and I can literally count on one hand the number of times training has been sold along with them. Companies simply don’t have the time or staff to send people to be trained any longer. Untrained staff leads to misconfiguration, which leads to risk. For a fix to this, please reference my article on a new paradigm for the MSP/MSSP.

Finally, after those two considerations are evaluated, we can consider the technology. Perhaps after weighing those two factors, the pole position leader for a particular year isn’t quite as exciting. Instead, the steady, methodical company that consistently performs and adds features might be a better choice.

Don’t get me wrong, there is value to the pole position spot, but only when backed up by years in one of the leadership spots. Everyone appreciates innovation, but honestly, most large vendors eventually catch up and add the specific functionality that is required.

WHO’S MINDING THE STORE?

It sounds like all IT managers dream of having an open checkbook for tools and controls to help the entire CIA triad (confidentiality, integrity, availability). Unfortunately, it’s very difficult to staff a modern IT infrastructure, much less a Security Operations Center. It’s important to find controls that work well together and are managed effectively. You might just hear “stop buying products, we don’t have time to handle another thing!” if these things aren’t also considered.

There are some basic items that every SOC needs to be effective, including a ticketing system, a SIEM and modern endpoint protection. Threat hunting isn’t a part-time skill that everyone has developed. It often takes years of classes and experience to find breaches, especially with the amount of A.I. exploits being developed. It’s important that organizations invest in training and skills development, along with developing a good incident response plan, should a breach occur. With the average cost of a breach in schools at $170k, all organizations need to consider the reputational damage caused by a cyber incident in addition to the direct costs.

There are some options to handle the staffing shortage in a typical IT environment. I often consult with clients on understanding the level of “assistance” they might require. Certainly, one can outsource the entire SOC to a third party, but in addition to the seven-figure, three-year costs there are some issues with change orders and self-management, as the MSSP will want to ensure all changes are fully documented. No more logging in to make a quick rule change!

The second approach is a hybrid MDR/XDR service, and there are now tens, if not hundreds, of them. These give 24/7 eyes on glass, but there are times when the client’s assistance is needed for remediation and changes: most XDR services will utilize telemetry from firewalls, IPS systems, endpoint protection (EPP) and email security, but usually only the EPP will be utilized for stopping a breach and isolating the incident. Additionally, the XDR provider will often assist “over the shoulder” in the remediation but typically won’t do the work for the client once containment occurs. Still, these solutions can be in the low six-figure category for a three-year contract, which isn’t bad considering the cost of outfitting a modern SOC, which can be an upfront cost of $200,000-400,000 when staffing is considered, and that still doesn’t give 24/7 eyes on glass.

No matter the direction, it’s important to consider staffing in addition to the technology when increasing overall organizational security, and to budget for these costs. With the cost of tools, training and people, the hybrid XDR/MDR approach seems like the best option for most organizations.

SECURITY ISN’T A SHORT-TERM PROBLEM

For meaningful long-term deployments, security isn’t a snap decision based solely on buzzwords, hot trends and catchy new industry schemes. With the average tenure of the CISO being two years or under, CIOs and other executives need to take a more active role in product choices, with the understanding that the CISO who is asking for that big budget will likely not be there to see it fully implemented or utilized.

It’s time to educate C-level executives on risk and stop talking technology, so they better understand the nature of cyber compromise in terms of business continuity and longevity.

By adopting this approach, I believe that we can finally bridge the gap between the needs of the business, in terms of staffing and execution, and products that have exciting new features that can fill a needed control. We’ve all seen technology come and go, so it’s no wonder that such a high number of businesses still run their critical systems on AS/400 and mainframe environments.

Not sexy, and certainly not in any Magic Quadrant, the tested AS/400 is what it needs to be: ugly, stable and solid. Perhaps the security community could learn something from this old workhorse.

Anyone have a ZIP DRIVE I can borrow? That was once the product of the year too!

About the author:

Eric Marchewitz is a security solutions architect, recovering CISSP and AWS Cloud Practitioner. His career in information security has spanned 23 years, working for companies such as PGP Security, Cisco Systems and Check Point. Most recently he is a Field Solutions Architect for CDW Corporation. This article doesn’t reflect the views of CDW, is for information purposes only and should not be considered professional advice. No warranty of the information contained within is given.

#security #informationsecurity #cybersecurity #riskmanagement