Cyber Strategy. PHOTO: Cybercrime Magazine.

Cybersecurity Leaders Are Bananas Over Point Products

Too many vendors can drive a CISO crazy

David Berliner

Boston, Mass. – May 4, 2022

This year, Gartner has started to double down on much of its Cybersecurity Mesh research. Two of the core pillars of the Mesh are strongly related: vendor/stack consolidation and composability. These are largely the result of security operations and IT teams having to manage so many disparate solutions, while needing to streamline operations and deal with a growing, more distributed set of assets. The question often asked is, “Do I have the right tools to fill the right holes, and can I manage them in concert with one another?”

Moreover, CIOs and IT managers are under the gun to prove the value of their investments and to consider trade-offs to free up resources for new efforts. This often leads to the discussion, “Where can I cut before I put myself at risk?”

Cybersecurity teams can benefit from evaluating their cybersecurity stack and selectively consolidating technologies, but only if they do so with care. Consolidation can increase efficiency, save time, and even improve security outcomes. Centralizing spend with a vendor might come about by choice or be driven by external market activity. Either way, security leaders should ensure that security stack optimization efforts preserve their defense in depth strategies, while also continuing to serve the unique needs of their environment, team, and threat context.

Gartner notes that 78 percent of companies have 20 or more security products, which requires managing dozens of different vendors. Often, organizations struggle to connect these systems together effectively. Selecting solutions designed for composability can allow for a “best of breed” approach, with individual controls working together. Alternatively, reducing the number of different vendors can lead to better integrations of security controls, can save time, and can save money through bundled purchases, assuming the consolidated vendor ties their various controls together effectively.

Here are a couple of key concepts to keep in mind when preparing to review and optimize your security stack:

Preserve Defense in Depth

Indulge me in a brief example from outside security. Bananas are my go-to snack before a workout — easy to digest and full of energy and potassium. Sadly, the Cavendish banana that we know and love today is likely going to be wiped out by a crop disease called Tropical Race 4. Cavendish bananas are essentially a monoculture, a single plant type with minimal genetic variety. With a monoculture, a disease that impacts one farm can spread rapidly and with little resistance. This already happened to bananas in the 1950s, when the previous banana monoculture, the Gros Michel, was devastated by a prior version of this same disease.

Monocultures are also a risk in cybersecurity. The more an organization relies on one control or on one vendor, the greater the risk is if that vendor itself is compromised. Additionally, the broader audience of most consolidated security companies raises the number of potential victims if the consolidated vendor is compromised.

Two examples highlight these risks:

SolarWinds CEO Sudhakar Ramakrishna estimated that roughly 18,000 customers were compromised by their 2020 hack. SolarWinds’ technology was so common that hacking just one company gave attackers the ability to undermine the security of a vast number of further targets. Furthermore, aside from the initial intrusion, the patches offered by SolarWinds were inherently compromised.

Secondly, the recent Okta compromise revealed the potential for broad impact, while also highlighting the harm when defense in depth strategies are not applied in full. Multi-factor authentication (MFA) is a key security practice, providing a barrier to identity-based attacks. However, organizations must consider that MFA products and their vendors could be compromised when building MFA into a defense-in-depth strategy. Architectures that plan for failures like this are resilient to threats that leverage an attack on the authentication system, while those that rely solely on the availability and integrity of Single Sign-On and MFA solutions from one vendor introduce a potential single point of failure. BastionZero’s CEO Sharon Goldberg clearly explains this risk in her discussion of the Okta compromise.

These incidents don’t change the huge value in widely used security tools, including those consolidated under one vendor, just as the Okta compromise doesn’t take away from the general positive value of MFA. However, these examples highlight the importance of validating how the layers of your security stack work together, ideally with real-world threats in a safe setting. They also underscore the importance of evaluating the potential impact if a technology or vendor that your security stack relies on is itself compromised.

Ensure The Consolidated Solutions Work For Your Organization

Your environment is not the same as mine. That is a good thing. Your business has its own needs, and more variety increases the challenge for attackers (the opposite of a monoculture). However, the unique architecture that each organization has means that not all solutions are suitable. That is one reason why there are so many cybersecurity vendors. Different approaches to the same problem work better depending on the size of the organization, its systems, the threats it faces, and the skillsets of its team, just to name a few factors.

When thinking about moving one of your security controls to that of a vendor you’re already using for other controls, there are several things to consider. First, security leaders should weigh the benefits of potential cost and time savings against the relative effectiveness of that potential new solution. You can do so by testing how well the control works for your specific environment and whether the control integrates effectively both with the rest of your stack and with tools by the consolidating vendor. It is also important to test the tool’s performance impact on your workloads and employees, as well as its visibility into the threats that are relevant to your market. This way, you give yourself the greatest chance of maximizing the effectiveness of your security spend and offering the highest protection to your organization.

As organizations start to adopt a Cybersecurity Mesh architecture, it is critical to select a set of security controls that are strong independently and that interact effectively. In this effort, vendor consolidation is strongly worth considering for the cost and efficiency impact. By keeping in mind the impact on defense in depth and the specific value of each solution to your particular environment, you can ensure you get the greatest benefit while simultaneously moving towards a more dynamic and effective security strategy.

About the Author

David Berliner is the Director of Security Strategy for SimSpace, where he explores cybersecurity market trends, thought leadership, company positioning and competitive analysis. Prior to SimSpace, he served as Director of Product and conducted research on cybersecurity trends at Cybereason. David holds a Bachelor of Arts from Brown University and an MBA from the Kellogg School of Management at Northwestern.

About SimSpace

SimSpace delivers the most comprehensive cybersecurity risk management platform, instilling confidence in an organization’s cybersecurity talent and technologies. With SimSpace, security teams, operational processes, and environments are continuously tested, readily available, and optimally tuned to defend against advanced adversaries. SimSpace: Stand with Confidence. For more information, visit