Today’s CISOs have an unenviable task. The cyber threat environment changes constantly, new threats continually emerge, legacy tools get tired, the environment grows ever more complex, and new tools or approaches may promise much but deliver a host of challenges and frustrations. In fact, the reason Gartner’s hype cycle strikes such a chord with CISOs is that they live through it every day.
Amid the turmoil, CISOs must attempt to define a strategic approach to technology investment that will protect the business over the long term. They are operating within parameters relating to their organization’s size, resources, maturity, existing infrastructure, and the specific threat pressures or regulations influencing their sector. For example, organizations looking to consolidate the number of tools in their security stack, reduce the management burden, and retire legacy solutions may opt for a single-vendor platform approach that unites a comprehensive range of solutions and reporting capabilities under one provider. At the other end of the scale, organizations with good internal resources and very specific protection requirements may seek to obtain best-of-breed solutions in a bid to achieve the highest levels of performance and security.
Each approach has advantages and drawbacks. A best-of-breed strategy may offer advanced capabilities but can place a heavy management burden on internal resources, resulting in an excessively complex environment and a lack of overall visibility. On the other hand, while a platform approach may be simpler, the journey to get there can be difficult if the business has many tools to consolidate. Furthermore, no single platform can do everything, meaning there will always be part of the technology stack that must be integrated. Platform vendors may support integrations with some tools, but are less motivated to do so with competing tools.
Real-world approaches recognize the value of integration
An annual cybersecurity automation research project sponsored by ThreatQuotient and executed by Opinion Matters recently explored how organizations in the US, UK, and Australia are approaching cybersecurity tech deployments. The results showed a generally pragmatic approach, with few opting for the extremes of purely single-vendor or purely best-of-breed.
The results show that 67% overall recognize that having solutions that integrate well together is an important aspect of a strong security practice, compared to only one in five organizations that use a pure single-vendor platform and 11% that take a best-of-breed approach in which solutions work independently of each other. So, just over one-third use a single-vendor platform approach with third-party integrations only when necessary, and just under one-third use a best-of-breed approach with solutions working (integrating) together.
This indicates that, in general, organizations are seeking to build an ecosystem with breadth and depth, with the right solutions for particular use cases, but with a lighter management burden. Clearly, flexibility and extensibility are critical, allowing tools to integrate easily into that ecosystem.
Therefore, vendors take note! However comprehensive your platform is, you need to make sure it can interface with complementary solution providers as new requirements emerge. Similarly, if you have a best-of-breed solution, you must ensure it integrates seamlessly with other tools.
Continuous learning and knowledge-sharing to inform security investment direction
CISOs who are making decisions on cybersecurity technology investment and pondering a platform versus best-of-breed approach will find no shortage of vendor communications on the subject. But vendors are not the only source of information – and even the most responsible vendor in the world naturally has a degree of bias towards its own solutions.
That’s why it’s crucial to listen to leaders from peer organizations, share experiences, and learn how they are addressing the cybersecurity investment challenge. Understanding similar organizations’ experiences of the threat environment and how they are seeing attacks change is a useful foundation for predicting what kinds of technology investments will be needed in the mid-term because, whether we like it or not, attackers are still in the driver’s seat. They are following their own hype cycle of new approaches that emerge, mature, are refined, and grow more effective – and often it is not until the attackers’ cycle reaches the ‘slope of enlightenment’ that vendors really catch up. This reality makes continuous learning and intelligence sharing an important part of the CISO role.
That learning might be achieved through taking part in Information Sharing and Analysis Centers (ISACs). Our research found that 52% of CISOs share threat intelligence through an industry ISAC, which is a good start, but the more organizations that participate in ISACs, the more effective they will become. Indeed, with recent regulations such as NIS2 and DORA having a close focus on threat intelligence sharing, CISOs are likely to find they are expected to build closer relationships with ISACs at both industry and regional levels.
Attending industry webinars or joining online initiatives are also great ways of keeping knowledge up to date that don’t require spending days out of the office. Ultimately, any forum that provides an open exchange of ideas and experiences on security strategy and best practices can help CISOs get the knowledge they need to make future-focused decisions on cybersecurity investment strategy.