Consolidation vs. Optimization: Which Is More Cost-Effective for Improved Security?


Especially in the current macroeconomic and political climate, security leaders are facing some big decisions about how they use their monetary and people resources to better secure their environments. And, despite that climate driving more threat actor activity, they are being asked to scale back. It’s a paradox that impacts both the security of organizations and the stress levels of the people running them.

For example, as highlighted recently by Joe Tibbetts, Senior Director, Tech Alliances & API at Mimecast, the company’s 2024 State of Email and Collaboration Security Report (PDF) highlights that “on average, organizations dedicate a mere 9% of their IT budget to cybersecurity, a figure significantly lower than the perceived ideal of 12%. This gap has major consequences, with 37% of IT professionals acknowledging their inability to detect and respond to threats with the speed and efficiency demanded by today’s threat landscape.”

So, if you’re a security leader, what do you do? There is a lot of talk about security consolidation, but that is a loaded topic, and it is often how companies end up with multiple copies of the same product. Then there is talk of security optimization: the process of evaluating a company’s existing security infrastructure and seeing how it can achieve more with what it already has, or how it can better arm its people and reduce their stress with what it already has. Both are complex considerations, so I spoke to two technical leaders to gather their guidance and opinions on each, in an effort to help those faced with these burdens.

Anton Chuvakin, Security Advisor in the Office of the CISO at Google Cloud, has shared many public opinions on consolidation in particular, which is why I approached him for this column.

“In theory, consolidation is buying fewer, but more broad, more multi-functional products or platforms from fewer vendors (and hence their increased dominance in the market at the cost of focused, narrower vendors),” he said. “Also in theory, this is supposed to give the organization’s security lower costs, improved efficiency, reduced risk, and better visibility (due to fewer gaps between products). What happens in reality is, well, anybody’s guess.”

Chuvakin shared that this particular paradox is one he has observed time and time again, that the “allure” of consolidation is the promise of simplified operations, but the reality often paints a different picture.

“First, one thing that often happens is that a consolidated tool fails to cover some of the requirements that turn out to be critical,” he said. “The result is that another narrow, focused tool is procured, and consolidation is back.”

There are also many auxiliary ways in which “reality barges in” on the concept of consolidation. Chuvakin also says that vendor lock-in, growing product complexity leading to “shadow IT,” complex pricing, and so on mean that maintaining a complex consolidated platform requires significant resources and specialized skills, ultimately creating more costs in other areas.


“In theory, ‘buy fewer security tools with broad functions’ is excellent advice,” he said. “In practice, over the last ~40 years of the security industry history, it has not worked all that well.”

Wim Remes, Operations Manager at Spotit, shares similar thoughts on the hidden costs of consolidation.

“For the sake of brevity I will not delve into the argument that cost isn’t just the dollar amount on the invoice, but it is not. Balance sheets include both liabilities and assets for a reason,” Remes said. “I do not think that consolidation would raise the immediate cost of purchasing products, but I am relatively confident that the cost of operating a security infrastructure and the residual risk will increase over time.”

Remes believes that, aside from budget considerations, one of the larger drivers for the push for security consolidation within an organization is compliance.

“We have dozens of security frameworks and industry regulations that are primarily prescriptive. In essence security is very simple: you filter out the prescriptive words from the frameworks, you Google them and filter out vendors that cover them, you sit through a demo, send a [purchase order], and check the box for compliance,” he said. “We all know this isn’t security but it is the world we live in. With security vendors now touting the platform as the silver bullet, we’re made to believe that the whole lot of checkboxes can now be covered off in one go.”

I asked Chuvakin whether he also thinks compliance requirements become an inhibitor to some of the changes that security teams need to make to get more out of what they have. He admitted that was a really tricky question.

“In theory, and sometimes in practice, compliance drives meaningful security improvements. I don’t think any security leader will deny that,” Chuvakin said. “However there are also examples where compliance refocused the money and attention away from a valid threat, which led to auditors being happy, yet the company being ransomwared (and, yes, I have a perennially unfinished blog on this topic, this may motivate me to finish it).

“…perhaps a sailing metaphor works here: just because the wind blows south, does not mean that your boat will go south. If compliance points “south”, yet you have threats SW and NW, it is up to you to steer your boat, i.e. security program, to the threats that matter while being compliant.”

So, then, what about optimization? This isn’t yet as widely used a term as consolidation, but it’s starting to become one given many of the factors I wrote about above.

“Security optimization, for me, consists of two main things: the first is ensuring that the product, capabilities, and features you invest in are well-tuned to your use cases,” Remes said. “The second is to build a capability that allows you to (automatically) consume data from, and interact with, your security infrastructure. The understanding right now is that consolidation automatically means optimization but this decision is not risk-driven. The only KPI measured is the ‘cost of security.’”

Both Chuvakin and Remes agree that the first thing any organization should do is look at its existing tools before buying anything else.

“Can they work? Can you learn a way to apply existing tools to the problem at hand? Can they provide an 80% solution? Is 80% enough?” Chuvakin said. “As a pun, buying is not cost-free. You are adding complexity, friction, integration requirements, stress and burn-out due to more swivel-chairing, etc. You are also potentially adding risk of something being missed in the seams between the tools. And, yes, some people need a reminder: security is not something you BUY, but something you DO. And this statement will likely remain true for the foreseeable future!”

Remes likens the optimization approach to Simon Wardley’s principles and mapping techniques.

“I look at basically anything as a system that is influenced by the surrounding climate and landscape. If we look at security from a distance, it is largely a data problem. With the data available about our adversaries, our infrastructure, our regulatory landscape, and our risks we need to understand where we can most optimally shore up our defenses to be at least good enough to withstand the most common attacks,” he said. “I believe we need to be more strategic about our security programs and realize that big logos don’t necessarily add to our defenses outright. Only when we understand the data they provide and can use it (in combination with other data) to make components work together do we stand a chance to achieve sufficient defense.”

So, in quick summation, consolidation means potentially buying additional tools to cover the gaps of other tools, and optimization means looking at existing products, the data used by them, as well as outside forces such as adversary behavior, to determine the best path forward.

What about threat-informed defense? It is a concept best known through MITRE, but in the last couple of years it has been aggressively operationalized by a few vendors. In fact, Chuvakin has written a bit about this as a viable approach for organizations looking to assess where they can get value out of what they already have.

“Ultimately, to me, threat-informed defense is the ‘right’ approach to security, with some very notable exceptions of controls that are effective no matter what the threat is,” he said. “Ultimately, we collectively aren’t threat-informed enough. We need more threat modeling, we need more threat intel flowing into control planning, etc.”

Back to the human impact of all of this: Chuvakin states that if you wake up an average security person at 3 a.m. and ask them “hey, what is security about?”, the majority would say threats. But, he asserts, if you ask the same person at 9 a.m., you’ll likely find this is not actually how they are spending their day, and that’s a challenge.

I also asked Remes about threat-informed defense, and he aligned that to Wardley mapping as well.

“I’ll add an image that illustrates how strategy should be built. In many instances, also outside security, organizations or teams move from Purpose to Execution in one go,” he said. “If I consider threat-informed defense in a wider security strategy, it is not a silver bullet but it can help organizations to understand the climate much better. This ultimately leads to better-built defenses. Threat information is essential.”

So, what is the answer? Like many answers in security: it depends on your organization. But both Chuvakin and Remes pointed out critical considerations that can help security leaders: how to stay compliant while keeping focus on threats, what to look for when considering tool consolidation so that gaps are covered, how Wardley mapping and threat-informed defense might be embraced, and how to ensure that all factors of the technology and people environment are weighed when making those decisions.
