More Cyber Security Tools Can Increase Cost, Increase Complexity, and Reduce an Organization’s Ability to be Effective
I recently had an occasion to go through my father’s workbench at his home, where he’s been collecting tools and doing fixing, building, and God knows what else for the past 25+ years. There were drawers, cabinets, hanging things, and boxes everywhere. As we went through his various tools we talked about what each thing does, when he got it, and why it was critical to something he once worked on.
My dad’s workbench had no less than 10 different kinds (not types) of screwdrivers that essentially were meant for the same function. He had ultra-long, long, mid-length, short, and stubby flathead screwdrivers – each geared for a specific task, but ultimately with significant overlap. He had about two dozen tools that were probably used once, for some specific job, and that he never picked up again.
This got me thinking about my own profession, and some of the absolutely bonkers things I’ve heard lately in terms of the number of tools an organization has at their disposal for cyber security things. I think the biggest number I heard was somewhere around 175 cyber security tools in an enterprise. That makes me think of my dad’s workbench – where about half the tools overlap, and the other half served a purpose once, or twice, and likely never were used again and yet they sit there and take up space just in case.
I bet you have a significant number of cyber security tools in your organization. I also bet you have things that overlap in their purpose, but are ever so slightly different in their feature set that you keep them all around.
In March 2016, Stephan Chenette was quoted as saying:
“With an average of 75 security tools in play, redundancy exists.” “Many organizations are hiring security experts to manage redundant products and manage alerts that don’t mean anything.”
Stephan’s “Hope is not a strategy” outlook mirrors mine, so I’ve been digging into this troublesome trend of tools explosion.
Another shining example of this trend continuing, from 2019:
“As we look at things, small organizations are using on average between 15 and 20 tools, medium-sized businesses are using 50 to 60, and large organizations or enterprises are using over 130 tools on average. This is just massive!” — Matt Chiodi, Palo Alto Networks
As I thought about the types of business drivers that fuel decision makers, three themes were common across all organizations – SMB, to mid-market, to enterprise. These three are: manage the cost of doing business, decrease overall complexity, and increase effectiveness. That sounds pretty simple, right?
Here’s the problem I believe cyber security, and more broadly IT, needs to keep close to front-of-mind. As we continue to bring more tools into cyber security toolboxes, we rarely, if ever, retire anything. It seems like everything we bring in is just an add-on. I’ve been talking about this for years, and I know many of you already think this way because I’ve been asked on consultations, “If you think I need tool X, what things is this going to replace in my environment?” That’s absolutely the right question to ask, but we’re not asking it enough or learning to say no when the answer is “nothing”.
More tools increase your cost, increase overall complexity, and eventually decrease your organization’s ability to be effective. I’m pretty sure you’re thinking I’m slightly off my rocker in that last one, but I’ll explain myself later.
So, there you have it – my philosophy on improving the state of cyber security, with our three big audacious goals in mind as we careen ahead into 2020 and beyond. I’ll write up a post on each of my business drivers (mentioned above), and then provide some ideas where I think there is innovation or at least more options.