SecurityWeek

Management & Strategy

At Odds: The Promise vs. Operational Reality of Security Solutions

There’s a gap between the promise of a security technology and operational reality


By now you’ve probably spent at least a few minutes watching “What I thought I was getting vs. what I actually got” videos. There’s the pet edition, the mature husband edition, even a personal edition – “How I thought I looked vs. how I actually looked.” You get the picture.

A similar phenomenon has been happening in the security industry for years: there is great promise in a new product or technology; however, the operational reality is much different. Think back to the early days and Intrusion Prevention Systems (IPSes). Companies released IPSes that you could plug and play on your network, and the device would block what it thought was bad. Sounds great, right? Well, the operational reality is that it blocked things it should not have, resulting in many false positives. And when the security team was asked, “Why was that blocked?”, they couldn’t get an answer because the IPS device was a ‘black box.’

Clearly, there’s a gap between the promise of a security technology and operational reality. Let’s take two more recent examples: Security Orchestration, Automation and Response (SOAR) platforms and tools and Extended Detection and Response (XDR) solutions.

SOAR has been growing in popularity over the past several years; however, it too presents a disconnect between promise and operational reality. The promise is that automating processes can help you save time and resources and accelerate response. But the operational reality is that you need to have defined processes tailored for your environment. It isn’t plug and play. And, more importantly, you need to make sure you determine the right criteria and triggers for the process. Without first aggregating, scoring and prioritizing intelligence (steps which can and must also be automated) you’re creating a situation of bad data in, bad data out. The result? Amplified noise that plagues security operations, wasting precious resources and hampering security. The operational reality is that you need the right inputs to focus on what really matters to your organization and the right processes to take the right actions, faster.
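To make the "aggregate, score, prioritize before you automate" point concrete, here is an added example (not code from the column or from ThreatQuotient) that gates a hypothetical block playbook on a weighted intelligence score instead of firing once per feed line. The feed entries, source names, trust weights and the threshold are all constructed assumptions.

```python
"""Gate automated SOAR actions on aggregated, scored intelligence.

All sample data, source weights and the threshold below are constructed
assumptions for illustration, not values from any product or feed.
"""
from collections import defaultdict

# Constructed feed entries: (source, indicator, reported_confidence 0-100).
# The same indicator appears in several feeds, as it would in practice.
FEED_ENTRIES = [
    ("vendor_feed_a", "203.0.113.7", 80),
    ("vendor_feed_b", "203.0.113.7", 70),
    ("internal_ir", "203.0.113.7", 95),
    ("osint_list", "198.51.100.20", 40),
    ("osint_list", "192.0.2.99", 30),
    ("vendor_feed_a", "192.0.2.99", 35),
]

# Assumed per-source trust weights (0..1): how much each source is believed.
SOURCE_WEIGHT = {"internal_ir": 1.0, "vendor_feed_a": 0.8,
                 "vendor_feed_b": 0.7, "osint_list": 0.4}

ACTION_THRESHOLD = 60  # assumed: score required before the playbook fires


def aggregate(entries):
    """Merge duplicate indicators across sources into one record each."""
    merged = defaultdict(list)
    for source, indicator, conf in entries:
        merged[indicator].append((source, conf))
    return merged


def score(sightings):
    """Weighted confidence plus a bonus for independent corroboration."""
    weighted = [conf * SOURCE_WEIGHT.get(src, 0.2) for src, conf in sightings]
    base = max(weighted)
    corroboration = 10 * (len({src for src, _ in sightings}) - 1)
    return min(100, round(base + corroboration))


def prioritize(entries, threshold=ACTION_THRESHOLD):
    """Return (indicator, score) pairs that clear the threshold, best first."""
    scored = {ind: score(s) for ind, s in aggregate(entries).items()}
    keep = [(i, s) for i, s in scored.items() if s >= threshold]
    return sorted(keep, key=lambda pair: -pair[1])


def naive_triggers(entries):
    """The 'plug and play' approach: every feed line fires a playbook run."""
    return len(entries)
```

With the constructed data, the naive approach fires six playbook runs while the scored gate fires one, for the indicator three independent sources agree on.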

The latest market discussion gaining traction is XDR. ESG defines XDR as, “An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.” Organizations are attracted to the approach because one of the promises of XDR is vendor consolidation. Wouldn’t it be great if you could get a single solution with multiple enforcement points from a single vendor that leverages the benefits of the cloud and is pre-integrated? Then you could work with a single vendor (or a very small number) instead of the dozens of products currently deployed.

But therein lies the problem. The operational reality is that no organization is starting with a clean slate. On average, organizations are using more than 45 different security tools and the appetite to rip and replace is low. What’s more, different departments with different budgets and teams are using different solutions. Invariably, some will decide to stick with their best-of-breed solution that can’t be matched in capabilities by a single vendor offering a consolidated solution. And time will tell if XDR solution providers will be able to maintain the level of innovation of best-in-class solution providers who focus their resources to address specific use cases, new types of threats and emerging threat vectors. There’s also the issue of dealing with on-premises tools that you still need to use, at least in the short term before you transition fully to the cloud. Organizations will be able to reduce the number of tools to maybe a dozen or so, but they still won’t interoperate.

So, how can we bridge the gap between promise and operational reality? As you determine which security technologies to invest in, develop not only a technology roadmap, but also include and align an operational roadmap. If not, you’ll limit the value of any technology investment in the short term, and potentially hamper longer-term adoption and momentum. Look beyond the promise of what is being sold to you and make your decision grounded in your operations and the realities that will occur. For example, vendor consolidation is a great goal, but what’s the path that will work for your organization? Is rip and replace the way to move forward, or is a transition over time better for you, and what’s needed at what time to support your approach?

“What I thought I was getting vs. what I actually got” videos are entertaining. But when it comes to security, the humor gets lost. We must and can bridge that gap.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
