By Nader Baghdadi, General Manager, META, Secureworks
Security teams in the Middle East and around the world often struggle with complexity, and for many this feels like the norm and an everyday challenge. However, this makes it difficult to know when complexity has gone too far. With numerous, overlapping cybersecurity tools extra layers are often added to the stack, making it difficult to manage and monitor. Most security organizations are aware that this complexity may be causing problems, but struggle to assess how and where. The challenge is that there is no objective measure of complexity, but there are several warning signs that will indicate the cybersecurity stack is becoming too complex.
1. You’re Reactive, Not Proactive
Complexity leads to reactivity. If you are constantly wrong-footed by events and incidents, it’s a significant sign you should look to simplify your stack. A key indicator of this is the volume of alerts that your team struggles to process. In this situation, analysts often can’t identify real threats until long after they happen. Things are frequently made worse for analysts by an overabundance of platform management and administrationtasks, as well as the need to learn an often-dizzying array of tools.
2. You Can’t Identify Where All the Budget is Going
If you’re struggling to track where all your budget is spent, that can be a bad sign. In this circumstance, CISOs need to find where the extra budget is assigned. If a CISO is struggling to identify the spend, and the organization is spending much more than previous companies the CISO has worked for, it’s likely there is a complexity issue. As the industry has released new tools to tackle new threats, older tools are forgotten or ignored. It pays to take regular inventory of your environment. Remember that youshould be able to justify return on investment (ROI) for every tool in your stack.
3. Multiple Tools are Doing the Same Thing
Running multiple tools in parallel that do the same thing is another common sign of complexity. Some security teams have four or five programs running vulnerability scans at the same time, for no good reason. One should be enough. In these situations, the programs can generate a lot of noise that negatively impact KPIs for the security teamand leave the CISO thinking they are receiving bad information from the team.
4. Staff Struggles to Master the Tools
Every CISO should have confidence in their analysts, and the tools available to them should enable – not hinder – their success. If your security staff is struggling to master the tools in your stack, this is a strong signal that there may be too many. The team’s time is divided between learning five tools that do similar things, rather than mastering one or two. The goal should be to arm your analysts with a couple of tools they can truly master.
5. You’re Protecting Things That are Already Protected
People worry about the implications of moving to the cloud for security. Is it wise to hand over sensitive data to a third party? The answer is often ‘yes.’ A good indication of this is that cloud providers have been largely unaffected by the major ransomware attacks of the last five years. While no solution is immune from attack, it’s wise to thinkabout your environment and identify areas where you might be duplicating security controls.
6. You’re Spending a Lot of Time Documenting Tools
It’s good practice to document tools so that common operations are repeatable and the security team can learn from their experiences. But there are warning signs to look out for during the documentation process. For example, if the team feels like they are documenting every operation for a tool, that’s a sign something is wrong. It could be that the tool itself is not the right one for you. Or, it could mean something is wrong with the tool configuration. If the team spends a lot of time documenting across all the tools in your stack, it’s probably too complex and the tools may not be user-friendly enough.
7. You’ve Forgotten About Some Legacy Tools
It pays to guard against overlooking legacy systems that are still switched on. If a legacy system is still creating alerts, these can be missed. Worse, if a legacy tool catches an incident, but nobody is reporting on the tool, that incident could go unnoticed.