Life for a CISO could be better. Too many today look out over an landscape overrun by poorly-deployed security tools consuming too many scarce resources, and a dynamic between IT and security that is skeptical at best and distrustful at worst.
This longstanding situation comes from a short-term, tactical and project-driven approach to IT security. For years, projects have been designed to deliver a point solution to a particular problem, resulting over time in an overabundance of solutions. Very often, these are only partially deployed or implemented, but each served a purpose once, either as a “tick-in-a-box” on some audit report, or as a pet project for a long-gone CISO.
The IT data resource war
All these security products require data to function, and data that has to be acquired somehow from the underlying IT targets the product is supposed to monitor or protect. Many security products rely on software agents to do so, too, and these are often viewed as alien components by system engineers or third-parties. They require testing, are expensive to operate or manage, compete with other components for systems resources, and are quickly blamed and/or switched off when things go wrong.
Besides the waste of time and money, the cycle does real damage to the relationship between security and IT: once the former starts to be seen as a nuisance (always asking for new things to be done – sometimes in conflict with perceived business requirements), it’s hard to recover ground.
To complicate things even more, everybody needs data (not the same data but data from the same targets). IT people for the ongoing management of the estate, but also compliance to feed their RegTech platforms, and business units to run countless Big Data proofs of concept.
It’s still a fact that agents are a necessary component of to collect quality, comprehensive data. However, deploying (often badly) one new agent for each purpose seems absurd and unsustainable. When it comes to security, agents are becoming a real necessity: agentless products are often too weak to respond to increasingly sophisticated and targeted threats.
Escaping the blame game
The time has come to declutter the security estate, get rid of layer upon layer of poorly deployed security agents, and consolidate on the few that can actually be deployed for real across the whole IT estate.
Looking for a common ground between security and IT should be key, and in fact, many objectives should be easy to agree on:
- The need to map the entire estate and build a specific view for each asset
- The need to address access levels and detect unusual activity
- The need to identify software vulnerabilities and patch them in a timely manner to avoid breaches
- The need to report comprehensively on all of the above
Any organization would be better protected by a product that does 50% of what the security team would like but is deployed on 100% of the IT estate, compared to a product that does 100% of what the Security team would like but is only deployed on 25% of the estate.
Security has to start working with the IT teams, using as much as possible the tools IT are using, and getting out of stupid and useless “them-and-us” type of discussions, simply on the ground of arbitrary and destructive separation of duties.
We are starting to see vendors from the IT operations space – such as 1E, who recently launched their EDR solution Tachyon – starting to react to these needs, developing security functionalities with the needs of IT operations in mind.
On the other hand, rebuilding trust between security and IT will always involve a mutual understanding of each other’s constraints and priorities, and a clear positioning by executive management of security as a fundamental functional requirement.
Security must be seen by technologists – even if it’s not always 100% clear for their business customers – as a key functionality of any IT product or platform. They must understand that security measures such as the monitoring of administrators’ activity and the use of generic accounts are not arbitrary good practices or mere bureaucracy, but something that could save the firm millions in fines in case of a data breach when the EU GDPR comes into force next year.
In return, CISOs and their teams must understand that simplicity, clarity and consistency are key in the communication of their message, that the IT world is no longer “what it used to be”, and that the digital transformation, hybrid delivery models and shadow IT are putting considerable pressure on traditional IT structures.
Together, they have a key practical role to play in educating business units around the real nature of current cyber threats and the absolute need for effective and efficient protection, even where it might be seen as coming in conflict with the imperatives of the digital transformation.