The budget of the CISO (chief information security officer) has consistently grown over the years, generally in line with perception of risk and the cost of controls. However, we are now at an inflection point where the proliferation (and associated costs) of a wide range of protective services/systems meets with the current macroeconomic climate. Today’s IT security leader have the difficult job of balancing the security level to the threat situation while also reducing costs and effort, says Marc Lueck, CISO EMEA Zscaler.
This evolving risk situation cannot be solved by spending more on new security tools, but better efficiency in extracting the value they represent. Instead of choosing “best in class” security solutions, it is time to adopt “best in suite” strategies that counter risk with an integrated approach. This means selecting a solution based on the outcomes it supports, rather than desired features alone.
Moving away from functionality in favour of outcomes
The traditional approach to choosing “best in class” solutions for each security problem leads to two major challenges: escalating costs and operational inefficiency in the security infrastructure. This is because each solution requires a separate purchase and administration, resulting in complex and cumbersome security architecture. In addition, when technology purchases are based on a set of known control requirements, the “edge cases” and additional immediate or future value are not assessed.
This situation stems from the way decision-makers select a solution. Rather than explore new possibilities, they focus on the technology that needs to be replaced when updating security infrastructure. In doing so, they limit themselves to the existing functionality and features, without thinking outside the box. They see the incoming technology through the lens of the old one.
Such a narrow focus on familiar solutions prevents decision makers from noticing and assessing new solutions outside of their comfort zone. It also prevents them from fulfilling the management’s expectation of achieving more security with less effort and costs. To counter this, IT security managers must start basing their approach on the desired outcomes in security and the business objectives, not just on the success that a product has in meeting documented goals.
Zero Trust: Integrating security
CISOs should focus on the desired outcome of a solution, rather than on preventing specific threats such as ransomware. They should understand how these threats succeed and stop them at source. Ransomware, for example, is a profitable business model because it can spread laterally within an infected IT system and target critical systems to steal or encrypt data. Since companies cannot eliminate all attacks, they should aim to prevent attackers moving across the network infrastructure to capture data. A modern tool in this area must therefore be able to assist in the blocking of threat actors’ lateral movements in the network environment.
To prevent implicit trusted access to network infrastructures, leaders really need to adopt a broader perspective. With hybrid working models now regular practice, it is important to secure the direct access of each user to their required applications, instead of securing access of those same users to “the network”, and then relying on the applications themselves to enforce access policy and security. A security service edge (SSE) approach helps ensure such security through the Zero Trust model.
A zero trust platform determines and monitors the access of each user to their required application or web service, based on their role and predefined by the organisation. This security is applied inline to the connection, whether the application is stored in the cloud or in the corporate network, and the principle of least privileged access is enforced centrally, ensuring that granular access at the level of the individual application replaces network access.
Because of the focus on per-session, inline connection brokering, this SSE model can also be used for cloud access security broker (CASB) or data loss prevention (DLP) security requirements as well. The focus is on policy-based access rights, whether for access to permitted applications, web services or even at a level of individual documents. Moreover, a zero trust-based approach can be used for user, device or workload access permissions in digitised environments. Instead of many different technologies that are not connected, a suite or platform with highly integrated functions steps in.
In essence, a Zero Trust platform will increase visibility into the security posture, define granular security policies, prevent lateral movement of attackers, and reduce the attack surface all with one tool and the architecture it uses to deliver security outcomes.
Steps to outcome-oriented security
To improve and modernise security, CISO‘s need to shift from security as a set of technical capabilities to a strategic, outcome-orientated mindset. Here are some steps to help achieve greater security more effectively and efficiently:
- Assess your existing security
The first step is to embrace the need for security modernisation. Even in a challenging economic environment, CISOs cannot afford to be afraid of change. It is important to communicate the business case for how a transformation can benefit your bottom line as well as security. To ensure the transition to a new security is cost-neutral, leaders should identify and eliminate any waste and redundancy in your existing infrastructure.
Ask the question: what technologies do we have to meet our security and business goals? This requires an inventory of all security solutions and their capabilities. Leaders should consider the security frameworks in place too, as they can help to achieve desired outcomes. With outcomes defined, CISOs can then use them as criteria to inform board-level decisions on how to manage risk.
- Identify efficiency losses
A thorough analysis of the security technologies in use can reveal areas of overlap and redundancy. These can create inefficiencies by increasing the administrative workload and costs. To consolidate the infrastructure and optimise the security performance, these redundancies need to be identified and eliminated. This is often the most effective way to achieve cost savings for companies.
In the past, duplication has arisen from the fact that security technologies have been introduced incrementally as requirements arise. Over time, this leads to a cost trap as a wide variety of systems require administration and maintenance. A best-in-suite approach is able to eliminate these inefficiencies by combining greater functionality while reducing administrative overhead. This enables leaders to phase out legacy systems whose configuration and continuous upgrades are time-consuming to support manually.
- Define desired results
To initiate a security change, it is important to have a holistic perspective that goes beyond individual technologies. At the same time, it is also important to consider how consolidation can support the digitisation needs of a company. What, exactly, are the security requirements for digitised production environments, web services, or new communication standards like 5G? These requirements should be included in the definition of the desired outcomes.
An outcomes-oriented approach to security can help companies involve the entire business operations. Instead of focusing on the technologies that need to be replaced, they can leverage security as a business advantage. Security must be positioned to the Board as a business advantage: not only as a way of preventing losses from an attack, but as a path to safely digitising more areas of business. A security platform approach that follows best-in suite forms the foundation of this.
- Be ready to score on unasked-for capabilities
The classic “RFP” purchasing mechanism is powerful and has helped for many years to ensure the right cost point and prevent bad purchasing decisions, but it’s strict focus on the “known needs” prevents suite-based purchases from being able to shine. Try to ensure that any RFP (request for proposal) process has some flexibility built in to formally score and/or assign value to capabilities that are outside the strict set of functional requirements.
The future lens
With a clear vision of what they want to achieve with a security approach, companies can save costs and transform their business models at the same time. Pursuing cost-neutrality of security with a clear consolidation of existing hardware will not only quickly make a company better off, but it will empower it to embrace a digital future.
The author is Marc Lueck, CISO EMEA Zscaler.
Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow