Do you have a security tools gap?

CISOs have voiced concerns about a possible gap between the tools they need to protect their enterprise vs. the tools they actually have in place.

A 2020 survey of 300-plus security professionals from security software maker LogRhythm found that 93% said they lack the needed tools to detect known threats and 92% said they lacked the appropriate preventative solutions to close gaps in security.

A 2019 report from AttackIQ and the Ponemon Institute uncovered similar concerns about enterprise security tools: 53% of the 577 IT and IT security professionals surveyed said they don’t know how well their security tools are working and more than half said they’re not getting full value from their security investments.

Those statistics don’t tell the full story, however, according to several security experts. They agree that some CISOs may indeed lack enough tools to adequately secure their organizations, but they stress that the real issue isn’t about having too few technologies to do the job. Rather, they say that such surveys are actually indicative of a larger, more complex problem where CISOs face a security gap due to having the wrong set of tools for their own organization’s risk profile and its risk appetite.

Finding your gap

“We certainly have enough tools to do the job; we have plenty of tools. So the question isn’t do we have enough tools, but are they configured properly? And are they monitored by intelligent eyes that can perceive something from the myriad data points? That’s far more important than the number of tools,” says Curt Dalton, managing director and global leader of the security and privacy practice at management consulting firm Protiviti.

Curt Dalton, managing director and global leader of the security and privacy practice at Protiviti

Dalton says some security teams have a variety of tools that perform the same task, while others have technologies they never implemented. And some teams have security products they implemented but never trained their staff to use. Those scenarios, he adds, are much more likely than—yet just as detrimental as—one in which the security team doesn’t have enough technology on hand.

But Dalton and others say CISOs in those organizations may assess their security tools and conclude that their portfolio of technologies is lacking, which leads to reports about a security tools gap. And, experts say, those CISOs would be right in many cases to express concerns because at the end of the day they’re working with tools that don’t match their needs and thus creating that security gap.

“To that degree, yes, there’s a tools gap,” adds Kory Patrick, risk and security practice leader for IT service management company TEKsystems. “But it’s not always a gap in having the tools, it’s often a gap in strategy. There are some organizations that are seriously devoid of having the right tools, but it’s more often that they don’t have the right strategy; it’s about understanding what you need and what you have, aligning it to your strategy and maximizing its value.”

Out of balance

CISOs end up with the wrong collection of tools for one or more typical reasons, according to researchers and management advisors.

Some security departments don’t properly configure solutions, or they don’t invest in properly training staff to use deployed solutions to their fullest potential.

Consider the anecdote shared by cybersecurity consultant and vCISO Gina Yacone. She worked with a company that implemented a security incident and event management (SIEM) solution but only fed it logs from a limited number of sources, thereby cutting down on the effectiveness of that tool and leading the team to believe that they had inadequate tools for their needs.

Yacone also worked with an organization that invested in a technology with multiple capabilities, including an antivirus function, but opted to run a separate antivirus because one staffer preferred using the older standalone antivirus. “Running both [antivirus capabilities] added noise and it cost more money and took up more resources,” says Yacone, a member of Women in Cybersecurity (WiCyS).

Kory Patrick, risk and security practice leader, TEKsystems

Meanwhile, some CISOs don’t know what they have (which itself is caused by various factors). Patrick says he worked with one client CISO who discovered his organization had 500,000 user licenses for a security tool that had sat unused for two years.

Security ends up with the wrong tools because CISOs and their teams are still sometimes seduced by the promise of something new and shiny.

“Many of these technologies are a result of, ‘Let’s go and get something to help us comply with X, Y, and Z,” says Sam Olyaei, a director at Gartner Research, where he is a part of the risk and security management group.

Sam Olyaei, director at Gartner Research

And often CISOs end up with the wrong tools and/or inadequate tools, Olyaei says, because they’re not being strategic enough; they’re not devising a strategy first and then selecting the tools—as well as the people and processes—to support it.

“A lot of CISOs go back to tools and technologies to solve a problem, when in reality they need to hire an additional individual to solve the problem or they need to mature a particular process to solve the problem,” Olyaei explains.

He adds: “I also want to be clear: You can’t get anywhere without technology; technology is required. But you need the right balance. It all comes back to making sure you have the people, process and technology all working together properly.”

Review and revise

Sushila Nair, CISO of NTT DATA Services, says she, too, has seen security teams accumulate tools that don’t quite fit the organization’s needs—either the tools never quite aligned with enterprise risk or because they once did but no longer do. Yet security teams often hold onto all those tools, which drains resources away from investments in devising and implementing a strategy that rests on having the right number of the right tools with staff properly trained on them.

Sushila Nair, CISO, NTT DATA Services

Moreover, Nair says that she, like all CISOs, must commit to reviewing and revising their tools regularly, as new options come to market and as organizational risks change.

Nair says her company, like so many others, shifted to more virtual work and digital engagements due to the COVID-19 pandemic and thus saw a corresponding change in its risk landscape. Nair says that change prompted her to reassess her security tools to determine which still aligned with the company’s new risk profile, which ones should be retired and which new ones were needed to fulfill new needs.

“With the pandemic, we all have a different risk landscape, and our tools are supposed to be aligned with our risk, so organizations do have to look at their toolsets and ask if they need to go shopping for more,” Nair says. “Theoretically any major change is a reason to do that assessment; a change that should trigger doing a risk assessment.”

Closing the gap

Regardless of how and why it came to be, a tools gap has significant implications for enterprise security. It creates inefficiencies and ineffectiveness. It drives up cost and complexity. It draws resources away from advancing strategic objectives and maturing processes, both of which help to better secure the enterprise. And it limits opportunities, such as adding automation to improve one’s security posture; as Patrick points out, a security team that doesn’t have a good handle on its tools will find it difficult to know which ones are good candidates for automation.

Many CISOs are now working to get a better inventory by assessing the tools they have, prompted in part by COVID-related changes in their enterprise, Olyaei says. Gartner surveys show that about 25% of CISOs are working on tool consolidation and vendor harmonization now, while some 60% are planning to undertake that work in 2021.

“They’re going through the tools and figuring out where the overlap is and where they’re used or not used properly,” he says.

Security leaders offer some advice to close any gap that exists between the tools currently deployed and the ones actually needed to effectively and efficiently secure the enterprise:

Start with an assessment of existing tools and their capabilities, including security tools embedded within cloud technologies. “[Cloud vendors] are building out some very robust tools within their environments; they’re a value-add that’s included, and organizations should look at leveraging those tools whenever they can,” Patrick says.

Then make sure the security strategy determines which tools and technologies are needed. “If you have a mature risk-based security program, you don’t let technology drive it,” Olyaei says. “You define the risk and the needed controls and then you define the technologies, processes, and talent you need.”