Why a bigger security stack is not always better


While the turbulent global economy has seen organisations cutting back on many areas of investment, cybersecurity spending continues to grow. IDC estimates that more than $219 billion will be spent on security solutions and services this year, before reaching nearly $300 billion by 2026.

It is encouraging to see that security has earned its place at the top of the business agenda, even as there is heightened pressure to reduce investments across the board.

But how do we reconcile that many of the same firms increasing their security solution stacks are still falling prey to attacks? Cyber(in)security is not a problem money – or “another solution” – alone can solve. Firms must ensure that all their tools are optimized, de-siloed, and working toward the same end goal if they hope to meaningfully move the needle on their cyber risk exposure. Effective vulnerability management means tying the disparate data together to build a unified, focused strategy.

Too many tools make life more difficult for security teams

After ramping up their spending over the last few years, many organizations are feeling confident they have taken the necessary steps to defend against the biggest cyber threats. Perhaps they have reacted to the attacks hitting their industry counterparts and ensured they have solutions in place to match them. They may even have proactively chosen solutions and services based on recommendations from analysts or consultants.

Recent research shows that security teams are now using, on average, 20 tools to combat cybersecurity threats, with 22 percent using more than 31 tools. On paper, they have all the right components for a solid security stack. But that’s the problem – the tools are also only communicating with each other on paper.

Amid exponentially mounting cyber threats, it may seem like a “strength in numbers” approach is the way to go. But when these tools are not integrated to convey the bigger exposure picture, it creates more work for security teams, not less.

A score or more of disconnected solutions means a massive amount of incoming threat data from different sources, often bogged down with duplicates. From scanning vulnerabilities to code configurations, each tool likely has its own dashboard and alert system, and security teams are left with no clear overview of the threats specific to their attack surface. Prioritization becomes educated guesswork. In 2023, too much disparate data is about as useful as no data at all. By information drought or flood, cybersec teams and the orgs they protect suffer.

Sylvain Cortes is VP of Strategy at Hackuity.

The consequences of siloed security

This issue is exacerbated by the fact that larger organizations often run distinct teams and processes for dealing with security for different departments. There may be external and internal security and IT teams, as well as IT-security-adjacent departments such as DevOps, cloud, and web teams. Each of these groups will have its own agenda, with its own distinct tools and processes.

This all means that, across the business, there is little sense of risk as a whole. Vulnerabilities will likely be addressed case-by-case if and when they are identified. Attempts at organising internal and external risk management frequently resort to manual spreadsheets for trackers. And no, Excel-dependent security won’t outwit attackers in 2023. This makes for slow, painstaking work with a high probability for human error. That’s a risky recipe for comprehensive, continuous attack surface management.

Getting sprawling stacks under control with a unified approach

As firms continue to invest in larger and more powerful security stacks, they must also ensure their tools form part of a manageable, cohesive strategy.

All risk data from the various solutions should flow to the same point and be accessible at the same time in the same format. This is best achieved with a vulnerability management platform that can automatically collate vulnerability data and other information from across the entire range of tools.

Even with extensive security stacks including more than 30 solutions, data can be combined into a single stream and aligned with other threat intelligence sources. This means CISOs and risk managers can understand the nature of the risks and vulnerabilities facing their organization at a glance. The ability to easily prioritize activity from a single interface is paramount.
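As an added illustration (not from the article or any vendor's product), the Python below normalizes findings from two tools into one schema, removes duplicates, aligns them with a threat-intelligence list, and ranks them. The tool names, field names, severity mapping, hostnames and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample exports from two hypothetical tools; field names and
# CVE identifiers are placeholders, not real scanner formats or advisories.
SCANNER_A = [
    {"host": "web01.example.internal", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db01.example.internal", "cve": "CVE-0000-0002", "cvss": 5.3},
]
SCANNER_B = [
    {"asset": "WEB01.example.internal", "vuln_id": "cve-0000-0001", "severity": "high"},
    {"asset": "app01.example.internal", "vuln_id": "CVE-0000-0003", "severity": "medium"},
]
# Constructed threat-intelligence feed: identifiers seen exploited in the wild.
EXPLOITED = {"CVE-0000-0003"}

# Assumed mapping from a tool's text severity to a numeric score.
SEVERITY_SCORE = {"low": 3.0, "medium": 5.0, "high": 8.0, "critical": 9.5}

@dataclass
class Finding:
    asset: str
    cve: str
    score: float
    sources: set = field(default_factory=set)
    exploited: bool = False

def normalize():
    """Yield every raw record in one common schema (case-folded keys)."""
    for r in SCANNER_A:
        yield Finding(r["host"].lower(), r["cve"].upper(), float(r["cvss"]), {"scanner_a"})
    for r in SCANNER_B:
        yield Finding(r["asset"].lower(), r["vuln_id"].upper(),
                      SEVERITY_SCORE[r["severity"].lower()], {"scanner_b"})

def unified_stream():
    """Deduplicate on (asset, cve), enrich with intel, and rank."""
    merged = {}
    for f in normalize():
        key = (f.asset, f.cve)
        if key in merged:  # same issue reported by a second tool
            merged[key].score = max(merged[key].score, f.score)
            merged[key].sources |= f.sources
        else:
            merged[key] = f
    for f in merged.values():
        f.exploited = f.cve in EXPLOITED
    # Exploited findings first, then highest score.
    return sorted(merged.values(), key=lambda f: (not f.exploited, -f.score))

if __name__ == "__main__":
    for f in unified_stream():
        print(f.asset, f.cve, f.score, sorted(f.sources), f.exploited)
```

The medium-severity finding outranks the 9.8 because the intelligence feed marks it as exploited, which is the kind of reordering no single tool's dashboard would show.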

Do the groundwork

Just as security cannot be solved by simply buying more solutions, investing in a vulnerability management platform is not a one-shot fix on its own (to the dismay of some overenthusiastic vendors). First, all security stakeholders across the different teams and departments need to be on the same page. That means a unified vision for security, with a single agreed set of KPIs for vulnerability mitigation.

From here, it becomes possible to see where tools, tasks, and processes are being duplicated across the organisation, and identify redundancies to be trimmed. The remaining tools can then be integrated under a single management platform, and firms can start exploring new ways to automate key processes to achieve even greater efficiency and productivity.

With this new status quo in place, CISOs and other security decision makers will have a clear view of their priorities, ensuring that the most critical, high-risk vulnerabilities are continuously and swiftly addressed. Further, they will be able to make fully informed decisions about future solutions and services according to their specific security context. New additions can then be integrated into this unified approach, ensuring a single point of control even as firms continue to invest in their stacks.
