We regularly hear chief information security officers (CISOs) lament that they have too many tools and solutions that overlap. Although layered security controls are a desirable way of reducing the risk posed to systems and data, if this is done haphazardly it can result in increased user friction and wasted resources.
Sometimes this is caused by product features that were prioritized in the selection process but never actually made it into production. Other times, budget holders are sold the utopian promise of a single tool that will work across the diverse range of devices, platforms and systems that are typical of enterprise networks today. All too often, employees discover that the security control does not work as expected in production, or that it has taken so long to deploy that its cost exceeds the value of the assets it was intended to protect. Organizations spend much of their budget trying to make these tools work but end up needing to buy compensating controls or start from scratch. Yet another new solution is sought to remedy the issue, vendors present more tools, and the cycle starts again.
At the heart of why this cycle occurs is insufficient security control assessment. Such assessments are crucial for demonstrating that an organization has practiced due diligence by thoroughly evaluating the effectiveness of its security controls. Failing to conduct rigorous evaluations could expose senior management to liability in the event of a data breach and make it more difficult to identify gaps in an organization’s security posture. Any assessment of a security control needs to be done in the context of the organization’s existing controls. If the scope of an assessment is too narrow, or it is performed without knowledge of the other controls, the recommendations risk missing efficiencies or underlying issues that a comprehensive review would spot. For example, an evaluation of the security controls protecting an e-commerce system shouldn’t focus only on patching and access control; it should also assess any third-party services and whether the controls guard against supply chain attacks, such as the third party being compromised by web-skimming malware.
Often the task of evaluating the effectiveness of security controls is inadequately split between several security roles:
- Auditors are critical for understanding if a security policy meets legal and regulatory requirements, but they usually don’t focus on the efficiency of the deployed solutions.
- Administrators have the challenging job of keeping existing systems working and have immense insight into how they are used but are usually siloed into work tasks to enforce a separation of duties.
- Security operations center (SOC) personnel stop attacks in motion and report lessons learned after remediating incidents. However, the scope of this feedback is limited to the controls affected by an incident.
- Assessors, such as penetration testers and red teams, are skilled at uncovering flaws in systems and applications, but the scope of their assessments and recommendations is usually narrow.
- Even purple teams, while excellent for coordinating offensive and defensive efforts, may lack the information to identify unnecessary overlaps in an organization’s security posture.
Each of these roles plays an essential part in designing, maintaining and testing an organization’s security stance, but none of them is necessarily best placed to optimize it.
So how do we break free from the cycle of tool churn? First, CISOs should recognize the importance of security control assessments and the potential benefits of reduced costs and complexity while maintaining the same level of security. With this in mind, we recommend CISOs establish a distinct role dedicated to security control assessments so that the position isn’t burdened with day-to-day functional security tasks. Where this isn’t possible, consider broadening the scope of the team that currently performs security control assessments beyond measuring security value and cost, for example by considering the impact on user experience and how easy or difficult it is to maintain a control.
Second, give the assessment team access to the organization’s security policies, procedures and incident reports so that their recommendations consider the whole security posture. This should include an inventory of all the deployed security controls, whether technical, administrative or physical. Third, as well as technical security experience, CISOs should use personnel who have experience in risk analysis, user experience and project management.
Above all, the personnel performing the assessments should be encouraged to adopt the mindset of security solution optimizers or cybersecurity inspectors, similar to the role of building inspectors in the physical world.
Figure 1 – Attributes of the Cybersecurity Inspector role.
The cybersecurity inspector looks at the components of a security posture, understands how they are being used, or misused, and then verifies that each component is being used to its potential. Just like a real building inspector, they would look at the actual deployment, understand what was intended, and identify the gaps between the two. And just as a building inspector would know that a power panel is no longer in production and therefore needs to be replaced, a cybersecurity inspector would know that a tool is no longer supported, and is therefore obsolete in their deployment and must be replaced.
The biggest impact a building inspector can have on a construction project is to find a weakness in a building’s foundation that renders it structurally unsafe. The strongest walls and roof on a cracked foundation are vulnerable. Similarly, the cybersecurity inspector would keep an eye out for warning signs, uncovering foundational issues that could make an entire deployment vulnerable, no matter how many tools are added.
Many IT systems and cybersecurity tools are misconfigured. A 2020 study by Accurics found misconfigurations in 93% of cloud storage deployments, potentially exposing data to the risk of being breached. It’s the job of the cybersecurity inspector to examine a cloud deployment for design and implementation flaws, understand which potential security issues need to be addressed, and review the billing to optimize the deployment and reduce costs—just as a building inspector who finds a cracked basement would suggest options to fix it based on time, cost and effectiveness.
A cybersecurity inspector looks at the existing tools, reviews the expected benefit of each security control, and identifies overlap and redundancy. For example, they would recognize that turning on an existing feature in a product already deployed in the network is much easier and cheaper than adding a new product and integrating it into the current security stack. The goal is to streamline a security posture by reducing the number of tools while still protecting assets to an acceptable level of risk. If your new cloud environment has a built-in password reset tool, do you need to maintain your older existing tool, or can you retire it and simplify your operation?
As security professionals, we can all learn from building inspectors by adopting the cybersecurity inspector mindset. Networks continue to grow in complexity, and the process of securing assets is an ever-growing and evolving challenge. Optimizing an organization’s security stance requires a holistic approach—a difficult, but worthy ambition.
This article was contributed by Stuart Phillips, Global Cybersecurity Practice Lead at HP.