In one of the webinars that I transcribed for a client, there was some talk about perhaps Corporate America, in its efforts to greatly improve the levels of security, are probably deploying too much technology.
For example, ABC Corporation may have two files at it’s network perimeter. But in effort to combat any looming threats, they decide to multiply that to have four firewalls.
The common thinking here is that, the more you throw out there, the more secure you will be. But, this is far from the truth. By deploying more firewalls, the ABC Corporation is actually exposing itself to a much greater level of risk and potential hacks by a Cyber attacker.
The reason is quite simple: You are actually increasing (or actually widening) the attack surface. Rather than going just after two firewalls, the Cyber attacker can now go after four of them, and thus has a much greater statistical probability of breaking (probably better than 50% – because more than likely, the same settings, configurations, and default passwords will have been used for all four routers).
Rather than taking the time to assess the Cyber threat landscape that is unique to them, the ABC Corporation has taken the so called knee jerk reaction to what is think that is happening to them. In fact, this is a trend that is occurring today across most business and corporations.
So, this brings up the next question: Are we spending the corporate money in the right way? Are we spending too much on too little? Are we getting a quick enough Return On Investment (ROI) on the tools that we have deployed across both the IT and the Network Infrastructure?
These questions are now being asked and attempted at being answered because the C-Suite is now being held accountable for their Cyber security actions by their respective Board of Directors.
In fact, even the CEO of one of the largest Virtualization Providers, VMware, Pat Gelsinger, even stated publicly that Corporate America needs to do more with much less. In his own words: “start getting rid of products.” (SOURCE: https://www.businessinsider.in/VMwares-CEO-has-a-vision-that-should-terrify-the-security-industry-Start-getting-rid-of-products/articleshow/66141671.cms).
His new mantra: Start using fewer security products, and rely more on products that already have security baked into them. Not too sure what is meant here – don’t security products already have some sort layers built into them? Or does he just mean spend the money on those technologies that your organization truly needs? I’m kind of scratching my head on this one.
He even said that back in 2016, VMware used well over 30 different security products to beef up their lines of defense. Now, they have cut that down by half, by using about 15. He claims that the company is now made more secure, because of the decreased reliance upon third party vendors.
Their new solution: Implement their own Encryption Protocols into the existing products that they have. In other words, they are simply building a better mousetrap, but rather than selling it, it is being custom designed for their own security requirements.
Of course, for the long term, this does spell bad news for the other security vendors offer these kinds of solutions, because they will face decreased sales. In fact, the typical Fortune 500 business has 75 unique security products, all of them supplied from different vendors (which of course, this greatly increases the chances of third party risk).
In fact, even one bank uses 250 different vendors. Wow. Now, that is a bit excessive in my opinion.
My thoughts on this?
It is important to keep in mind that A highly complex and complicated security infrastructure can slow down the detection of Cyber based attacks and makes it that much easier for the Cyber attacker to find and exploit any software vulnerabilities and weaknesses.
The C-Suite needs to fast get away from the thinking that a simpler security model is easier for the Cyber attacker to penetrate through. In fact, it is quite the opposite. Having less tools (but making sure that they are doing their jobs at the optimal levels) actually decreases the attack surface.
You don’t need all the fancy gizmos and the bells/whistles that come with them.
In fact, having a simpler security model will also mean that you can implement a software patch and update policy that can be pushed through rather quickly, perhaps even within hours, and the days that it currently takes.
According to Pat Gelsinger, rely upon homegrown tools for enhancing your current level of security. In other words, he highly favors making use of the various Encryption Protocols that are out there (as mentioned previously). In fact, this is my mantra as well. Keep it simple and easy for you to understand, but complex enough for the Cyber attacker not to understand.
And, this is where Encryption can come in very handy. My other piece of advise is also, before the C-Suite decides on acquiring on new security technologies, they should first authorize an exhaustive Penetration Test in their organization.
By doing this, they will know exactly where all security weaknesses and vulnerabilities lie at, and from there, they can make the best decisions as to which security technologies will work best for their environment.
Really in a way, this is like diagnosing somebody who has potential heart disease. You just simply wouldn’t cut their chest open and do bypass surgery, right? A doctor would first conduct an angiogram to see what is exactly wrong with that patient’s heart, and from there, go ahead with the right course of action using the right tools.
So the C-Suite, perhaps adopt this analogy into your mindset. It might just actually work in the end.