A common theme that keeps appearing in my last few podcasts, and even in the news headlines I read, is that there needs to be a fundamental shift in the way that CISOs implement their security strategies.  Of course, I realize that this is a huge, broad statement, and there is a lot that needs to change, especially the way people think about and react to Cybersecurity.  Meaning, there has to be a sense of strong proactiveness, especially for the SMBs.

But a subset of this realignment of strategic thinking stems from the fact that Corporate America is simply bloated with actual Security hardware.  In other words, companies, no matter how large or how small, seem to think that simply deploying more security tools will be the answer to fending off the Cyberattacker.

But this is a huge error in the thinking process.  First, not only is a business or corporation simply wasting money on expensive equipment that may or may not even be suitable for meeting its requirements, but having more equipment simply increases the attack surface for the hacker.

So simply put, the question comes down to this:  Is it better to have 10 Firewalls or just 2 Firewalls?  This is not an easy question to answer, as it depends a lot upon the security requirements of the organization, and the sort of threat environment that it has faced, is experiencing, or is even predicted to face in the future.

At the present time, Corporate America builds its lines of defense on tools, instead of designing and implementing processes to protect the environment and manage risk, and then selecting the tool(s) that help facilitate those processes.  In order to validate this hypothesis to a certain degree, Security Magazine (an online portal) launched a small-scale survey in which 200 businesses were polled.

Here is what they found:

*57.1% are having problems running so-called “covert” security tools;

*26.5% are running at least 76+ security tools across their organization;

*7.5% of respondents claimed that they didn’t measure the ROI of security tools at all;

*29.5% gauged the effectiveness of their existing tools via the reduction in overall cyber risk.

So, as one can see, there needs to be some sort of drastic consolidation to reduce all of this excess equipment overhead, for the reasons stated previously.

In other words, the tools have led the process of strategy formulation and execution, when it should really be the other way around.  This just creates too much “noise” for any IT security team to filter out when trying to determine which warnings/alerts are real and which are false positives.

But this issue has been compounded by yet another problem:  Instead of decommissioning old security tools when new ones are brought on board, the old ones remain in place alongside the newly implemented ones.

This has also led to having multiple pieces of equipment that essentially do the same thing.  This overlap also creates yet another security issue:  The legacy systems may not even be interoperable at all with the new pieces of equipment, thus creating even more gaps and weaknesses for an organization.

What is the reason for this overlap?  It is simply scared and panicked thinking, without any long-term vision.  Here is what the survey also found in this instance:

*26.5% of the respondents were simply trying to adhere to new regulations before facing stiff financial penalties;

*20.50% of the respondents were simply acting quickly to fulfill a demand by the Board of Directors;

*15.50% of the respondents acted out of confusion in this manner because they saw a competitor get hit just recently.

In this plethora of equipment, many of the respondents do not even know where their greatest weaknesses and gaps lie, or even what their particular risk posture looks like when compared to others in the same industry.

But simply removing legacy tools at random is not the answer.  Rather, the SMB needs to take a holistic view of its overall security strategy, and from there, decide which pieces of equipment need to be taken out.

Here is the recommended approach that should be used, according to the people who conducted the survey:

*Each and every security tool must be aligned to a significant risk in the security framework assessment.  In other words, this should drive the need for the tool, not the other way around.

*Each security tool that is in place must reduce risk to the company; you must be able to measure that reduction in risk; and be able to sustain that level of risk. In other words, those tools must have a positive ROI for the company.
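To make the two rules above concrete, here is an added worked example (written for this post, not code from the survey or from Security Magazine) that walks a constructed tool inventory through them: every tool is mapped to a risk from a risk register, its risk reduction is measured against its annual cost to give an ROI, tools that are unmapped, loss-making, or duplicated within a control category are flagged for review, and any risk no tool covers is reported as a gap. The tool names, costs and loss figures are invented for illustration.

```python
"""Security tool rationalization along the survey's two rules:
(1) every tool maps to a significant risk; (2) every tool must measurably
reduce that risk with a positive ROI. Added example for this post; the
inventory and risk register below are constructed illustrations."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SecurityTool:
    name: str
    control_category: str            # what the tool does; used to detect overlap
    annual_cost: float               # licence plus operating cost per year
    # risk_id -> estimated annual loss reduction attributed to this tool
    risk_reduction: dict = field(default_factory=dict)


# Constructed risk register: risk_id -> annual expected loss with no control.
RISK_REGISTER = {
    "R1-ransomware": 400_000.0,
    "R2-credential-phishing": 150_000.0,
    "R3-perimeter-intrusion": 200_000.0,
    "R4-insider-data-exfil": 120_000.0,
    "R5-web-app-compromise": 100_000.0,
}

# Constructed inventory showing the symptoms the post describes: an overlapping
# legacy firewall, an appliance mapped to no risk, and a feed that costs more
# than the risk it removes.
TOOL_INVENTORY = [
    SecurityTool("NGFW-primary", "network-firewall", 60_000.0,
                 {"R3-perimeter-intrusion": 150_000.0}),
    SecurityTool("Legacy-FW-2014", "network-firewall", 25_000.0,
                 {"R3-perimeter-intrusion": 20_000.0}),
    SecurityTool("EDR", "endpoint", 80_000.0,
                 {"R1-ransomware": 250_000.0, "R4-insider-data-exfil": 30_000.0}),
    SecurityTool("Mail-filter", "email", 20_000.0,
                 {"R2-credential-phishing": 90_000.0}),
    SecurityTool("Old-IDS-appliance", "network-ids", 30_000.0, {}),
    SecurityTool("Threat-intel-feed", "intel", 50_000.0,
                 {"R1-ransomware": 10_000.0}),
]


def tool_benefit(tool):
    """Total measured annual loss reduction delivered by the tool."""
    return sum(tool.risk_reduction.values())


def tool_roi(tool):
    """Return on investment: (benefit - cost) / cost; negative means loss-making."""
    return (tool_benefit(tool) - tool.annual_cost) / tool.annual_cost


def unmapped_tools(tools):
    """Rule 1 failures: tools that are not aligned to any risk at all."""
    return [t.name for t in tools if not t.risk_reduction]


def redundant_tools(tools):
    """In each control category with more than one tool, every tool except the
    one with the largest measured reduction is a consolidation candidate."""
    by_category = defaultdict(list)
    for t in tools:
        by_category[t.control_category].append(t)
    redundant = []
    for group in by_category.values():
        if len(group) > 1:
            best = max(group, key=tool_benefit)
            redundant.extend(t.name for t in group if t is not best)
    return redundant


def uncovered_risks(tools, register):
    """Risks in the register that no deployed tool claims to reduce."""
    covered = {risk for t in tools for risk in t.risk_reduction}
    return sorted(r for r in register if r not in covered)


def rationalize(tools, register):
    """Keep/review verdict per tool, plus the coverage gaps in the register."""
    redundant = set(redundant_tools(tools))
    report = {"keep": [], "review": {},
              "uncovered_risks": uncovered_risks(tools, register)}
    for t in tools:
        reasons = []
        if not t.risk_reduction:
            reasons.append("not mapped to any risk in the register")
        elif tool_roi(t) < 0:
            reasons.append(f"negative ROI ({tool_roi(t):.0%})")
        if t.name in redundant:
            reasons.append(f"overlaps with a stronger {t.control_category} tool")
        if reasons:
            report["review"][t.name] = reasons
        else:
            report["keep"].append(t.name)
    # Highest measured risk reduction first, as the basis for prioritizing spend.
    report["keep"].sort(key=lambda n: -tool_benefit(next(t for t in tools if t.name == n)))
    return report


if __name__ == "__main__":
    for key, value in rationalize(TOOL_INVENTORY, RISK_REGISTER).items():
        print(key, value)
```

The numbers that drive this (annual cost and the loss reduction attributed to each tool) are exactly the measurements the survey says must exist before a tool can justify its place; if a tool's `risk_reduction` entry cannot be filled in, that is itself the finding. The `uncovered_risks` output is the other half of the picture: consolidation should never leave a register entry with no control behind it.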

My Thoughts on This?

Although this sounds like a daunting task, an SMB can get started with free tools available online in order to gain that holistic view of its security posture. One such tool is available from NIST and can be found easily via a quick Google search.

Although these tools (especially the one from NIST) will also help you come into compliance with recent rules and regulations (such as the GDPR), it is important to note that being compliant simply does not mean that you will be 100% secure from a Cyberattack.

Achieving this particular task means that you also need to be proactive about finding any security holes and gaps on a continual basis.  This can only be done by engaging in such exercises as Penetration Testing and Threat Hunting. 

Also, apart from maintaining that proactive mindset I keep talking about, it is very important for the SMB to bring a mindset of logical rationalization as well when it comes to selecting the right security tools for the organization.

After all, in the end, all of the security systems and tools that are out there deliver differing levels of risk reduction for the organization. You need to prioritize those that will provide the highest levels of risk reduction and that will also deliver the greatest ROI.  Keep in mind also that whatever tools you deploy, they must cover your entire Cyberthreat landscape.  Whether it is 10 Firewalls or 2 Firewalls, they must be able to guarantee the highest levels of protection possible, while at the same time reducing the amount of false positive alarms that are sent out.