Cybersecurity teams are awash in tools and security alerts. This leaves security professionals with a wealth of data and alerts about the latest threats, vulnerabilities, and potential gaps in their coverage. There are so many security tools in place today that there’s a risk that security teams rely too much on their toolsets and not enough on their cybersecurity strategy.
“I can remember 30 years ago trying to convince companies in the private sector that they need to have a strategic approach to security and how to make the organization secure,” says Mayuresh Ektare, SVP of product management at Brinqa. “Of course, 30 years ago, the big argument was that you need to have a firewall if you're going to plug into this backbone called the Internet,” Ektare says.
It was a mistake then, and it’s a mistake now, contends Ektare, to place the initial focus on security tools and not the appropriate security processes. “Since day one, there's been a challenge in trying to get organizations to approach things strategically. They tended to look toward the tools [first],” he says.
It’s a backward mindset, contends Ektare. He compares the security tools first mindset to other enterprise disciplines, such as CRM. No organization would sensibly consider buying a CRM without first considering its CRM processes and objectives. Without deploying the CRM, no one would sensibly consider building their processes in the organization. They're thinking of what the eventual process in the organization will be like and then building out the tooling for that process. “Instead, in cybersecurity, people start thinking about whether or not they have an endpoint security solution. A firewall? A cloud security solution? And there is just an explosion of tools,” he says.
The result is a hodgepodge of tools.
More tools don’t mean more security
More tools don’t always mean more security. As Ektare explains, Bringa is often helping customers in larger organizations who have deployed more than 50 discrete security toolsets. “Having tooling at that scale isn’t unheard of,” he says.
As Ektare explains, Bringa helps enterprises to centralize data from their various security tools to provide a unified view of their cybersecurity risk. “We essentially help security teams understand, contextualize, and prioritize cyber risk so that they can effectively communicate inside the organization and remediate with precision,” says Ektare.
Getting there can be a challenge. As Ektare explains, it's only after there is a sprawling set of tools that enterprises start thinking about how they can put the right cybersecurity plan together. According to Ektare, if organizations instead began thinking strategically and focused on how they would orchestrate their entire cybersecurity program, they would be in a much better position today.
The challenge is exacerbated when enterprises have varying types of assets and classes of assets spread throughout their environment. And let’s face it: what sizeable enterprise doesn’t have various types and styles of assets today? There are traditional endpoints, applications, cloud infrastructure, cloud applications, IoT devices, and operational technologies. And each one of these specialized asset classes has a specialized scanning tool dedicated to them, Ektare details.
The assessment tools aren’t just dedicated to each asset class because the technologies are different. The security assessment tools dedicated to each asset class aren’t just necessary because each asset class is its own type of technology; the organizational ownership structure of the varying asset classes also matters. “There isn't a single owner who has the responsibility across all these asset types. We imagine customers using a solution to aggregate the risks they see across all of their attack surface, regardless of what asset type they’re looking at from a business perspective,” he says.
It comes down to understanding one’s entire attack surface across asset types, identifying vulnerabilities, prioritizing them based on what’s most critical for the business, and closing those flaws. “That’s the Holy Grail of understanding what is important for your business,” he says.
George V. Hulme