The Cybersecurity Tower of Babel Requires Focus on Business Fundamentals: Part 1
Published 07/11/2024
Written by Elad Yoran & Patricia Schouker.
The adage "the only constant is change" applied to enterprise cybersecurity at this year’s RSA Conference. While much attention was appropriately focused on the possible implications of AI for security, conversations with CISOs indicate that much of the change enterprises face is driven by the proliferation of security tools in recent years. With so many solutions needed to cover different portions of the environment, enterprise security has fragmented into a cacophony of disjointed reports and findings, making remediation even more challenging.
Security Solution Proliferation and the Law of Unintended Consequences
As businesses evolve, their attack surfaces expand and the number of potential risks to their systems, networks, applications, and data increases, whether on premises, in the cloud, or in a hybrid environment. In recent years, this dynamic has led to a rapid proliferation of security solutions, each specialized in identifying and managing risks in a specific area. Often, these solutions recommend a specific action to remediate the risks, such as applying a patch, reconfiguring a device, rewriting vulnerable code, or removing stale permissions.
The result is a well-lit “segment level” view of security risks and needed actions. However, the segments are effectively siloed and therefore complicate the understanding of higher-level enterprise-wide security and the management of the company-wide security strategy.
Complex company-wide environments with numerous security solutions pose considerable management challenges, both technical (such as aggregating, normalizing, and prioritizing diverse issues that lack standardization) and communicative (such as communicating with remediation teams that operate elsewhere in the company and do not report to the CISO).
"As security professionals we make changes to our stacks, adding resources to cover parts of our environment that we believe are not adequately monitored for security risks. While this may be necessary, I feel we are in a loop of adding more pieces to an ever-expanding Lego. We have tools to monitor even more tools and processes but lack contextual awareness. Why are we using these tools, how do we know they are effective, do they provide value to the company? These questions, to me, demonstrate that we operate without a full understanding of our company’s risk," remarked Gary Hayslip, CISO for SoftBank Investment Advisers.
Getting Back to Basics
How do enterprise CISOs address this challenging situation? While specifics varied, CISOs shared a common philosophy: the need to regain an enterprise-level perspective of security and to accelerate remediation across IT, DevOps, Engineering, and other functional areas. Developing and implementing new cybersecurity workflow solutions is necessary, including consolidating and streamlining information, leveraging data science and context for prioritization, automating manual processes, and fostering collaboration across stakeholders. Stay tuned for Part 2 of this blog, where we’ll go further in-depth into these recommendations.
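The management challenge described earlier (aggregating, normalizing, and prioritizing findings that arrive in different shapes from different tools, then handing them to remediation teams outside the CISO's organization) and the consolidation and context-driven prioritization the CISOs recommend can be made concrete. The following is an added example, not code from the original article or from any product it mentions. The three tool output formats, the findings, the asset context, the severity mapping, the weighting and the owner assignments are all constructed for illustration.

```python
"""Consolidate findings from several security tools into one schema, deduplicate
them, rank them with business context the tools lack, and route them to owners.

Added example, not from the original article. Every tool, field, finding, score
weight and owner below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed raw output from three hypothetical tools, each with its own schema.
VULN_SCANNER = [
    {"host": "web-01", "cve": "CVE-2024-0001", "cvss": 9.8, "fix": "apply vendor patch"},
    {"host": "web-01", "cve": "CVE-2024-0001", "cvss": 9.8, "fix": "apply vendor patch"},  # repeated scan run
    {"host": "db-01", "cve": "CVE-2023-0002", "cvss": 6.5, "fix": "apply vendor patch"},
]
CLOUD_POSTURE = [
    {"resource": "s3://backups", "rule": "PUBLIC_BUCKET", "level": "HIGH", "remediation": "block public access"},
]
IAM_REVIEW = [
    {"principal": "svc-legacy", "issue": "unused admin role 120d", "risk": "medium", "action": "remove stale permissions"},
]

# Constructed asset inventory: the context no single scanner has (owner team,
# exposure, how much the business depends on the asset, 1 = low, 5 = high).
ASSET_CONTEXT = {
    "web-01": {"owner": "platform", "internet_exposed": True, "criticality": 3},
    "db-01": {"owner": "data", "internet_exposed": False, "criticality": 5},
    "s3://backups": {"owner": "data", "internet_exposed": True, "criticality": 4},
    "svc-legacy": {"owner": "identity", "internet_exposed": False, "criticality": 2},
}

# Map word severities onto the same 0-10 scale a CVSS-style scanner already uses.
SEVERITY_WORDS = {"critical": 9.0, "high": 7.5, "medium": 5.0, "low": 2.5}


@dataclass(frozen=True)
class Finding:
    asset: str
    source: str
    fingerprint: str  # stable identifier of the issue on that asset, used for dedup
    severity: float   # tool-native severity mapped onto one 0-10 scale
    action: str       # the remediation step the tool recommends


def normalize() -> List[Finding]:
    """Translate each tool's native record into the common Finding schema."""
    out: List[Finding] = []
    for r in VULN_SCANNER:
        out.append(Finding(r["host"], "vuln-scanner", r["cve"], float(r["cvss"]), r["fix"]))
    for r in CLOUD_POSTURE:
        out.append(Finding(r["resource"], "cloud-posture", r["rule"],
                           SEVERITY_WORDS[r["level"].lower()], r["remediation"]))
    for r in IAM_REVIEW:
        out.append(Finding(r["principal"], "iam-review", r["issue"],
                           SEVERITY_WORDS[r["risk"].lower()], r["action"]))
    return out


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Collapse repeated reports of the same issue on the same asset, keeping the worst."""
    seen: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.asset, f.fingerprint)
        if key not in seen or f.severity > seen[key].severity:
            seen[key] = f
    return list(seen.values())


def priority(f: Finding) -> float:
    """Raw severity weighted by asset criticality and internet exposure (constructed weights)."""
    ctx = ASSET_CONTEXT.get(f.asset, {"internet_exposed": False, "criticality": 1})
    score = f.severity * ctx["criticality"]
    if ctx["internet_exposed"]:
        score *= 1.5
    return round(score, 1)


def triage() -> Tuple[List[Finding], Dict[str, List[Finding]]]:
    """Return findings ranked by contextual priority, and the same list grouped by owning team."""
    ranked = sorted(dedupe(normalize()), key=priority, reverse=True)
    by_owner: Dict[str, List[Finding]] = defaultdict(list)
    for f in ranked:
        by_owner[ASSET_CONTEXT.get(f.asset, {}).get("owner", "unassigned")].append(f)
    return ranked, dict(by_owner)


if __name__ == "__main__":
    ranked, by_owner = triage()
    for f in ranked:
        print(f"{priority(f):5.1f}  {f.asset:14} {f.source:14} {f.fingerprint}  -> {f.action}")
    for owner, items in by_owner.items():
        print(owner, [f.fingerprint for f in items])
```

With these constructed inputs the public bucket (tool severity "HIGH") outranks the CVSS 9.8 host vulnerability once exposure and criticality are applied, which is the kind of reordering the raw, per-tool reports cannot produce on their own; the per-owner grouping is what lets a security team hand each remediation team only the items it can act on.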
About the Authors
Elad Yoran brings over 25 years of cybersecurity expertise, having founded, led, and successfully exited several pioneering cyber companies. Elad serves as a Strategic Advisor to the Cloud Security Alliance and Seemplicity, and on various company, government, and industry boards such as the Army Cyber Institute and formerly the FBI’s Information Technology Advisory Council. His companies have been acquired by industry giants like Tenable, Cisco, CyberArk, Forcepoint, McAfee, RSA, SafeNet, and Symantec. He is a former U.S. Army officer, a veteran of Operation Restore Hope in Mogadishu, Somalia, and holds an MBA from the Wharton School of the University of Pennsylvania, as well as a B.S. degree from the United States Military Academy at West Point.
Patricia Schouker is the founder of Energy Bridge Global and a subject matter expert in energy and security based in Washington D.C. She leads business and strategy at PolySwarm and previously served as a Policy Officer at the European Commission, focusing on US-EU energy relations and cybersecurity. Patricia is an active member of Future Congress, advocating for integrating scientific and technological knowledge into the U.S. legislative process. She is a fellow at Oxford University and The Payne Institute at Colorado School of Mines. Patricia earned her degrees in Political Science and Economics in London and a Master’s in Strategic Intelligence Studies in Washington D.C. Connect with her on X: @Patricia_Energy.