Good Enough Isn’t Good Enough Anymore
The cyber risks we face today are more than we faced previously but also fundamentally different in several respects. Our adversaries are more adept and their tools and tactics more protean in capability. In light of these increasing challenges, our cyber defenses have morphed over time.
This is not to say that our arsenal today includes better defenses. Our defenses have morphed because we have seen the headlines, possibly experienced organizational pain ourselves, and we as CISOs have searched out new cyber solutions to address new cyber threats.
In earlier times, we agreed “it’s all about the network.” Cloud migrations and virtual connectivity, however, have modified that mantra. Now, we agree “it’s all about the data.” As our cyber defense focus has shifted, so has the array of potential solutions.
Best of Breed vs. Bundle
Cyber solutions are promoted in two primary categories, and the choices CISOs make about these categories matter. On the one hand, some solutions offer—or at least presume to offer—best of breed capabilities. They propose to satisfy a CISO’s particular concern directly and completely, whether that concern is about endpoint, detection and response, network, data protection, or any other discrete layer of the cybersecurity stack.
These solutions often operate in silos, are difficult to connect to other parts of an organization’s defense stack, and intentionally establish themselves as true one-offs within the cyber arsenal. They are superb at the mission they are intended to serve but, like the proverbial cheese, stand alone.
On the other hand, some potential offerings are bundled solutions, addressing defense for endpoint and detection and response, or network and data protection (think DLP here). Some bundled solutions go further, offering suites of combined offerings that address a wide variety, if not the full gamut, of cybersecurity worries. Some focus on service solutions as opposed to product solutions, but even in these cases the service provider likely offers or prefers specific products.
“It’s hard most days for CISOs to see the forest for the trees. Bundles thankfully offer a way to navigate the thicket.”
What bundled solutions typically lack is any particular component that is, indeed, best of breed. This may be an unfair blanket statement, because certainly many bundled offerings include very good solutions.
Nevertheless, the components of these bundled solutions are neither discrete in nature nor completely focused. More likely, bundled solutions are solution sets built to inter-operate, to play nicely with each component part, because a bundled solution is probably doomed to fail unless every part works in harmony with every other part of the bundle.
A Place for SOAR
While best of breed solutions are wonderfully capable, they can be onerous to manage. Keeping these solutions current can also be challenging. Additionally, getting these solutions to inter-operate with other parts of the stack may be difficult.
A best of breed solution for example may be strong at DLP, but security teams may struggle to integrate its logs into the organization’s SIEM solution. Configuring a best of breed solution can also prove challenging, because the inherent capability of the solution is complicated. A best of breed solution may be difficult even to deploy, given that it stands by itself.
“If best of breed solutions operate in silos (they tend to, it’s their nature), then getting each of them into a common management regime via SOAR may be a bridge too far.”
Security orchestration, automation, and response (SOAR) solutions can therefore serve a valuable purpose. They provide value by organizing disparate components of the stack into a comprehensible and manageable whole. SOAR assumes that unmanageable, disparate elements exist in the stack but they can be integrated (to some extent) under an umbrella technology that manages them as a single-threaded solution set.
If best of breed solutions operate in silos (they tend to, it’s their nature), then getting each of them into a common management regime via SOAR may be a bridge too far. Technology that is meant to be independent tends to resist cooperation and integration. This is not to diminish the value of SOAR solutions but simply to say that best of breed solutions are a breed of their own.
Cost, too, is always a consideration. Although some organizations have big cybersecurity budgets, most organizations (especially SMBs) aren’t so fortunate and must manage costs carefully. A bundle of cybersecurity solutions often can be cost effective because there’s leverage in combining purchases from a single vendor.
There is, however, also risk. The consequences could be catastrophic should a bundled solution have a security flaw or other significant operational issue. What if every part of a solution set failed at once? Therein lies the madness for CISOs. A best of breed solution may be vital, but its failure shouldn’t engender failures across the stack.
Some of these solutions nevertheless aspire to uber-security. Best of breed—as in dog shows—is special, and that specialty needs to be protected. Their providers pay “special” attention to things that increase customer risk and work to refine and improve the secure state of their offerings. This suggests best of breed solutions may be less likely to fail.
Capability Today vs. Strategic Roadmap
It’s hard most days for CISOs to see the forest for the trees. Bundles thankfully offer a way to navigate the thicket. Bundle providers understand their (foundational) role in customer organizations. Their comprehensive solution sets let CISOs solve multiple issues with a single procurement arrangement.
Managing supplier relationships takes time, and every cybersecurity leader needs more time, not less. Fewer critical suppliers in the stack is therefore advantageous for most cybersecurity organizations. After all, CISOs require instant capability in the solutions they deploy. A security gap needs to be closed now, and a purchase will hopefully close it. A fulsome relationship with a bundle provider may achieve early delivery and support for addressing emergent issues.
“Managing supplier relationships takes time, and every cybersecurity leader needs more time, not less.”
A CISO also needs to understand the long view of their suppliers, not just what their solutions do now, but what they will do going forward. Where will a product or service be in two or three years? How does the CISO and the organization fit inside a supplier’s strategic plan? Knowing where a supplier is heading is a leading indicator. A bundled solution may bring the CISO’s organization closer to the supplier, and this may facilitate cross-strategic planning at a deep level.
Best of breed suppliers, by contrast, can be more difficult to get to know. These providers are sometimes smaller with niche offerings. How many employees do they have? Who will answer the phone when a CISO makes a critical call?
Alternatively, it’s possible that smaller providers are more intimate and engaging about the specific solutions they provide. A CISO can build a relationship with a supplier’s senior leadership, which can prove very valuable, in terms of immediate needs and long-term planning.
The Inevitable Doesn’t Have to Be
If CISOs believed all suppliers will be successfully targeted and victimized, they’d quit and drive trucks for a living; it’s an honest job that depends only on the certainty of sources and destinations. Cybersecurity depends on much more: the intricacies and inter-relationships of networks, hardware, software, user behavior, the cooperation of cloud providers, the partnership of suppliers and customers, and the complicated demands and expectations of stakeholders. A CISO’s job is undeniably hard, and it’s only getting harder.
“How does the CISO and the organization fit inside a supplier’s strategic plan? Knowing where a supplier is heading is a leading indicator.”
And that’s just the business side. Cybercriminals of every variant have figured out that there’s money to be made, heartache to be transferred, and chaos to be raged whenever they identify a vulnerability.
Every decision a CISO makes therefore matters. Every increment of cyber strategy should be based on thoughtful examination of facts from internal and external intelligence, providing the CISO with purpose and reasoned choices. Risk can’t in most cases be eliminated, but it can be mitigated and managed. CISOs don’t wait for the bad thing to happen. They work every day to delay the inevitable and to diminish its consequences.
The choices we CISOs make in what we buy, and how, also matter. Best of breed may offer capability and expertise unavailable in bundled solutions. As a result, the good enough provided by bundled solutions may not be good enough anymore. Regardless, every CISO knows that what matters most is the good we do. That is not a choice. It is our nature.