Cybersecurity overspending: It’s time to shed the belt or the suspenders

By: Dianne Lapierre | 4/6/2021 | 3 min read

Originally published in Security Magazine

A long-held belief among enterprise organizations is the more you spend on IT and security technology, the stronger your security posture will be. The tendency has been to address each new challenge or threat that emerges with the purchase of one more solution, or another shiny new tool. This approach of spending your way to security is not just costly; it also breeds a false sense of security.

As economic uncertainty continues alongside the ongoing pandemic, IT and Security budgets are likely to see modest, if any, growth this year. Therefore, it will fall to CIOs to focus on maximizing existing investments, getting back to the basics, and doing more with the same (or less).

There are some core principles I believe are important to keep top of mind when it comes to minimizing risk and maximizing budgets.

Recognizing the Belt and Suspenders Problem

In the case of security tools, our tendency is not to trust them independently – so we layer them. If some is good, then more must be better. Our data shows that the average endpoint device has over 96 unique applications running, at least 10 of which are endpoint security controls. But the number of controls and applications we are piling onto the endpoint is actually creating more problems than it solves.

Every security agent added to an endpoint device has the potential to accelerate complexity and risk exposure, contribute to application decay, and affect overall device health and security. The simple truth is that you do not actually need both a belt and suspenders… one will do the job without the other.

Measuring and Communicating Risk

When everyone went home to work remotely, there was a general acceptance of necessary increased risk. Companies needed to do what they could to remain operational and productive, so most CIOs held their breath and hoped for the best as employees accessed company data from devices off the corporate network. In addition to a higher tolerance for risk, many organizations displayed a low willingness to add more tools as the pandemic took hold.

Now, more than one year into the global health crisis, we understand the criticality of finding a safe intersection of these two positions. As we look for ways to reduce the risk introduced by the rush to remote work, CIOs need to come up with effective communication to describe the risk in ways their organization can understand. Fear isn’t a long-term strategy. Instead, it is increasingly important to quantify the business impact any risk brings using actual data, and carefully outline the steps needed to address it moving forward.

Knowing What You Have (and What’s Working)

Many organizations have found themselves with multiple versions of software that do essentially the same thing. It is a relatable problem – everyone wants the newest, greatest solution but inevitably, it takes time to phase out the old. As purse strings continue to tighten, now is the time for CIOs to take a hard look at their software estate and ask key questions. Are these tools doing their job? Are licenses in order?

Just because we have purchased and deployed a solution, however, does not automatically mean that it is installed and working seamlessly across the environment. So, it is just as important to ask, “Are my security agents installed and working as intended? Can these applications self-heal when they become corrupted?” An enterprise security approach cannot be static; it must be intelligent, adaptive and resilient.

In the absence of those things, we risk falling prey to a false sense of security… it is time to know, concretely, where gaps might exist. Taking the time to shore up loose ends, and rationalize security technologies and systems, can reap massive benefits from both a risk management and cost savings perspective.
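The three questions above (Are tools doing their job? Are agents installed and working as intended? Where are the gaps?) are easiest to answer from an inventory rather than from a purchase list. The following is an added example, not the article's or the author's code: it runs over a constructed fleet inventory (hypothetical device ids, product names and control categories) and reports which categories carry redundant products, which agents are installed but not running, and which devices have no running control in a required category.

```python
"""Endpoint agent rationalization report (added example; fleet data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Agent:
    name: str        # product name (hypothetical)
    category: str    # control category, e.g. "edr", "dlp", "vpn"
    running: bool    # whether the agent's service/process was observed running


# Constructed sample inventory: device id -> agents found installed on it.
FLEET = {
    "laptop-001": [Agent("EDR-A", "edr", True), Agent("DLP-X", "dlp", True), Agent("VPN-1", "vpn", True)],
    "laptop-002": [Agent("EDR-A", "edr", False), Agent("EDR-B", "edr", True), Agent("DLP-X", "dlp", True)],
    "laptop-003": [Agent("EDR-B", "edr", True), Agent("DLP-Y", "dlp", False), Agent("VPN-1", "vpn", True)],
    "laptop-004": [Agent("EDR-A", "edr", True), Agent("DLP-X", "dlp", True), Agent("DLP-Y", "dlp", True)],
}

# Categories every device is expected to have one *running* control in (assumed policy).
REQUIRED_CATEGORIES = {"edr", "dlp"}


def redundant_categories(fleet):
    """Categories served by more than one distinct product across the fleet (the 'belt and suspenders' list)."""
    products = defaultdict(set)
    for agents in fleet.values():
        for a in agents:
            products[a.category].add(a.name)
    return {cat: sorted(names) for cat, names in products.items() if len(names) > 1}


def device_overlaps(fleet):
    """Per device: categories where two or more products are installed side by side."""
    result = {}
    for device, agents in fleet.items():
        by_cat = defaultdict(list)
        for a in agents:
            by_cat[a.category].append(a.name)
        overlaps = {cat: sorted(names) for cat, names in by_cat.items() if len(names) > 1}
        if overlaps:
            result[device] = overlaps
    return result


def broken_installs(fleet):
    """Per agent: number of devices where it is installed but not running ('deployed' is not 'working')."""
    counts = defaultdict(int)
    for agents in fleet.values():
        for a in agents:
            if not a.running:
                counts[a.name] += 1
    return dict(counts)


def coverage_gaps(fleet, required=frozenset(REQUIRED_CATEGORIES)):
    """Devices with no running agent in a required category; only running agents count as coverage."""
    gaps = {}
    for device, agents in fleet.items():
        covered = {a.category for a in agents if a.running}
        missing = sorted(required - covered)
        if missing:
            gaps[device] = missing
    return gaps


def report(fleet):
    """Assemble the four views into one dict for printing or export."""
    return {
        "redundant_categories": redundant_categories(fleet),
        "device_overlaps": device_overlaps(fleet),
        "broken_installs": broken_installs(fleet),
        "coverage_gaps": coverage_gaps(fleet),
    }


if __name__ == "__main__":
    for section, rows in report(FLEET).items():
        print(f"== {section}")
        for key, value in sorted(rows.items()):
            print(f"  {key}: {value}")
```

Two design choices matter. Coverage is judged on running agents, not installed ones, so a device whose only DLP agent is installed but stopped shows up as a gap rather than as covered. Redundancy is reported both fleet-wide (two products bought for one job) and per device (two products stacked on one endpoint), because the two call for different decisions: the first is a licensing and consolidation question, the second is the endpoint-health problem the article describes.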
