We’ve reached peak cyber-tooling. It’s time to consolidate.
A very dear client of mine recently took a new CIO role at a global business. I asked him about the current state of the company’s Cyber Security protection. He said:
“It's remarkable. Not a penny has been spared. They have every single security monitoring tool they could ever need - but it's like wearing seven watches, and not knowing which one is telling the right time.”
I don't think he's alone in this. We've been through an extraordinary 10 years of cyber security tooling and product adoption. The market has been flooded with technology and software for every control and every regime and every possible and potential vector of breach.
VC, PE and Institutional money has poured into the industry. They’re all looking for the silver bullet of exponential growth and client adoption with subscription-based models. It’s been driven by a heady mix of mandatory compliance pressure and fear of being hacked. The market has gobbled them up with Cyber Security budgets growing at 12.4% per annum and the number of vendors reaching dizzying heights.
Have we reached peak tooling?
I was recently shown the 23% renewal rates for one of the more successful Cybersecurity tools on the marketplace. So, clients have evidently become fed up with spending huge amounts of money for tools that ultimately end up either reporting too many false positives and being very noisy or sitting on the shelf collecting dust. Worse than that, tools are often very difficult to implement and become ineffective very quickly. Or don't actually do what they were said to do in the first place: vapourware.
How can you consolidate?
Most businesses at the moment are trying to save money. The consolidation of tooling has to be an area where businesses can now tighten the belt. Some technologies are indeed consolidating themselves. Is it really necessary to have a net flow analyser now? Surely your line networking technology will be able to do this equally well? Do you need to have network access control and privileged identity management, and identity and access management, and zero trust architecture?
We've been working closely with Microsoft recently, along with other technology providers. Their return on investment model can be very compelling. With an E5 license it’s now possible to do many of the functions and controls required to achieve your ISO 27001 (or other) compliance regimes.
Equally, it doesn't take a great deal of effort to map your controls against your other compliance regimes (ISO, NIST, CE+, CAF etc) and see where you have overlap.
What’s involved in consolidating?
I've seen a recent client able to shave over £450,000.00 per year off their opex budget on tooling alone. Let alone the cost saved by not having to maintain, manage and monitor said tooling. A comprehensive cyber security strategy would include the obsolescence of certain technologies and replacement with more consolidated and cost-effective solutions. This could be in the cloud or on premise.
It is equally possible to save the equivalent of a full-time head in time. You can do this by consolidating the compliance regimes into a single process and combining information security management systems across multiple regimes with the quality management system for a consolidated information management system.
Yet there is a nervousness about removing old controls that may or may not be doing a good job or even a blindness to moving away from one’s trusted vendors. Then of course there’s the ‘can’t put all of your eggs in one basket’ argument.
The starting point is a control mapping against a consolidated compliance plan.
Area for exploitation - Wherever you have an overlap; more than one control achieving an element of your compliance mandate.
Area for exploration - Wherever you have more than one element of your compliance map being served by two or more.
And of course this can be modelled: a future control set servicing a future compliance mandate.
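The control mapping described above, sketched as an added example (not Cyro's own code or method): each tool is mapped to the requirements it satisfies, overlaps are listed, and a proposed future control set is checked for gaps. Tool names and requirement IDs are constructed for illustration; note that tools which are each redundant on their own cannot always be retired together.

```python
from collections import defaultdict

# Constructed sample data: tool names and requirement IDs are hypothetical.
CONTROL_MAP = {
    "netflow_analyser": {"REQ-NET-MON"},
    "network_platform": {"REQ-NET-MON", "REQ-SEGMENT"},
    "nac": {"REQ-ACCESS", "REQ-SEGMENT"},
    "pim": {"REQ-PRIV-ACCESS"},
    "iam_suite": {"REQ-ACCESS", "REQ-PRIV-ACCESS", "REQ-MFA"},
    "siem": {"REQ-LOG"},
}
# The consolidated compliance mandate: every requirement that must stay covered.
MANDATE = {"REQ-NET-MON", "REQ-SEGMENT", "REQ-ACCESS",
           "REQ-PRIV-ACCESS", "REQ-MFA", "REQ-LOG"}

def coverage(control_map, mandate):
    """Invert tool -> requirements into requirement -> sorted list of tools."""
    served = defaultdict(list)
    for tool, reqs in control_map.items():
        for req in reqs & mandate:
            served[req].append(tool)
    return {req: sorted(served[req]) for req in mandate}

def overlaps(control_map, mandate):
    """Requirements met by more than one tool: candidates for consolidation."""
    cov = coverage(control_map, mandate)
    return sorted(req for req, tools in cov.items() if len(tools) > 1)

def redundant_tools(control_map, mandate):
    """Tools that could each be retired on their own without opening a gap."""
    cov = coverage(control_map, mandate)
    return sorted(tool for tool, reqs in control_map.items()
                  if all(len(cov[req]) > 1 for req in reqs & mandate))

def model_future(control_map, mandate, retire):
    """Requirements left uncovered if every tool in `retire` goes together."""
    future = {t: r for t, r in control_map.items() if t not in retire}
    return sorted(req for req, tools in coverage(future, mandate).items()
                  if not tools)

if __name__ == "__main__":
    print("Overlaps:", overlaps(CONTROL_MAP, MANDATE))
    print("Individually redundant:", redundant_tools(CONTROL_MAP, MANDATE))
    # Safe consolidation: the remaining tools still service the whole mandate.
    print("Gaps:", model_future(CONTROL_MAP, MANDATE,
                                {"netflow_analyser", "nac", "pim"}))
    # Both tools are redundant alone, but retiring both drops segmentation.
    print("Gaps:", model_future(CONTROL_MAP, MANDATE,
                                {"network_platform", "nac"}))
```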
By reducing complexity you will improve security, because fewer tools equals fewer threat vectors. Especially if they have been neglected.
It’s time to be bold. It’s time to be perceptive and plan a more secure, more compliant and more cost-effective future.
Author: Shannon Simpson, CEO
Have you reached peak tooling? If you would like to explore this subject further please do contact Cyro: hello@cyro.uk or 020 3398 0973.