Go to any expo floor, and there will be a bevy of solutions to choose from. Particularly in security, vendors brand new to the market promise to solve any underlying problem, if given the chance.
This has contributed to the complex nature of IT decision making and vendor assessment. With thousands of products to choose from, and little guidance from business stakeholders, security leaders are left to navigate an unwieldy industry.
Compounding the issue, many organizations have a naive approach to security, with little buy-in from the board and other business stakeholders. Attitudes like those lead to poor cybersecurity preparation; 44% of executives say their organization does not have an overall information security strategy, according to a PwC global information security survey of 9,500 executives.
Establishing a top-down approach to security is encouraged, but that does little to remedy the product overload that can result from a poorly outlined security strategy. And increased security spending is often reactionary.
The cybersecurity industry is "getting so big and there's so much stuff," said Onapsis CTO Juan Pablo Perez-Etchegoyen, in an interview with CIO Dive. "Putting myself in the shoes of a CISO, it's probably nearly impossible to really decide what's critical and what's not."
Purchasing habits from security decision makers don't always come from a strategic place. Fear of a security breach is a leading motivator for an increase in overall security spending, according to Gartner. This year, worldwide spending on security is expected to reach $96.3 billion, up 8% year-over-year.
Larger security budgets lead to the acquisition of more products, making it a daunting task to manage portfolios and accurately assess risk.
Speaking with customers about pain points, "most of the conversations are centered around things like, 'I have 50 products. There is nowhere in IT where I own and manage 50 products. I own three to five. In security, I have 50,' " said Tom Corn, SVP of security products at VMware, in an interview with CIO Dive. When looking to change their security approach, customers are asking, "what three things am I taking out to put the one new thing in?"
Where the CISO comes in
Cybersecurity has never been simple, and the introduction of new technologies added complexity, which in turn brought more risk. Creating a net of disparate systems, which often do not communicate with one another, does not help secure organizations.
"When you're looking at a cybersecurity organization as a whole, they're trying to secure and protect everything," said Tammy Moskites, managing director at Accenture Security, in an interview with CIO Dive. A security portfolio, however, is better protected when an organization understands what its "crown jewels" are.
Reassessing key assets comes with the changing nature of the CISO role. Enterprise security leaders are realizing the importance of understanding the business impact, and tying that to risk tolerance.
As the cyberthreat landscape has evolved, third-party risk assessment has been highlighted. A malware attack last fall against a vendor led to data breaches for Delta and Sears, for example.
Vendor risk is dependent on vendor capabilities, according to John Elliott, data protection officer at EasyJet, speaking at RSA Conference 2018 in San Francisco. But by assessing capabilities and operations and qualifying accepted risk, buyers can have a better understanding of the potential impacts to their organization.
Vendor risk assessment is technology agnostic, and can relate to everything from credit card processing systems to ERP solutions.
In a type of "personality profiling tool" for suppliers, based on in-depth questions, security buyers can understand whether a vendor knows what it's doing, can execute and has the intent to execute, according to Elliott.
Elliott's method serves as a model for assessing risk value, akin to a Myers-Briggs personality type indicator. While it can slow down the acquisitions process, it "tends to be better than risk," Elliott said.
No matter the method used for security portfolio decision making, the key to making the technology tools landscape easier to navigate is to place security assessment in the hands of the CISO or other security business decision makers.
CISOs can work with vendors to assess controls, working with the CIO to show gaps in products, according to Moskites. It's up to the CIO to assess whether or not to accept those risks.
"The CIO can still make product decisions," Moskites said. "But what the CISO is making decisions on is when they go to make a product decision or technology decision, the CISO as a collaborative or a peer of the CIO, actually [assesses the] technology they're bringing in and [asks], 'what are the risks?'"