How to Rationalize Cybersecurity Tools in Turbulent Times
Author: James Turgal, Vice President of Cyber Risk, Strategy and Board Relations, Optiv
Re-published from the Optiv Blog
Amid a strained economy, businesses everywhere are tightening their belts and working to ensure that priority programs and critical infrastructure are earning their keep. But despite the current economic state, now’s the time to be introspective with your ecosystem and lean into your technology investments—not pull back. Here’s why.
First, this isn’t the recession of 2008–2009 and it is certainly not the threat environment we faced 15 years ago. We live in a completely different reality, with more complex technology ecosystems and more aggressive cyber threat actors. With digital transformation now at full throttle, the world is more interconnected than ever before. The days of the single legacy system are long gone, having been ousted by an overlapping mesh of cloud-first technologies. Cybercrime is booming as attackers exploit this expansive attack surface.
As we now brace for a possible recession, it’s often our first instinct to pull back on spending. However, when investments begin to slow around enterprise technology, it’s often the attackers who reap the benefits. Instead, consider this an opportunity to talk to your chief information security officer (CISO) about rationalizing the tools currently in your organization’s stack to buy down systemic risk and build resilience.
A Closer Look at Technology Consolidation and Rationalization
Compounding technical debt is a common problem. Working with clients, I find that the average mid-enterprise organization has anywhere from 70 to 90 technologies in their environment. Instead of looking at net new tools, now’s the time to look inside the ecosystem and make current technology investments show their worth.
A good place to start is a technology consolidation and rationalization analysis. Whether your security team conducts the analysis or you hire an outside firm, it’s important to determine what tools you have, whether they’re deployed (or deployed correctly), which are critical to business operations, and whether they’re integrated or not. This is also a great opportunity to identify redundancies in your environment, including shadow tools that you can sunset to raise security hygiene and lower costs.
Going beyond a maturity assessment, a tech rationalization analysis evaluates the technology across your ecosystem as a whole, then pares it down to the tools that are justified as essential to running it. A true, holistic evaluation will show your tools’ objective value to the business while ensuring the data generated by these tools remains actionable and, importantly, integrating the tools to deliver capabilities that drive specific outcomes. Along with improving your security posture, you may also find opportunities to whittle down your total tool count and enjoy savings in the process.
Prepare for Resilience
Addressing the ongoing risks inherent to your organization is an expense, yes. However, not doing so can be significantly more expensive down the road (i.e., secure today or repair tomorrow). Today’s cyber landscape affects the current economic climate in different ways than in past recessions. You simply can’t afford to slow down when it comes to shoring up your cyber defenses.
Geopolitical tensions are also giving rise to new suites of threats and plenty of economic gray area. That’s why it’s also a good idea to identify, map, and protect business-critical assets as part of the technology consolidation and rationalization analysis. What data are they producing and where is the data going? How are they secured? Your CISO should understand what the normal data flow looks like in your enterprise, so that they’re prepared to pivot and recover should crucial operations be interrupted.
Investments in this area should focus on the resilience piece of security because it forges the ability to look ahead and anticipate where the threats are coming from. And with your technology now realigned with critical business processes, data, and infrastructure, you can deploy the right tools, the right way, to help you drive resilience throughout your environment.
You don’t have to sacrifice resilience initiatives for the sake of saving money. By first rationalizing the technology you already have in place, you can drive resilience and be better equipped to handle economic turbulence and unpredictable threats.
This article originally appeared on the NACD BoardTalk blog and later on the Optiv blog. Reprinted with permission.
https://blog.nacdonline.org/posts/rationalize-cybersecurity-turbulent-times