Research shows many companies now own and operate more than 60 disparate security tools, yet breaches continue to make headlines. Throwing more tools at the problem is a tactic that simply doesn’t work and— with trends pointing toward tighter security budgets—may not even be possible anymore.
Security leaders are now in a position that requires them to ask tough questions and carefully scrutinize new security tools before pulling the trigger on purchases. With risk outpacing budget growth, stakeholders need to make investments that provide clear, real-world evidence of gaps, priorities, and results.
“Swivel chair management,” also known as tool overload, is prevalent. Security analysts are overwhelmed by the quantity of security tooling available to them, making it difficult to perform their jobs effectively.S&P Global Market Intelligence Discovery Report: The Impact of Continuous Security Validation
In this new blog series—based on our recent white paper The Skeptic’s Guide to Buying Security Tools—we’ll outline an evidence-based approach to justifying investment decisions. The process starts with asking why. In our first post below, we’ll discuss how to identify where gaps exist, determine if those gaps can be filled by existing tools, and evaluate new tools if they truly are needed.
Where do we still have gaps?
The skeptical buyer verifies the need for an additional purchase scientifically by putting existing defenses to the test. If testing confirms that dangerous gaps exist—and that tweaking existing controls won’t appreciably improve detection and response—a new tool likely warrants investment.
Assessments can be done quickly and repeatedly using BAS to launch real-world attacks against your environment to see how–and how quickly–existing tools and teams detect and respond to threats. BAS can provide insight about where attackers can find a way in and what actions they can take while remaining undetected. For example, can they drop command and control (C2) tools or escalate their privileges?
Then, assuming you have multiple gaps—as most organizations do—it falls to those responsible for the budget to rank and prioritize the need to close those gaps based on available cycles and goals for the business.
How do we balance business objectives and cyber threats?
When considering new tool purchases, organizations must carefully consider immediate needs and long-term goals for maturing their security practice. Long-term priorities might include things like:
- Securing remote access and digitalization
- Stopping ransomware attacks
- Protecting against the most common or likely TTPs
- Meeting deadlines for new regulations or improving the ability to demonstrate compliance
- Adopting a proactive, Zero Trust security posture
But, if your company or an ecosystem partner recently suffered a ransomware attack, stopping phishing might become a CISO or board-level priority. Security leaders must then decide on the best course of action. For example, should they invest in better endpoint detection and response (EDR), add biometrics into multi-factor authentication (MFA), offer more user education, or some combination of all of the above?
The Skeptical Buyer’s Checklist
• Which challenges pose the greatest risk?
• Which issues are board-level priorities?
• Do we have the right approach?
• How will we demonstrate that we’ve solved the problem?
• Do we already own something that has this capability?
• Will adding this tool improve detection and response?
Which gaps can we cover with existing security controls?
Once you decide to amplify or acquire certain capabilities, take a stroll through your security operations center (SOC) to see whether existing platforms and providers can meet your current challenge. This may include looking at features and capabilities of tools you already have that you aren’t utilizing fully or at all.
Then, use BAS to recreate specific threats that you’re hoping to prevent. By defining and running attacks in the lab, you’ll be able to see how well new configurations of existing solutions improve detection and response. For example, if ransomware looms largest, simulate the progression of phishing and related tactics and techniques like account takeover (ATO) and business email compromise (BEC) that may involve or target identity. Follow conventional wisdom by “assuming the breach” and model lateral movement through your network toward your organization’s crown-jewel assets.
This type of assessment will help you pinpoint and quantify gaps in monitoring and detection coverage at each stage of the attack killchain, identify the best way to improve response or prevention, and define a clear set of verifiable success criteria. Now the team can move on to evaluate competing solutions.
How can we anticipate pushback on cybersecurity spending?
Even though cybersecurity budgets maintain steady growth year over year, asking – and not asking – for funding feels like a no-win situation. Assume that whoever you need to convince will question both the need for another security tool and that your proposed addition should take the highest priority. “Out skeptic” them by justifying expenditures from a big-picture or bottom-line perspective.
This involves weighing the risk of not addressing known coverage gaps—and possible damage control following incidents—against the cost of changing vendors or adding new tools. With so many pressing issues in flux, you may not be able to address every gap right away, but you don’t want to remain overly vulnerable just to cut corners either.
Does the prospective new tool move the company closer to long-term objectives for compliance or achieving 100% visibility of your security posture? Can it significantly decrease the likelihood of ransomware or cloud-based attacks succeeding?
If you find multiple gaps that might benefit from new investment, the next step is to validate clear priorities.
When evaluating cybersecurity controls, how can we determine which solution excels in our unique environment?
Even enterprises with very deep pockets cannot afford to burn budget or cycles on technologies that may not be the right fit for the organization. In some cases, introducing the wrong tools may create bigger problems than they solve.
Don’t rely on vendor data sheets that list bold claims and “stretch goals” achievable only in ideal use cases where individual products shine. Test against realistic attack scenarios to verify and uncover each solution’s unique set of strengths and weaknesses in your real or proposed environment.
First, evaluate each prospective solution on its own merits to validate vendor specifications. Subject solutions to foreseeable threats to make vendors prove their products live up to the hype.
Measure the impact of each point solution or platform on your high-priority coverage gaps and their ability to integrate within your environment. Is the solution difficult to configure? Does it significantly add to or alleviate the burden on your IT team or SOC?
Use a vendor-agnostic validation platform to see how well each product integrates within your environment. (HINT: the validation platform itself must integrate easily with multiple solutions to ensure fair comparisons.)
The Skeptical Buyer’s Checklist
• Is this the best use of budget?
• Will you need o add skills to manage this tool?
• Will introducing this solution upset downstream operations?
• Do we have the expertise to configure and manage this tool?
• Is the product our ideal solution?
• Do we need best-of-breed?
Employ BAS to model and apply a wide range of scenarios and configurations to gauge how adding controls, turning on new features, or consolidating vendors impacts your current workflows. Identify solutions that introduce the least risk and complexity downstream.
Once you narrow the search, conduct head-to-head bakeoffs to compare and rank the overall value and operational overhead each solution brings. BAS delivers empirical data to support your business case for a specific tool or platform but you may wish to consider other factors along with performance.
Which provider makes the best partner?
Too many disparate solutions leads to undo complexity and unwanted tool sprawl, but overreliance on one partner or platform—even those deemed “best in class”—creates vendor lock-in that brings its own risk. While the first impulse may be to go with established vendors, or to consolidate functionalities with a few security suites that you already own, sometimes innovative technology from well-funded startups produces better results.
Is best-of-breed best for our need?
Clearly, you’ll want to ask potential suppliers for references, preferably from companies in situations similar to your own. Leaders might also ask their team if they have prior experiences with prospective new partners.
Beyond the vendor’s reputation, base your final purchase decision on hard data. Conduct your own testing to decide whether the lesser-known point products or a best-in-suite solution integrates more smoothly with your stack—and works as advertised [read the related blog].
How can we validate success with BAS?
When cybersecurity works, nothing happens, which can make the value of new investments hard to quantify. Yet every CISO must demonstrate value from security investments to stakeholders.
When possible, choose solutions that fill multiple gaps to achieve compound returns on investment (ROI). And, at this last and perhaps most critical junction, provide empirical evidence of your improved security posture to justify sound decisions.
- Use BAS and other validation techniques along with analytics from security and ticketing tools and SaaS providers to remove doubt that your investments have:
- Solved the problem you were looking to solve (and maybe others as well)
- Reduced incidents, streamlined workflows, and improved reporting
- Measurably improved your security posture
- Made your team more efficient and collaborative
5 Tips for a Successful PoC
When considering a new tool, the PoC stage can be crucial to understanding its usefulness and ability to work within your existing suite of controls.
Keep it simple. It’s easy to get distracted with all the bells and whistles that a new tool can offer. The key here is to focus; if you try to do too much at once, you may risk overextending your team, or you may not be able to fully test the capabilities that are most critical.
Define clear success metrics. What are you trying to determine during this process? Defining metrics from the very beginning will help the vendor understand what matters most to your organization and will give your team an idea of what to look for when testing the new tool.
Define clear parameters for testing. Don’t end up with a long, drawn out PoC that siphons available bandwidth from your team. Ensure that all parties understand and agree on a definitive set of parameters, such as scope, time frame, and resources. Which leads to our next tip:
Understand what resources your organization needs to commit to the PoC and for how long. The PoC process typically requires time and resources from both the organization and the vendor in order to be successful. Make sure you have a clear understanding of the resources needed, and communicate this with your team to ensure that they are not blind sided or overwhelmed with additional tasks.
Ask vendors for examples of similar exercises conducted in similar situations. There’s no need to reinvent the wheel; being able to see similar instances of the tool in action can clarify questions you may have, give you insight into ways others have leveraged the tool, and provide additional assurance of its efficacy.
What happens next?
For additional factors to consider before buying more security tools, download the complete Skeptic’s Guide to Buying Security Tools white paper now. Or stay tuned for the next installment in this three-part blog series to see how skeptical buyers can future-proof their investments.