It’s no secret we’re going through a period of economic challenges. This uncertainty is forcing organizations, big and small, to carefully reexamine their investments, including technology expenditures like cybersecurity. So I want to propose an idea that borders on heresy: sometimes we don’t need best-in-class or best-of-breed controls when good enough will work. If you have a best-in-class security program, you can afford for the underlying technology to be merely good enough.
Sure, if you have the latest and greatest technology stack, you can theoretically withstand the latest and most advanced attacks. Why do I say theoretically? In my experience, most companies struggle to fully use the basic features of their security controls, let alone take full advantage of the advanced capabilities those controls purport to have.
Companies invest tens and hundreds of thousands of dollars in technology they only use at a basic level. Does that mean they’re not secure? Not necessarily. Their policies and programs, together with the basic features they do use, often provide the coverage they need. I would love to have a Lamborghini, but considering where I live, I’ll never be able to go over 70 miles per hour legally anyway, and with current gas prices I wouldn’t want to take out a second mortgage to maintain it. I certainly don’t need it when my hybrid vehicle takes me anywhere I need to go and does 95% of what I would use the super-car for.
Now, before I alienate all the next-gen vendors, I don’t mean to say your technology is not good, or that buying it is wasteful. It’s awesome! If I had all the money in the world, and the talent to use every feature your product offers, I would buy it in a heartbeat. I just can’t necessarily afford all the shiny toys in the store, not when I need to balance my budget across my entire security portfolio. When I was a kid, my game console was an Atari, and I spent many hours fully entertained. I now have a couple of the new game consoles just gathering dust.
So, before I invest in new technology, I have to ask myself: am I using my current controls to their full potential? Is there a real gap they can’t address? Can I prove I really have that gap? And what will the operational cost of switching to the new technology be?
Best-in-Class vs. Best-in-Suite
We’ve all seen how the industry consolidates technology capabilities. Microsoft, Broadcom, McAfee, Palo Alto Networks, Check Point Software Technologies, and many more vendors offer suites of products that address multiple security needs.
Perhaps you are familiar with the American TV host Alton Brown of the Food Network. What does he have to do with cybersecurity? Probably not much. But Alton has a very good philosophy about “unitasker” gadgets versus “multitasker” gadgets that does apply to cybersecurity technology. Basically, a unitasker is a gadget built for one specific use case; a multitasker is a gadget with multiple use cases.
A simple example is a $300 Benchmade-brand hunting knife unitasker versus a $20 Swiss Army knife multitasker. If I go hunting—for the record, I don’t—I would much rather have the best hunting knife, but if I’m slicing an apple—and for the record, I do—the multitasker Swiss Army knife would work just fine, and I can also open a wine bottle at the same time.
So how does this apply? At a recent security conference, I heard multiple people dismiss one vendor’s multitasker offering in favor of another vendor’s unitasker best-in-class product. The common example I keep seeing on Twitter and hearing at conferences is how Microsoft Defender is no match for the EDR/XDR product du jour. And maybe it isn’t.
The difference is that if I already have an Office 365 license, it will cost me much less (if anything) to add on Defender, and it will be very easy for me to deploy. At the end of the day, will the best-in-class product give me any real added coverage over it? To be clear, this is not meant as a disparagement of Microsoft Defender; I have not had any negative experiences with the product. Nor should it be taken as an endorsement. It is a very good and accessible technology I can leverage immediately. I have seen too many peers hold off on deploying a good-enough technology while waiting for the budget for the shiny toy.
As a pragmatic CISO, when I look to address a gap in my cybersecurity mesh, I first check whether any of my existing security controls are part of a suite that can be extended to cover that gap, especially if the extension will integrate well with the rest of my cybersecurity mesh. I also validate whether I actually have a gap by testing my current controls with technology like breach and attack simulation; perhaps what I have is good enough. With the data from that validation, I can decide whether an investment in a new unitasker best-in-class security control is justified, or whether my best-in-suite multitasker is good enough.
When we are all being asked to tighten our belts and be prudent with our budgets, the pragmatic approach is to validate that my good-enough cybersecurity mesh can take me where I need to go.