What CISOs Are Saying: Reducing Complexity


Through our extensive research via our Feats of Strength publication and our Internal Research Department, K logix has successfully collected trends from over 150 distinguished security leaders in a variety of verticals in the security space. When it comes to the issue of reducing complexity, here's what CISOs have to say:

According to the research we've compiled from our Feats of Strength interviews, 68% of CISOs believe it is essential to reduce complexity within their security architecture. 

One of the top challenges CISOs face is clearing the security product clutter within their programs and simplifying their processes so they can focus on business alignment and strategic advancements while continuing to mature and reduce risk.

Most often, complexity stems from the combination of too many security products and an under-resourced team. Today, CISOs believe over 80% of their security investments are underutilized. They also believe many investments they have purchased do not correlate to specific security control areas and, in some cases, they may be overspending.

An abundance of underutilized security products hinders productivity and may inhibit strategic focus, but investing in solutions based on program gaps helps make sense of the cluttered security product market. 

Managing too many underutilized products is a drag on resources, from both a budgetary and a time perspective. With consolidation as one of CISOs' top priorities, they must focus on reducing the number of products in their environment to free up budget to spend on other important areas, as well as to give time back to their team.

Additionally, complexity will continue to increase as businesses transform, and security will be repeatedly tasked with keeping pace with changes within their organizations. When confronting the cluttered security product market, John Heasman, CISO at Chegg, focuses on understanding exactly how a solution will fit into the overall program and specifically what gap that solution addresses.

On page 21 of the September 2019 issue of Feats of Strength, Heasman states, “There are a few key things I always look for in technologies. A few years ago, having products with API was a 'nice to have' but nowadays I feel API support is an absolute necessity. An organization like ourselves, we’re often not running these tools in isolation. They’re often not run by humans, they’re orchestrated by other processes and we want to pull the results down, manipulate them, store them elsewhere, and aggregate them with other tools. That’s something I will always ask a vendor. I like to see vendors that have really considered their API and really understand how customers like us are going to use their product.”

Heasman also speaks with Venture Capital companies and always asks for references from any security product he is interested in purchasing. He seeks references from companies of similar size and scale to understand how the product will address his specific challenges. Actions like these from CISOs and security leaders work to reduce complexity and clear the security product clutter.

Making smart, purposeful investments in technologies is key to reducing complexity for a number of CISOs' security programs.

In the September 2019 issue of Feats of Strength, Drexel University CISO Pablo Molina states that in order to reduce complexity and ensure the technology investments continually meet needs from a security perspective, he has instituted a vendor assessment program. This program ensures they select vendors that are secure, have both security and privacy by design, and follow responsible computing principles. He states, “Everything becomes much simpler because it is not that you bought a product or a service and now you have to figure out how to make it secure; it is by definition that the company was thinking of making the product or service secure. Sometimes it requires making what may initially look like more expensive purchasing decisions, but in the end you realize that the total cost of ownership and the total risk profile are much more beneficial to your organizations.”

Molina also believes many CISOs have invested in security products and services but are not taking advantage of the full business value they offer. He says you must maximize their use and master your own knowledge in order to get the most out of those products for your organization. Molina comments on page 17, “You have to be strategic about it. In my case, I have limited resources, and because they’re limited, I may pay attention to new and interesting technologies, but in the end, I concentrate my efforts into doing business with a handful of vendors. And for those, I know the executives, I know their roadmaps, I know the application cases, I know the adoption patterns within the organization. That’s the way I do it.”


K logix offers strategic consulting services to help security leaders overcome the challenge of complex and cluttered security programs. K logix's Project Advisory service identifies your core business and technical requirements for purchasing a new security product to address a key risk, then leverages our business analysis and security expertise to reach a justified, impactful investment decision. We agnostically evaluate products in an identified marketspace segment, including Endpoint, Cloud Access Security Broker, Insider Threat and many more, in order to provide our customers with justified results.

Drop us a line for more information on how we can work together to strengthen your program. 


Want more? Listen to our Webinar on Reducing Complexity with Dmitriy Sokolovskiy, CISO at Avid, who addresses the current work from home situation in addition to explaining how he clears the security product clutter and chooses the best solutions for his organization. 

Written By:

Marcela Lima Jun 15, 2020