YOUR PROBLEM IS OUR PROBLEM
Daily, I hear differing answers about the number of security products in the marketspace. They vary from 1,000 up to 2,500, depending on who I speak with.
The barrage of security vendor calls CISOs receive is almost unfathomable. On a regular basis, they receive calls from companies boasting the next greatest product that will make their lives easier.
The uptick in security companies stems from 2017 marking the largest amount of VC funding for cyber security in history. With cyber incidents such as Equifax and Uber making headlines, the world has taken notice, and smart entrepreneurs continue to capitalize on this profound awakening to the value of protecting organizations.
The interviews we conduct with CISOs to feature them in our magazine include many discussions around this topic, and we hear the same thing. They are often confused about how to differentiate between vendors' messaging, and they refuse to rely on industry publications as a source of unbiased information about products.
My message to CISOs is: your problem is our problem. I too receive countless calls and messages from security vendors wanting to partner with K logix. And I too see a lack of accountable, agnostic and extensive research that differentiates the products in these cluttered marketspaces.
This challenge raises two questions: with all the clutter, how do you separate the signal from the noise to make solid decisions? And how do you know when you need to invest in a new solution versus operationalizing what you already have? We set out to answer these questions.
SEPARATING SIGNAL FROM NOISE IN A CLUTTERED MARKETSPACE
Sometimes relying on the opinion of your peers when making technology investments is not enough. And while we know this is the approach most CISOs take, we set out to find a way to sort the signal from the noise in cluttered marketspaces.
We created a charter to agnostically evaluate, analyze and test security products in different marketspaces in order to provide the security community with our results. Many teams lack the time to painstakingly understand the business and technical requirements for a new product while being able to pair that with a sound evaluation process.
We started with endpoint security, and to date have evaluated seventeen endpoint security products over a two year period. Our second testing area was the Cloud Access Security Broker marketspace, where we spent six months testing eight products. Our testing is weighted and scored dynamically based on specific use case requirements.
OUR GOALS ARE SIMPLE
My advice to CISOs is to save themselves time, money and team effort by leveraging agnostic third party research. Here are the benefits of doing so:
Eliminate the noise: Save time and money evaluating products that don’t meet your business and technical requirements.
End user impact: Understand the impact various products might have on worker productivity and performance.
Efficacy: Understand efficacy performance levels for the different solutions, and what dependencies those rates are based on.
Time to value: Spend weeks on an evaluation that could otherwise take your organization many months to complete.
Board-level preparation: Ensure you have evidence-based documentation to support the findings, enabling security leaders to confidently present to the Board for justification and approval.
BEFORE INVESTING, EVALUATE
If we take a step back, CISOs must keep in mind that before addressing the cluttered marketspace and investing in new technology, they need to understand the importance of evaluating all products already in their security programs. Many solutions are purchased to solve a point problem, without considering the impact on operations, the overall risk landscape and total financial allocation.
Recently, a K logix customer with eighteen security technologies wanted to gain a holistic picture of their investments from an operational, financial and risk perspective. After speaking with them, they realized they significantly lacked the time, people or process to evaluate their investments, yet they required justification for new technology product purchases.
K logix interviewed security leadership and technology caretakers and implemented our strategic investment evaluation process. Then, operational maturity scores for each product were determined, technologies were mapped to the SANS CIS control areas, and the financial allocation for each SANS CIS control area was reviewed. This presented the customer with a picture of which areas of their investments they needed to consolidate, where divesting from investments was key to saving budget, and which areas required investing in new technologies to meet alignment with the control areas.
In research done at K logix, only 24% of organizations that conducted an assessment of their security investments were fully aligned with the most critical SANS CIS areas, one through five. Furthermore, on average, organizations saved 20% of their budget by divesting from products. This enabled them to save money and time, and to make justified budget decisions on any new investments.
WHAT WE’VE LEARNED
There’s a chance the cyber security startup bubble may burst or deflate in the next few years, yet the trail of clutter will remain a challenge for many security leaders. The confusion in the market came through loud and clear from our CISO community, and we established agnostic research and testing processes to address it. Our Internal Research Department has tested the Endpoint and Cloud Access Security Broker marketspaces and is currently testing the privileged access management space.
We also heard from CISOs that they needed to operationalize and concisely understand their current investments before investing in any new products. Our Security Investment Assessment was born from these challenges.
Ultimately, we understand security programs may be overworked and tight on budget. We aim to collaborate with them to understand their business and technical needs, then help them achieve their goals for budget justification, executive alignment and limited impact on their teams’ time. The CISOs we featured in this issue discuss many of these challenges. I hope you enjoy reading this issue of Feats of Strength, and if you face any of these challenges, reach out and let us help you strengthen the business of information security in your program.