Inside cybersecurity’s shelfware problem

Security tools can find their way into the enterprise arsenal in interesting ways: a CIO who insisted on buying a particular technology after seeing an ad, executives who buy a specific option required to meet a business partner’s prerequisite standards for doing business, teams that carry over all existing product licenses during a merger rather than purging superfluous software.

Alan Brill, who as senior managing director of cyber risk at consulting firm Kroll, has seen all such scenarios. “There are often tool sets being bought that are sometimes not being used at all or they’re used with less than the full capabilities turned on,” he says.

Research backs up Brill’s assessment.

According to CSO’s own 2020 Security Priorities study, 50% of security leaders say they don’t use all of the features included in their security technologies/services. Meanwhile, 26% report that their purchased security technologies and/or services are under-resourced in terms of people, support services, or deployment. Furthermore, respondents report that they only use 72% of the security products or services that are either purchased or contracted for use.

The security function clearly has a shelfware problem, experts say, and the situation comes with consequences. The over-purchasing and underutilization of security tools and technologies is not only expensive and wasteful, but it adds unnecessary complexity, further taxes already busy staff, and hinders more productive security operations.

“There may be different reasons for it,” Brill says, “but it comes down to lost opportunity costs: What could have been done with those funds instead to really help improve security?”

Better utilization for full value

Those figures don’t surprise Neil Daswani, a veteran cyber security leader and co-author of Big Breaches: Cybersecurity Lessons for Everyone, who says he, too, has seen security teams buy solutions and then not fully deploy them.

“I think that there are some legitimate reasons for some of the perceived underutilization, but there are also some legitimate concerns,” he says.

Indeed, security teams in some cases may thoughtfully select solutions knowing that they only plan to use some of the tools’ specific capabilities and choose to enable only those functions that mesh with their organization’s strategic needs. That’s perfectly acceptable, Daswani says. Others note that security teams may purchase redundancy by design to ensure they have needed capabilities when needed. For example, a CISO may have two or more service providers on retainer to assist if there’s a breach so they’re guaranteed to get enough help even in the event of a widescale attack affecting many companies.

However, security experts say there are many more cases when the underuse of security tools isn’t strategic but reactionary. The security team may have inherited a collection of redundant tools as a result of mergers and acquisitions. Or they might have accumulated the same capabilities from multiple solutions as staffers and executives deploy their own preferred options. Still others might have selected technologies without having the resources to train existing workers or hire new ones to understand, deploy, or correctly use the full suite of capabilities they bought.

John Kronick, regional director of risk management and governance at the security consultancy NCC Group and a former CISO, says he worked with one company with data loss prevention (DLP) software and security information and event management (SIEM) but didn’t have the resources to tune those to the organization’s unique needs, meaning neither tool was working at to its maximum value.

At the same time, CISOs have less room for any errors in both their security strategies and their team’s operations. The number and complexity of threats continues to mount, the cost of failure is climbing, and funding for programs will remain tight. As a result, there’s increasing pressure for CISOs to maximize the value of their investments.

“CISOs should make sure they’re fully utilizing their dollars before asking for more, and if they can do that, that’s the first step toward having a productive dialogue around what are the next threats to defend against and the dollars needed to do that,” Daswani says.

Audit, assess, and adjust

To do that, CISOs should start with a clear understanding of the security solutions they have so they can assess that they align with the organization’s security strategy by addressing the risks it faces, says Don Heckman, cybersecurity director at Guidehouse, an advisory, consulting and outsourcing firm.

“You should always look at your environment, and look at your cybersecurity program and technologies at least every 12 to 24 months. It starts with a robust enterprise risk managing program, laying out those risks and the right mitigations,” he says. “And take that strategic look at what you have, what you should have, and what you can get rid of. You can do a tools rationalization to really determine if you have the right tools for what you’re worried about, getting rid of redundances and complexity and addressing gaps.”

That work also allows CISOs to focus staff training programs on the remaining technologies, further improving the chances of using each one to its fullest value.

Heckman says such work pays off.

“Everyone complains that they don’t have enough money, that they need more money for their cybersecurity, but at the end of the day if they took a step back and did a full assessment of their cybersecurity tools and capabilities, they could find that if they recovered half of the money spent on capabilities they didn’t use that it could go a long way toward covering other [more strategic] resources,” he says.

More strategic selection moving forward

All purchases moving forward should have the same scrutiny to ensure the security function doesn’t lapse back to underutilization, and to do that CISOs should align each new buy to their strategic objectives, says Tom Kellermann, the head of cybersecurity strategy for VMware and the Wilson Center’s Global Fellow for Cybersecurity Policy and member of the U.S. Secret Service Cybercrime Investigations Advisory Board.

He suggests aligning capabilities to frameworks such as the MITRE ATT&CK model.

Kellermann also advises CISO not to buy any security product in a perpetual mode, opting instead for software-as-a-service to gain more flexibility as well as to better keep pace with future innovations.

CISOs should also ensure that their new purchases aren’t singular in purpose, but instead can be integrated into their environment via APIs and ultimately work cohesively with the other security technologies to deliver the insights needed to detect the threats that pose the greatest risks to the organization.

“You need to get down to five or six security controls that allow you to achieve that visibility,” Kellermann adds.

Invest in automation

The high volume of alerts the tools generate also contributes to their underutilization, experts say, noting that security teams are so overwhelmed by the number of alerts that they shut down some detection and alert capabilities just to cope.

It’s a widespread problem. Seventy percent of respondents to a recent survey conducted by Dimensional Research on behalf of Sumo Logic, say that the number of security alerts they receive on a daily basis has at least doubled over the past five years. Moreover, 93% say their security teams could not address all of their security alerts in the same day, and 83% say that their security teams experienced alert fatigue.

To counteract that fatigue, Kronick advises CISOs to automate as much of the process as possible so staff can investigate only the truly troublesome alerts.

Kronick further notes that implementing automation not only helps CISOs maximize the value of the technologies they’ve already deployed, it also has the more significant benefit of improving their overall security posture.

Build partnerships

Maarten Van Horenbeeck, the CISO of software company Zendesk, calls out two cases where underuse is indicative of a problem.

One is when the security team purchases a tool and implements it within its own realm of control when the team would be better off partnering across the business and getting other teams to adopt it. “This often affects security assessment tools,” he says. “In order to be effective, security teams need to drastically outsource security capability and foster knowledge across the business, including sharing the capabilities of many of the tools they use,” he adds.

Another is when the security team doesn’t fully understand a tool’s capabilities and thus doesn’t use it to its full effectiveness—a scenario that can be improved by partnering better with the vendor.

“This can happen when the security team doesn’t see the vendor as a way of bringing in deeper, external expertise to build out a better security posture. Any time we bring in a security vendor, we’re not just looking for a tool, but we’re looking to deepen the effectiveness of our security program in an area where the vendor is the expert, not us. That requires us to build a lot of trust with the vendor and their team,” he adds.

Put effectiveness first

Although security teams should ensure they make the most out of their existing technologies to avoid unintentional redundancies and unnecessary spending, Daswani cautions against making the maximum utilization of tools as a metric for success.

Yes, he says, CISOs should avoid “a bunch of half-baked implementations of security measures. But the primary metric should be the effectiveness of the counter you have. If you have employed countermeasures and you’re showing 99.9 percent effectiveness against the [identified threats to your organization], it may not matter if you haven’t used every single feature. I do think more features will help with countermeasures, but the real metric is still effectiveness. The secondary metric is utilization.”