Cloud Security Perspectives and Insights

News, October 13, 2020

Shiny Object Syndrome: Ensuring Your Security Puzzle is Complete

Kurt Hagerman
Principal Cloud Security Advisor

I bet you never thought that assembling all those puzzles you did when you were a kid would have real-world application! As a senior security executive, building your security program within your budget while doing your best to mitigate the risks your organization faces is very much like assembling a very difficult puzzle.

The nearly 5,000 security vendors offering more than 10,000 security products, along with the major cloud providers releasing more and more security services to strengthen the security of their solutions, make assembling your own security puzzle a daunting task. It reminds me of putting the Red Riding Hood's Hood puzzle together. It was over 500 pieces, all the same color, in a round puzzle, probably the most challenging puzzle I ever assembled. These vendors all claim to solve the latest security problems and to do it easily and seamlessly. The trouble is that there is no easy button for security, and every organization has its own unique security challenges; this makes it difficult to select the right mix of tools to secure your organization and mitigate risk to a level your board and executive team find acceptable within your given budget. Compounding this is the fact that none of the tools talk to each other effectively; many offer overlapping feature sets, and all claim to do far more than they can deliver. This often results in more tools than can be used and managed effectively, along with unsustainable costs.

So, what is Shiny Object Syndrome (SOS)? It is a condition characterized by the rapid, unchecked growth of disparate security tools that clutter security programs and limit their effectiveness. There are two main drivers for this:

  • Decision makers (often well above the CISO's level) become enamored with the latest and greatest security "must-have" solutions and push the organization to buy them without considering their value to, and impact on, the organization; and
  • CISOs often purchase tools with little evaluation of how they will integrate into their existing program to add value, because getting budget for these shiny new tools is often much easier than getting it for the projects that will actually close risk gaps and improve their programs.

Over time, these tools add up. Either poorly leveraged or completely abandoned, they can limit the effectiveness of a security program while putting a strain on in-house resources to implement and manage them. These many tools create multiple silos of data that are challenging to parse, correlate and turn into actionable information that can be used to protect the organization.

The result is often a security program that looks good from the outside but suffers from internal rot, leading to an increased risk of compromise.

How can you combat SOS?

  • Start by developing a holistic security vision and communicate it to the entire organization from the top down, starting with the board and C-suite. Ensure they understand that you have a vision and an approach to realize it, and get their buy-in early. If they understand your vision and approach, they will be far less likely to recommend tools that don't fit.
  • Evaluate your existing program against the risks your organization actually faces in the way it handles its sensitive data. It's important to use the real-world risks your organization has documented, not every theoretical risk or latest hack you read about that isn't relevant to your business. Identify the current overlaps and gaps in your security tooling and then build a plan to eliminate them. A careful analysis often uncovers funding sources: tools that can be eliminated because their function is duplicated by another tool you're not using to its fullest potential.
  • Communicate your plan in language your board and C-suite understand. If you think about it, they are paying for your silence, as they consider it a sign of no problems. If you don't report any significant issues one year and then go to them with a request for additional budget based solely on "we need it to protect the business", you'll likely be met with silence and told no. If, however, you can create a narrative, with hard numbers, around how the additional budget will result in increased revenue, increased market opportunities and risk reduction in real dollar terms, you'll have a much better chance of getting your budget approved.
  • In the end you likely won't get everything you want, so make sure to prioritize your asks by what the organization values most (revenue, increased business, reduced risk), balanced against what will provide the greatest risk reduction (in dollars) for the lowest cost.

In summary, by approaching your security puzzle with thoughtful planning and effective communication with your executive team, you can avoid the many negative consequences of chasing the latest security tools and protect yourself against SOS. I am excited to speak about SOS in greater detail at the Paubox SECURE event on Wednesday, October 21st. Oracle also recently announced new cloud security services that can reduce security complexity and strengthen cloud security posture.
