As the number of security tools deployed continues to climb, it gets more difficult for enterprise security teams to know, with confidence, their overall state of security.
If you’re an enterprise, your network and IT spending are likely under pressure…except for security. If you’re a vendor, you face anemic revenue growth…except for security. Budget pressure? Ha! Security can almost always laugh it off. After all, every year there are new threats.
And each new threat seems to generate another layer of defense. And more complexity. Security has gotten too complicated, according to every enterprise who’s offered me an opinion. The biggest factor in complexity growth, say users, is that very multiplicity of layers and products. Vendors fear complexity might eventually stall security budget growth. To combat complexity, vendors are starting to emphasize the “security platform,” but users are divided over whether the platform concept is a benefit or simply another vendor revenue-raising ploy, a hero or a villain. Said one, “I’m not sure if [my vendor] is Gandalf or is forging the One Ring,” a reference to Tolkien’s fantasy classic.
But to continue that reference with a bit of paraphrase, enterprises aren’t necessarily against “One Platform to rule them all,” as long as it’s all their security tools that are being ruled and not their pocketbooks. Enterprises have a vision of what a security platform should be. They want a centralized framework into which network, data, application, and user/endpoint security are all integrated. It should provide a broad view of security status and issues, and it should provide a way to integrate elements not available when the platform was announced. The thing enterprises cite most often as a platform feature goal is a kind of coverage map, because they’re concerned that all these new layers are overprotecting in some areas while missing others.
According to enterprises, there are two different models for security tools: the asset-centric model and the threat-centric model. Asset-centric tools focus on what’s to be protected, including things like application access control, virus scans, and firewalls. Threat-centric tools focus on a specific threat or class of threat, like encryption to protect data from interception, or a tool to detect DDoS attacks or the kind of behavior that indicates ransomware. Because new security features tend to come along to deal with new threats, enterprise thinking has shifted to threat-centricity, though enterprises say they have both tool types in play.
In the end it’s about protecting assets from threats, but this shift to threat-centric security, say enterprises, can easily leave some assets uncovered. Threats can spread across multiple assets, and the specific implementation of a threat-centric tool might be more effective for one asset type (cloud versus data center, for example) than another. All of this makes knowing the overall state of security more and more difficult as the number of security tools grows over time.
Even knowing what your security tools are finding/preventing can be a challenge. Enterprises say it’s common for an attack to create multiple symptoms, and these may be divided across multiple tools. In some cases, a tool (like a firewall) may not generate any notification, but simply log an action it’s taken. Often, tools like firewalls and virus scanners are deployed at multiple levels, including at the end-system level, and issues detected in one place aren’t routinely available to correlate with the same issue detected in another. One common enterprise wish-list item is that a security platform recognize multiple “alert states” of increasing risk severity, and that in higher-risk states things that would otherwise merely be logged, or not recorded at all, would trigger notifications instead. Enterprises would also like a platform to recognize when multiple threats could be aimed at a common asset or set of assets, and to group those threats for analysis.
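The wish-list items above (findings from several tools correlated onto the asset they concern, an alert state that rises with corroboration, and log-only entries promoted to notifications in higher states) can be sketched in a few dozen lines. The following is an added illustration, not code from the column or from any vendor’s platform; the event records, the tool names, the field names `tool`/`asset`/`severity`/`action` and the state thresholds are all constructed assumptions chosen to show the mechanism.

```python
"""Cross-tool correlation sketch: group findings by asset, derive an
alert state from how many independent tools corroborate, and escalate
the notification policy with that state.  Constructed sample data."""
from dataclasses import dataclass, field

# Constructed sample records from three hypothetical tools.  The schema
# (tool, asset, severity 1-5, action "log" or "alert") is an assumption,
# not any product's real log format.
SAMPLE_EVENTS = [
    {"tool": "fw-edge",     "asset": "srv-db-01",  "severity": 2, "action": "log"},
    {"tool": "fw-edge",     "asset": "srv-web-03", "severity": 1, "action": "log"},
    {"tool": "edr",         "asset": "srv-db-01",  "severity": 4, "action": "alert"},
    {"tool": "ids",         "asset": "srv-db-01",  "severity": 3, "action": "alert"},
    {"tool": "av-endpoint", "asset": "laptop-117", "severity": 3, "action": "alert"},
]


@dataclass
class AssetView:
    """Everything every tool has said about one asset."""
    asset: str
    tools: set = field(default_factory=set)
    max_severity: int = 0
    events: list = field(default_factory=list)


def group_by_asset(events):
    """Collapse findings from all tools onto the asset they concern."""
    views = {}
    for ev in events:
        view = views.setdefault(ev["asset"], AssetView(ev["asset"]))
        view.tools.add(ev["tool"])
        view.max_severity = max(view.max_severity, ev["severity"])
        view.events.append(ev)
    return views


def alert_state(view):
    """0 = quiet, 1 = elevated, 2 = critical.  Corroboration across tools
    counts as much as raw severity (assumed thresholds): three tools, or two
    tools with a severity-4+ finding, is critical; two tools, or a single
    severity-4+ finding, is elevated."""
    n_tools = len(view.tools)
    if n_tools >= 3 or (n_tools >= 2 and view.max_severity >= 4):
        return 2
    if n_tools >= 2 or view.max_severity >= 4:
        return 1
    return 0


def should_notify(event, state):
    """State 0: only explicit alerts notify.  State 1: log-only entries of
    severity >= 2 are promoted to notifications.  State 2: everything on
    the asset notifies, including actions the tool would only have logged."""
    if event["action"] == "alert":
        return True
    if state == 2:
        return True
    return state == 1 and event["severity"] >= 2


def correlate(events):
    """Return {asset: (alert_state, [events that should notify])}."""
    result = {}
    for asset, view in group_by_asset(events).items():
        state = alert_state(view)
        notify = [ev for ev in view.events if should_notify(ev, state)]
        result[asset] = (state, notify)
    return result


if __name__ == "__main__":
    for asset, (state, notify) in correlate(SAMPLE_EVENTS).items():
        print(f"{asset}: state={state}, notifications={len(notify)}")
```

With the constructed sample, `srv-db-01` reaches state 2 because three tools report on it, so the firewall’s log-only action is surfaced alongside the EDR and IDS alerts; the lone low-severity firewall entry on `srv-web-03` stays a log line. The grouping step is the “coverage map” half of the problem: an asset that appears in no tool’s output at all never gets a view, which is exactly the gap a platform should be able to show.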
How well do the platforms offered meet user goals? Of 181 enterprises who offered comments, none said any offering met all their goals. Only 25 said that “most” goals were met, and 92 said none of their key wishes were fulfilled. Why?
The biggest issue enterprises cited was what they saw as an inherent contradiction between the notion of a platform, which to them had the connotation of a framework on which things were built, and the specialization of most offerings. “You can’t have five foundations for one building,” one CSO said sourly, and pointed out that there are platforms for network, cloud, data center, application, and probably even physical security. While there was an enterprise hope that platforms would somehow unify security, they actually seemed to divide it. Of our 181 enterprises, 174 said the security vendors’ own “platforms” had little claim to the term.
Even within a single security vendor’s offerings, users weren’t happy with the ability of a platform to give them a clear picture of assets, threats, and the relationship between the two. Only 43 of the 181 enterprises said the “single pane of glass” view of security was improved by the security platforms they were offered.
The AI opportunity
What could fix these problems? The number one suggestion (no surprise!) is AI, which 154 enterprises said would be able to correlate information from multiple tools/platforms. However, because these enterprises don’t believe that current security platform vendors will offer AI that spreads across the full spectrum of security needs, given their current specialization, they don’t know where the AI tool that unifies them all will come from.
Ah, but they hope someone will provide a true security platform based on AI. More enterprises think that AI would be transformational to security than think it would transform network or IT operations and infrastructure. Over two-thirds of them say that security vendors recognize this, but enterprises are equally divided on whether current security vendors would fully exploit AI, even within the specialized security platform targets they currently have. Given that incumbent vendors in nearly any technology sector tend to favor evolution over revolution, they may be right, and that would make the creation of an AI security platform a major opportunity for an outsider.
Maybe the major opportunity, in fact. Of 181 enterprises with security platform views, 134 said they believed that a third-party platform was more likely to address their issues with security tools. Only 37 thought a current provider of security tools would offer the ideal platform. The remaining 10 thought no offering would come along, and this group was the most pessimistic about the prospects for real control over security.
What impact, if any, does a formal position heading up security have? Well, 88 of the 181 companies said they had a chief security officer (CSO), a bit less than half. Of the 134 who believed third-party platforms were the answer, 80 were companies with a CSO, just under 60%, and of the 37 who thought a current security vendor would offer a solution 8 were from firms with a CSO, which is a bit over 20%. CSOs apparently believe that the current vendors aren’t stepping up.
It seems to me that divided security responsibility, arising from the lack of a single CSO in charge, is also a factor in the platform question. Vendors who sell into such an account not only have less incentive to promote a unifying security platform vision, they may have a direct motivation not to do that. Of 181 enterprises, 47 admit that their security portfolio was created, and is sustained, by two or more organizations, and every enterprise in this group is without a CSO. Who would a security platform provider call on in these situations? Would any of the organizations involved in security want to share their decision power with another group? Vendors don’t think so, so they don’t promote unity.
If enterprises want their security platforms to meet their goals, the most significant step they could take is to appoint a CSO, but even that step doesn’t guarantee success. CSOs themselves tell me that they’re struggling to find the right tool, and even looking beyond the traditional security providers hasn’t helped them find it. For as important as security is to enterprises, the absence of a complete security platform solution is, or should be, a worrying development.
Read more from Tom Nolle: