Security teams in the Middle East and around the world often struggle with complexity, and for many this feels like the norm and an everyday challenge. That familiarity makes it difficult to know when complexity has gone too far. With numerous, overlapping cybersecurity tools, extra layers are often added to the stack, making it difficult to manage and monitor. Most security organizations are aware that this complexity may be causing problems, but struggle to assess how and where. The challenge is that there is no objective measure of complexity, but there are several warning signs that indicate a cybersecurity stack is becoming too complex.
1. You’re Reactive, Not Proactive
Complexity leads to reactivity. If you are constantly wrong-footed by events and incidents, it’s a significant sign you should look to simplify your stack. A key indicator of this is the volume of alerts that your team struggles to process. In this situation, analysts often can’t identify real threats until long after they happen. Things are frequently made worse for analysts by an overabundance of platform management and administration tasks, as well as the need to learn an often-dizzying array of tools.
2. You Can’t Identify Where All the Budget is Going
If you’re struggling to track where all your budget is spent, that can be a bad sign. In this circumstance, CISOs need to find where the extra budget is assigned. If a CISO is struggling to identify the spend, and the organization is spending much more than organizations the CISO has previously worked for, it’s likely there is a complexity issue. As the industry has released new tools to tackle new threats, older tools are forgotten or ignored. It pays to take regular inventory of your environment. Remember that you should be able to justify the return on investment (ROI) for every tool in your stack.
3. Multiple Tools are Doing the Same Thing
Running multiple tools in parallel that do the same thing is another common sign of complexity. Some security teams have four or five programs running vulnerability scans at the same time, for no good reason. One should be enough. In these situations, the programs can generate a lot of noise that negatively impacts KPIs for the security team and leaves the CISO thinking they are receiving bad information from the team.
4. Staff Struggles to Master the Tools
Every CISO should have confidence in their analysts, and the tools available to them should enable – not hinder – their success. If your security staff is struggling to master the tools in your stack, this is a strong signal that there may be too many. The team’s time is divided between learning five tools that do similar things, rather than mastering one or two. The goal should be to arm your analysts with a couple of tools they can
5. You’re Protecting Things That are Already Protected
People worry about the implications of moving to the cloud for security. Is it wise to hand over sensitive data to a third party? The answer is often ‘yes.’ A good indication of this is that cloud providers have been largely unaffected by the major ransomware attacks of the last five years. While no solution is immune from attack, it’s wise to think about your environment and identify areas where you might be duplicating security controls.
6. You’re Spending a Lot of Time Documenting Tools
It’s good practice to document tools so that common operations are repeatable and the security team can learn from their experiences. But there are warning signs to look out for during the documentation process. For example, if the team feels like they are documenting every operation for a tool, that’s a sign something is wrong. It could be that the tool itself is not the right one for you. Or, it could mean something is wrong with the tool configuration. If the team spends a lot of time documenting across all the tools in your stack, it’s probably too complex and the tools may not be user-friendly enough.
7. You’ve Forgotten About Some Legacy Tools
It pays to guard against overlooking legacy systems that are still switched on. If a legacy system is still creating alerts, these can be missed. Worse, if a legacy tool catches an incident, but nobody is reporting on the tool, that incident could go unnoticed.