It’s becoming evident that the ballooning array of security technologies—‘technology sprawl’—is compromising organisations’ ability to protect themselves from security threats.
In our most recent bi-annual workforce study, 74 percent of information security professionals expressed grave concern over the sprawl, warning that it is becoming increasingly difficult to manage the proliferation of security products, some of which go out of date faster than supermarket fruit. Many also reported that the ensuing chaos is reducing both security effectiveness and employee productivity. Organisations are now coping with too many different security products from too many different vendors.
The root causes are varied. Some professionals blame the sprawl on mergers and acquisitions, which force organisations to absorb a vast array of disparate security technologies and procedures. Others blame the point solutions offered by vendors, while still others argue that the problem stems from a fragmented, decentralised purchasing process.
Some respondents also report that the sprawl is being exacerbated by a lack of compatibility across vendors and by the desire of many organisations to buy ‘best of breed’ for any given requirement. And we can’t deny the impulse to go after the latest and greatest technologies – something I like to refer to as ‘shiny toy syndrome’.
Whatever the reason, the impact adds to the strain on an already stretched information security function, given the well-reported skills gap in the sector.
Our survey reveals that the biggest impact of the proliferation of ever-changing security products is the spiralling cost and time involved in training, operations and maintenance.
Many report having to make significant investment in the development work needed to retrofit and customise procedures, simply to achieve some level of coherence across the plethora of tools and dashboards now at their disposal.
Against this background, it is interesting to note that the most common threat technique reported this year, in our own workforce study and in many others, is actually the phishing attack. The greatest need here is to invest in training staff not to fall for fraudulent emails. Yet, worryingly, our study suggests a declining focus on end-user awareness training, pointing to a level of complacency, even as investment in technology continues to rise.
We need to remember that information security is a function that requires management and skills, as well as the ability to analyse and communicate. We must give the right priority to ‘people’, ‘processes’ and ‘technology’. We can’t deny the need for technology, but I question whether, when it comes to procuring it, we are truly guided by what will allow intelligent policies to be executed.
‘Best of breed’ must be defined by the combination of the right people using the technologies that best support the right policies, not by the technology itself.
Dr Adrian Davis, CISSP, Managing Director for EMEA at (ISC)2