[10-10-24]--The Lurking Dangers of Neglected Security Tools
Defense in Depth
Should we consider money lost from deteriorating security products the same way we consider money lost to threat actors? If so, we need to systematically examine how we weed out dead weight from our security portfolios.
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Shawn Bowen, VP, deputy CISO - gaming, Microsoft. Joining us is Adam Fletcher, CSO, Blackstone.
Neglected tools drain resources
The cost of neglected security tools goes beyond the price of the product itself. An ineffective tool often creates an organizational drain that eats into your resources. "Usually, this security product generates alerts and opens tickets at a rate that doesn't help anybody at all, and now you have to pay people to close out alerts that don't impact risk at all. $4M turns into $10M down the drain pretty fast, and weakens security," said Shawn Nunley of Wiz. Being “software absent” when planning a controlled environment can help avoid this issue, suggested Todd Hammond of State Street: “Break down the threat management ideas into use cases and workflows. Evaluate where technology fits in the workflows for the use cases. This informs tech requirements. Evaluate your current tech stack to determine if existing tech fits any of those use cases or requirements. Then look at new tech solutions."
Who’s to blame?
One question that comes up with neglected tools is blame. Do we put this on vendors pushing products we don’t need, or on organizations that don’t realize what they are buying? "I have seen both sides & blame falls on both parties. Organizations who do not understand cybersecurity or their maturity posture seem to buy every security tool/hardware imaginable, believing it will somehow ‘fix’ the fact they don't understand their security program and weaknesses. Security has to be sold to an entire organization and to ‘allow’ hired security professionals to have input on what ‘tools’ or even hardware an organization feels they need to purchase," said Brandi Wolfe of Resultant. For Greg Thompson, however, the blame ultimately lands on the organization: "That sounds like an execution failure to me. It's easy to blame the vendor, but that's on me if I buy a product and fail to put it to work. And if a vendor outwits me by convincing me to buy something that adds little value, it is also on me. Some customers buy that health club membership and never use it."
Technology is the last step
Tools become neglected because organizations don’t establish the structure to make them useful. As Igor Barshteyn of Pens.com points out, a technology purchase should be the end of your decision-making, not the beginning: "You need to remediate people and process issues first and foremost, and only once those are in decent shape should you be adding technology on top to automate the correct process you developed to make people's lives easier. Just buying something and having it sit there, especially before you know exactly where your process gaps are, is entirely useless."
Buying tools to solve business problems
Organizations need to operate from a place of confidence to make good purchasing decisions. Buying in reaction to perceived threats and fear means you didn’t do the legwork to set up new tools for success. Brian Moeller of Walmart Global Tech made the case for avoiding FUD: "Fear, uncertainty, and doubt have historically been the way to encourage executive support - and that sometimes leads towards wasting resources. But there’s no need to play the panic card. I think our industry is finally beginning to realize the business approach to solving these problems and that fear, uncertainty, and doubt - and maybe panic - aren’t the best way to manage a business problem."
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, ThreatLocker
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Super Cyber Fridays!
Join us, Friday [10-18-24], for "Hacking the Hype of Zero Trust"
Join us Friday, October 18, 2024, for “Hacking the Hype of Zero Trust: An hour of critical thinking about what are the identity and access functions that are helping us achieve this security nirvana.”
It all begins at 1 PM ET/10 AM PT on Friday, October 18th, 2024, with guests Rob Allen, chief product officer, ThreatLocker, and Antony Symonds, Head of Group IT Operations, Westland Horticulture Ltd. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, ThreatLocker
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jason Shockey, CISO, Cenlar FSB.
Thanks to our Cyber Security Headlines sponsor, Vanta
When Can You Blame The User?
David Spark hit the show floor at Black Hat 2024 to ask security professionals when it's okay to blame the people they are trying to protect. Ultimately, blame is less important than identifying systemic issues within your organization that are causing security failures to happen. Your goal should be to change behavior; blame isn't the best motivator.
Huge thanks to our sponsor, Dropzone AI
Cyber chatter from around the web...
Jump in on these conversations
"Do you restrict USB use by default?"
"Why does no one outside the government use email digital signatures?"
"Does your organization enforce which browser to use?"
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[10-18-24] Hacking the Hype of Zero Trust
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.