CISOs need tools. But people definitely budget for too many.
You need to focus on tools that provide you with four or five really key elements. No. 1 is visibility. The important piece of being able to have visibility is the data. You need telemetry and data that make it possible for you to know everything. Security departments have to have an almost omniscient view of the infrastructure, of applications, and of every facet of the business so they can protect everything. You can’t protect everything unless you have a total view of the business.
The second most important tool is the tool that provides you with analysis. We use people to analyze, but there are different levels of analysis. You can analyze the things in front of you based on what you know. That’s what people do. But technology can analyze what people might not pay attention to, and can give visibility to anomalies and outliers. And that’s where the risks exist, in the anomalies and outliers. So a tool that gives you the ability to analyze data that might otherwise feel amorphous, or massive amounts of data, is a very important tool.
The third tool is something that allows you to organize your department. I’m the CISO at Customers Bank, and in the finance sector we have FFIEC (the Federal Financial Institutions Examination Council) as a standard, which provides baseline activities that a bank or financial institution is expected to do to improve its security. You need software that enables you to leverage those types of standards, to help you organize and manage your organization’s maturity.
You also need a tool that enables you to assess and review controls, the most important one being asset control. Who has access to what and how do you manage that process? People today do it on spreadsheets, but while Excel can be that tool, it’s not the best one.
The fifth thing that’s really important is to have a structure that enables intelligence. Not all departments need intelligence-gathering tools. Some can just leverage a third party, like a managed service provider. But if you do things internally, you need threat and intelligence tools to help you coalesce events and things that happen outside the organization but can impact it.
But as I said, CISOs budget for too many tools. Tools are something you should evaluate annually. I’m a firm believer that the worst thing you can do is sign a multiyear contract for a tool. Sometimes you don’t realize how operational or non-operational a tool is, and you don’t want to be stuck for years with a tool that doesn’t provide you with the insights you need.
CISOs should be evaluating the tools used across the enterprise on an annual basis to understand their effectiveness. Measuring their effectiveness is a big part of the job.
If you have ineffective tools, not only are you wasting money, but you are presenting yourself with an uphill battle on being able to manage technology and manage security.