Cybersecurity products: When is it time to change them?
Enterprises should assess their cybersecurity products to make sure they're as effective as possible. Expert Mike O. Villegas discusses how to evaluate cybersecurity tools.
There are three reasons to end a vendor relationship or change a product or service: limitations, quality of service and cost structure. But sometimes enterprises need to end vendor relationships even when the product does what it's supposed to. There are three reasons for this as well, which are often out of the control of the CISO: downsizing because of cost reductions; a merger that brings in overlapping, competing products; and security metrics and incident experience. In these types of situations, another less expensive or less robust product would be better for monitoring particular channels. Let's take a closer look at these cases and how enterprises can assess the worth of their cybersecurity products.
Dealing with downsizing
Not all enterprises are profitable or grow at the rate they would like. This could be due to the economy, product obsolescence or rising operating costs. In order to deal with this unfortunate challenge, an organization might have all departments reduce budgets and operating costs. The CISO will then decide which cybersecurity products can be eliminated, renegotiated with the vendor, or replaced with a less-expensive technology -- all while maintaining the same level of protection.
One way to do this is by trimming the security portfolio. For example, reduce shelfware by eliminating products that were never used, reduce vendor management by outsourcing, eliminate cybersecurity tools that have redundant features, and customize single multifunction tools rather than multiple tools with single functions. In such cases, the CISO would not renew the maintenance contract, or would terminate the contract with the vendor altogether.
Overlapping products after a merger
Mergers and acquisitions happen, it's just part of doing business. But when they happen, there are tough decisions to be made. Two merging enterprises will usually have different inventories of protection and monitoring technologies. Depending on the merger approach, an organization may not have a choice if it is the one being acquired. The decision will be made to keep the best cybersecurity product that satisfies both enterprises, but one of the products will have to be terminated.
Security metrics and incident experience
Enterprises may also use security metrics to assess whether a cybersecurity product is worth keeping. These metrics will include calculating the total cost of ownership of a product, which includes a combination of the total cost of technology (TCT), the total cost of risk (TCR) and the total cost of maintenance (TCM).
TCT is what the product or service costs to acquire, and garners most of the focus during the purchasing-decision process. Enterprises should compare their current cybersecurity products with other products or services that have undergone a proof of concept to figure out which has the lower TCT.
TCR considers the risks the cybersecurity product may not address, but which are required by regulations or laws, such as PCI DSS, HIPAA, the Gramm-Leach-Bliley Act, the HITECH Act or SOX.
TCM is the cost to maintain a tool accounting based on the skill levels of the staff and the complexity of the tool or its management.
Over time, cybersecurity products will prove the type of attack vectors they are adept at protecting and monitoring, but they need to experience these attacks for this to happen. For example, if an organization experiences few Web attacks, a NGFW UTM feature might be sufficient security. This would render a Web application firewall unnecessary, and thus it could easily be eliminated without degrading protection or monitoring. The same could be true for DLP, MFA or wireless management systems.
The CISO's responsibility is to ensure the right level of protection and monitoring is in place to satisfy the organization's security goals and needs. While downsizing, mergers, and security metrics and incident experience are all important factors in making product and vendor relationship decisions, also consider these:
- The complexity of the product management and whether the product in question requires a significant amount of time for staff to use.
- The number of false positives. If the volume of false positives delays turning a product into a hard fail mode, the product then loses its effectiveness. Also, the amount of time to eliminate false positives could be too great.
- Managing the tool should be comprehensive, flexible and easy. If it's not, this can make the tool less useful and more time-constraining, not to mention frustrating.
- The skill levels of the staff handling the product. If someone only knows how to use a hammer, everything will look like a nail. Most people can obviously be trained, but if they also lack the aptitude, no matter how robust the tool, it will not be used to its full potential and benefit.
Finally, don't forget to consider the vendor relationship. CISOs may sometimes feel compelled to keep a tool because the vendor or sales person is extremely responsive and they develop an amicable relationship. But, if at the end of the day the product doesn't provide the level of protection or monitoring needed, the CISO needs to make the right decision and look elsewhere for cybersecurity products that are a better fit. The primary concern should always be what is right for the enterprise.
Learn how to find the best security tools for your enterprise
Check out how to avoid security tool overlap
Compare the top vulnerability management tools for enterprises