How to implement security control rationalization

Security control rationalization helps CISOs reduce cybersecurity tool sprawl, cut spending and improve efficiency -- all without compromising protection.

Cybersecurity complexity is continuously compounded with the adoption of new security controls, point products and platforms -- an issue that ironically creates more vulnerabilities than it solves.

In research from Enterprise Strategy Group, now part of Omdia, 37% of respondents said their organization uses more than 26 security products, with 10% of those saying they use more than 51. Managing this portfolio of products and ensuring the attack surface is adequately protected is becoming exceedingly difficult for security teams.

CISOs should consider security control rationalization to reduce the number of tools in use while ensuring systems remain protected. Let's examine why security control rationalization is beneficial and how CISOs and security teams should evaluate and optimize their tools.

How control rationalization can improve security and lower budgets

Organizations historically adopted new security tools when necessary to both mitigate new threats and meet business demands. This approach, however, leads to tool sprawl -- the accumulation of multiple tools that often only fulfill a single purpose or overlap in functionality -- which creates a complex toolbox that is difficult to manage and use.

This proliferation of tools can result in the following:

  • Coverage gaps. Too many tools make it more difficult to efficiently monitor attack surfaces and secure data.
  • Patching issues. Updating and patching every tool can result in excessive downtime and prevent security teams from focusing on important tasks.
  • Alert fatigue. An overload of alerts -- some of which might be false or redundant -- can cause security teams to miss or overlook critical issues.
  • Increased costs. Tool sprawl can result in budget sprawl. Each new tool involves the cost of the tool itself, as well as time and staff investments.
  • Poor performance. Using too many tools can decrease teams' productivity because environments become more complex to navigate, which can lead to confusion and fewer tasks completed.

CISOs know teams today require a combination of tools and services that operate in on-premises data centers and cloud environments, but the question is how many. While there is no magic number, CISOs and their teams should use security control rationalization -- the process of identifying, assessing and optimizing controls -- to manage the tools in use and improve their security posture.

Security control rationalization offers the following benefits:

  • Improved security. By reducing the number of tools in place, security teams can more easily monitor attack surfaces, find and fix security gaps, and enhance observability.
  • Efficient resource management. Tech rationalization enables security teams to keep only the tools needed to protect IT infrastructure and understand when tools aren't working as intended and need to be removed or replaced.
  • Better collaboration. A manageable number of tools helps reduce the chances of siloed data, which enables security and business teams to work together more efficiently.

How to consolidate security controls and tools

The tech rationalization process involves the following general steps:

  • Identify. Inventory existing tools and controls. Determine organizational security requirements and map the tools and controls to them.
  • Assess. Evaluate how effectively each tool satisfies the control requirements it was mapped to.
  • Rationalize and optimize. Use the assessment to identify and eliminate redundancies, repurpose tools, consolidate services and tools, assess control coverage and prioritize new tools and controls.
  • Repeat. Security control rationalization is not a one-off task. Establish a continuous tech rationalization schedule and perform thorough analysis when evaluating new tools or platforms.
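The identify, assess and rationalize steps above amount to a small data model: a list of required controls, an inventory of tools with the controls each one satisfies, and a few set operations over them. The following Python script is an added illustration, not code from the article or its author. The control identifiers, tool names and annual costs are constructed sample data, and the required-control list stands in for whatever framework mapping (CIS Controls, NIST CSF or an internal standard) the organization actually uses.

```python
"""Worked example of security control rationalization over a tool inventory.

All data below is constructed for illustration; it describes no real organization.
"""
from collections import defaultdict

# Constructed sample: controls the organization has decided it must have,
# keyed by a short identifier (assumed to come from the org's framework mapping).
REQUIRED_CONTROLS = {
    "EDR": "Endpoint detection and response",
    "DLP": "Data loss prevention",
    "VULN_SCAN": "Vulnerability scanning",
    "CSPM": "Cloud security posture management",
    "DSPM": "Data security posture management",
    "SWG": "Secure web gateway",
    "NDR": "Network detection and response",
}

# Constructed sample inventory: tool name -> (controls it satisfies, annual cost in USD).
TOOL_INVENTORY = {
    "EndpointSuite A": ({"EDR"}, 120_000),
    "XDR Platform B": ({"EDR", "NDR"}, 180_000),
    "Legacy DLP C": ({"DLP"}, 60_000),
    "CNAPP D": ({"CSPM", "VULN_SCAN", "DSPM"}, 200_000),
    "Scanner E": ({"VULN_SCAN"}, 45_000),
    "DSPM F": ({"DSPM"}, 70_000),
    "Legacy VPN G": ({"VPN"}, 30_000),  # capability nobody has mapped to a requirement
}


def map_controls(inventory):
    """Identify step: map each control to the set of tools that satisfy it."""
    coverage = defaultdict(set)
    for tool, (controls, _cost) in inventory.items():
        for control in controls:
            coverage[control].add(tool)
    return coverage


def assess(inventory, required):
    """Assess step: report required controls nobody covers (gaps) and required
    controls covered by more than one tool (candidate redundancies)."""
    coverage = map_controls(inventory)
    gaps = sorted(c for c in required if not coverage.get(c))
    redundant = {c: sorted(t) for c, t in coverage.items() if c in required and len(t) > 1}
    return gaps, redundant


def unmapped_capabilities(inventory, required):
    """Assess step: tool capabilities that map to no current requirement, i.e.
    tools that may be paid for without satisfying any control the org asked for."""
    coverage = map_controls(inventory)
    return {c: sorted(t) for c, t in coverage.items() if c not in required}


def rationalize(inventory):
    """Rationalize step: iteratively retire tools whose every control is also
    provided by another remaining tool, most expensive first, so that no
    coverage is lost. Recomputing coverage after each removal avoids retiring
    two tools that only covered each other. Returns (retired tools in order,
    annual savings, remaining inventory)."""
    remaining = dict(inventory)
    retired, savings = [], 0
    while True:
        coverage = map_controls(remaining)
        candidates = [
            tool for tool, (controls, _cost) in remaining.items()
            if all(len(coverage[c]) > 1 for c in controls)
        ]
        if not candidates:
            return retired, savings, remaining
        # Retire the costliest fully redundant tool; tie-break by name for determinism.
        victim = max(candidates, key=lambda t: (remaining[t][1], t))
        savings += remaining[victim][1]
        retired.append(victim)
        del remaining[victim]


if __name__ == "__main__":
    gaps, redundant = assess(TOOL_INVENTORY, REQUIRED_CONTROLS)
    print("Coverage gaps:", gaps)
    print("Redundant coverage:", redundant)
    print("Unmapped capabilities:", unmapped_capabilities(TOOL_INVENTORY, REQUIRED_CONTROLS))
    retired, savings, remaining = rationalize(TOOL_INVENTORY)
    print("Retire:", retired, "saving", savings, "per year")
    print("Post-rationalization gaps:", assess(remaining, REQUIRED_CONTROLS)[0])
```

The "repeat" step is the script run again after the inventory or the requirement list changes; a gap that survives rationalization (here the secure web gateway nobody bought) is the prioritized new purchase, and a capability with no requirement behind it (the legacy VPN) is the decommissioning review the network security section below describes.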

Security control rationalization examples

Consider the following areas for consolidation and tool rationalization.

AI security

Evaluate how the organization uses generative AI and machine learning models, then map and optimize security tools against those use cases -- for example, prompt inspection, model access control and API security. Prioritize platforms that integrate with existing data loss prevention (DLP) tools and cloud controls, and assess whether vendor claims about AI risk detection are transparent, explainable and testable. Reassess tools as use of large language models and regulatory guidance evolve.

Cloud security

Rationalize cloud security tools by regularly mapping them to the organization's multi-cloud architecture and use cases, such as IaaS, SaaS, container security and continuous integration/continuous delivery pipelines. Prioritize consolidated platforms that reduce tool sprawl without losing depth -- for example, cloud-native application protection platforms (CNAPPs) or cloud security posture management products with integrated data security posture management (DSPM) or cloud infrastructure entitlement management. Validate whether current tools can scale with cloud-native development and shifting compliance obligations.

Data security

Perform data discovery to ensure tools align with where sensitive data actually resides and moves -- across SaaS, endpoints, cloud and shadow IT. Rationalize overlapping DLP, encryption and rights management services and tools by reviewing control coverage, policy consistency and integration with identity and threat tools. Evaluate DSPM and unified data security platforms that centralize governance across environments.

Network security

Continuously evaluate whether network security tools, such as firewalls, secure web gateways and zero-trust network architecture, align with modern architectures, such as secure access service edge and remote work. Decommission legacy hardware or VPNs that duplicate newer cloud-delivered controls. Prioritize tools that provide visibility into encrypted traffic, application-layer controls and identity-aware segmentation.

Vulnerability management

Rationalize vulnerability scanners and exposure management tools based on their coverage of modern assets such as containers, APIs and cloud workloads, and their ability to prioritize risk. Continuously review whether newer platforms -- such as combined attack surface management and vulnerability management tools -- provide consolidated insight across attack surfaces or remediation workflows integrated with IT. Avoid duplication across development, operations and security teams by harmonizing findings into a unified platform or feed.

Endpoint and workload security

To eliminate overlap or blind spots, evaluate endpoint security tools -- for example, endpoint detection and response and endpoint protection platforms -- and workload security tools for cloud VMs and containers. Consider consolidating into extended detection and response (XDR) tools or cloud workload protection platforms if they offer integration with threat detection, behavioral analytics and response automation. Review licensing, agent performance and telemetry quality to decide what to retain or eliminate.

Automation and orchestration

Review security orchestration, automation and response tools and automation investments based on actual use case coverage, integration breadth and mean-time-to-response improvements. Eliminate rigid or underused playbooks and prioritize platforms that support low-code workflows and native connectors to modern APIs. Determine whether centralized orchestration still makes sense or if distributed automation -- for example, in EDR, SIEM or CNAPP tools -- is more cost-effective.

Security operations

Determine appropriate security operations center tooling by mapping current telemetry sources -- logs, alerts, events -- against detection coverage and analyst workflows. Reevaluate the roles of SIEM, XDR and network detection and response platforms based on their effectiveness, integration and cost per event ingested. Continuously optimize tooling around response velocity, signal fidelity and visibility gaps rather than feature count.

The future of security investments

There will always be unique situations where a single control or tool is needed to combat a new threat or technical risk, but CISOs should always evaluate the level of coverage the organization needs and how it can most efficiently achieve this.

Given how quickly vendor offerings evolve, and how far the portfolios of vendors an organization already invests in keep expanding, there is a wide range of options to choose from.

Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.