It's time to go back to basics to improve IT security

Tool bloat is exposing organizations to significant cyber and financial risk – which is especially problematic in the wake of GDPR.


This is a contributed article by David Ellis, Vice President, Security and Mobility Solutions - Europe, Tech Data


When it comes to cybersecurity, the only thing that remains the same is change. Advances in IT infrastructure technology, user behaviour and the threat landscape have transformed the industry in a short space of time. Unfortunately for IT buyers, that means investments from even a few years ago might now be out of date.

In this highly fragmented marketplace, finding the right tools to do the job has never been more important. But the stakes for failure are high, and too many organizations are saddled with ineffective, bloated cybersecurity products accrued over the years.

With two major new European regulations having landed in May, it’s time, now more than ever, to go back to basics to get IT security right.


From then to now

It was all very different 20 years ago. In many ways, IT security managers had an easier time of it. IT infrastructure was centralized, with data stored on single file servers: none of the complexity of virtualisation or hybrid cloud computing. Limited numbers of internet-connected mobile devices and few remote workers meant the network perimeter was easy to define and secure. The cybercrime industry was still in its infancy, while the absence of social media and web-based services further reduced the corporate attack surface.

How times have changed. Today’s digital and cloud-first organizations are more exposed than they’ve ever been. The perimeter as we know it is gone, and mobile devices, virtual endpoints and IoT devices have expanded the attack surface so wide it’s almost out of sight. Data is the new fuel of the digital economy but user demands for always-on access create dangerous security gaps. Sophisticated attack tools and techniques have been democratized “as-a-service” on a highly evolved cybercrime underground. From info-stealing trojans to ransomware, crypto-jacking, BEC, DDoS, IoT exploits, phishing and even file-less attacks, the sheer variety of threats facing organizations today is staggering.

One vendor blocked over 66.4 billion threats in 2017 alone, including over 631 million ransomware attacks.


The problem of tool bloat

In the past, IT buyers bought point products to deal with each new threat. The problem is, as the threat landscape evolves, organizations have found themselves with scores of security tools and systems which don’t talk to each other. Companies today run products from up to 50 different security vendors, according to Cisco. That represents complexity at a time when stretched IT teams need the opposite.

This kind of “tool bloat” is actively exposing organizations to cyber- and financial risk. There are several key challenges:

  • It’s extremely expensive to maintain all of these products, each with licenses and support contracts to renew, as well as the sheer administrative and operational overheads of managing a bloated security stack
  • It’s a highly ineffective way to run cybersecurity. You’re typically not using most of the features in these tools, and they don’t interoperate, creating potential gaps in coverage which hackers are adept at exploiting. It’s no coincidence that the “mean time to identify” (MTTI) a threat inside the network was 191 days last year, according to IBM
  • It’s getting increasingly difficult and expensive to maintain the required in-house skills to manage these tools. The global cybersecurity skills shortfall is estimated to reach 1.8m professionals by 2022 and talent is not cheap


Back to basics

Both the EU General Data Protection Regulation (GDPR) and NIS Directive mandate strict new rules around IT security. Penalties for non-compliance are up to €20m or 4% of global annual turnover, whichever is higher. They approach the challenge from different angles — the NIS Directive is only relevant to operators of “essential services” and has more prescriptive requirements, for example. However, it’s clear that Europe’s regulators will no longer stand for sub-par security.

What does this mean in practice? It’s time to go back to basics and rationalize your tools. Conduct a thorough audit and then work towards a pre-defined goal. Understand where you can consolidate onto platforms from fewer vendors, ideally ones which interoperate and share threat intelligence. That will help lower TCO and improve ROI.

Also consider how newer innovations like AI and machine learning could help. AI is a rapidly emerging technology in the cybersecurity space which is already having a significant impact. Radware revealed that 81% of executives it spoke to said they have already or recently come to rely more on automated solutions, while 38% claimed that in two years such solutions will be their primary way to manage cybersecurity. These technologies can help teams find the needle in the haystack — patterns hard to spot with the human eye which are indicative of covert threats. They could even help organizations mitigate the challenges of current skills shortages, although you still need AI experts to train and manage such systems.

The bottom line is that by rationalizing your infrastructure now, you stand a great chance of staying on the right side of regulators and delivering maximum protection while minimizing costs and overheads. Change might be inevitable in IT security, but it must be managed properly.