The Biggest Mistake Security Teams Make When Buying Tools
Security teams often confuse tool purchasing with program management. They should focus on what a security program means to them, and what they are trying to accomplish.
COMMENTARY
I've had the pleasure of speaking to hundreds of security teams, and the biggest mistake I've seen is that they often mistake tool purchasing with program management, meaning they often think of the tool driving the program, rather the tool being a part of the program. Instead of focusing on the tool, security teams should focus on what a security program means to them, and what they are trying to accomplish. Below, I share insights that can improve your cybersecurity strategy.
The Misconceptions and Limitations of Cybersecurity Tools
Not planning a program end to end can lead to failure. Being able to detect something, but doing nothing about it, isn't useful. Too often, security teams fall for the misconception that a security tool is a comprehensive security program. But can we fault them?
Cybersecurity tools are packaged to be appealing: sleek dashboards, integrations, APIs, multiple language support, the promise to find everything. These features give the illusion of a sure bet for security. Security teams buy these tools expecting, then hoping, finally pleading, that their bet will pay off.
The Known-Bug Breach
Organizations routinely need weeks to months to fix a software vulnerability. Even more startling, in a third of security breaches, the pending security fix was known before it was exploited. Why? This often stems from security tickets falling in priority because of the inability to drive a meaningful vulnerability management program and getting stakeholder buy-in.
Best Practices for Building Effective Cybersecurity Programs
The National Institute of Standards and Technology (NIST) defines a security program "as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." A security program answers: why this, what to do about it, when, how, and who. It simplifies those answers by forming them into policies and instructions for everyone to follow.
"In my org," a former chief information security officer (CISO) told me, "we didn't greenlight any tool purchasing until a remediation plan was established for the tool." This ex-CISO understands that managing security well is managing the security program, which, in turn, is managing, maintaining, and building a security culture. To be effective, you have to embed the security program in every layer of the business.
My advice: Before you buy a tool like SAST, lay the groundwork for a security program.
There are so many threat models and definitions out there that it can be overwhelming. Instead, keep it simple to start. Use this tried-and-true formula:
program = tool + people + processes + goals
If you do this, you will avoid the misconception that a tool is a program. These best practices bolster more effective cybersecurity programs that are resilient, adaptable, and capable of remediating bugs.
In the following two sections, I want to call out two important and often overlooked pieces of this equation that might be misunderstood.
Stakeholder Engagement in Security Programs
Stakeholder engagement is crucial to a security program. The vast majority of a security team's success is based on the relationships and buy-in they achieve with key stakeholders, like engineering teams. Forgetting stakeholder buy-in and commitment will fail the vast majority of purchases.
Stakeholder engagement ensures that everyone understands the importance of cybersecurity and eliminates ambiguity. The security program helps every individual understand their role in security and importance in fulfilling that role. In the case of implementing a SAST tool, not having buy-in from your engineering team means you're going to rack up a vulnerability count because you can't act on it.
Vulnerability Management
Vulnerability management is a core component of a strong security program, and generally applicable to most security tools. We've found only the largest of enterprises will hire a dedicated vulnerability manager, and often most organizations don't have someone owning and driving those vulnerabilities.
Vulnerability management involves identifying, assessing, prioritizing, and then addressing vulnerabilities in the system. This is a continuous process that requires regular monitoring and updating.
For example, in fixing code vulnerabilities from a SAST tool, essential to vulnerability management is remediation and, later, prevention. There is plenty of information about proactive efforts. The big addition I can add here is using cutting-edge tools to achieve rapid maturation for your vulnerability management program — namely, auto-remediation. The recent developments in AI have enabled teams to behave like their counterparts. For example, product managers can now do data science tasks. Additionally, AI is enabling teams to automatically fix vulnerable source code. Security teams can't scale their efforts alone. They need to invest in actions and systems that help them drive programs.
Conclusion
Cybersecurity tools are no replacement for a robust security program. No one buys construction tools and starts building willy-nilly. Without a plan, they'd end up with a chaotic assembly of screwed-in screws, hammered nails, and sawed boards. That isn't productivity. It's busywork. Sadly, a tool without a robust plan behind it can go the same way. A security program assures that security tools are effective and deliver value for your organization — and, ultimately, increase the security of your organization.
About the Author
You May Also Like