2017-02-15

Which tools and solutions do you rely on? How do you know you made the right choice?

Even as security captures more attention and more budget, we have to be selective with the tools we use to advance our goals. Buying the wrong tool is not just a waste of money, but could be worse and create distractions that waste time or friction with other teams.

I talked with Mike D. Kail (LinkedIn, @mdkail), the Chief Innovation Officer of Cybric, about better ways to evaluate and use tools to improve security. Mike has over 25 years of technology leadership experience, including VP of IT Operations at Netflix and CIO & SVP of Infrastructure at Yahoo!. He’s also active on Twitter with innovative and disruptive approaches towards DevOps and Security.

Our conversation was energizing. Mike’s experience came through and he shared key points for security leaders looking to make a difference.

Why is it important for security leaders to have a clear strategy separate from the tactics they use?

Security vendors are guilty contributors to the extreme lack of strategic approaches to improving overall security posture and resiliency. Instead of applying core software engineering approaches to integration into the DevOps CI/CD pipeline, they instead focus on “next-gen” point solutions and tools that typically require manual operation and intervention. Unfortunately there are also a lot of vendors who are selling “Fear, Uncertainty, and Doubt” (aka FUD), instead of taking a “Trusted Advisor” approach and partnering with clients to strategically improve security posture.

Over time, this results in “tool sprawl” and an ever decreasing lack of overall visibility into a company’s true risk profile because there is no unified view into the results from each disparate tool. What often happens then is outsourcing to a large MSSP, which may be fine in the short term, but if you want to control your overall destiny and improve the situation, it tends to be a very costly band-aid.

When it comes to tactics, how do you recommend people think about tools and solutions to avoid buying something they don’t need?

Too often people focus on the “How” of the proposed solution, which then typically leads into following what others have done in the past, and buying “Incumbent Vendor X”, because that is a safe choice and no one has ever been fired for choosing a known logo.

Despite Cloud and Mobile, many are still too focused on perimeter-based security, so they upgrade their firewall to a “next-gen” version, but that is simply providing a false sense of security. This is akin to putting a lock on your front door, but then not worrying about interior security approaches, or other ingress points that can change over time.

Security teams also need to start collaborating closely with the application development and DevOps teams. Understand their daily habits and workflow and devise ways to seamlessly integrate security into the entire software development life cycle, instead of being the barrier or gate to production deployment, or, worse yet, being bypassed completely.

To overcome the FUD and “analysis paralysis”, security teams need to take a step back and look at the bigger picture. Make an outline of the current overall state of security, come up with a detailed view of what the desired state is, and then map out the list of strategic approaches that enable you to get to that desired state. Collaborate with external resources and challenge the status quo. Don’t take the “because that is how we have always done things” approach. Finally, continue to focus on the “Why?” aspects of your strategic plan.

How can security leaders better address the question “how secure are we”?

As cybersecurity rapidly becomes a Board and CEO level discussion, CISOs will need to be able to answer the basic question of “How secure are we?”. In order to have any chance of accurately answering this, one has to establish a baseline of resilience.

One way to think about and approach this is establishing a cybersecurity “fitness plan”. Just as you wouldn’t decide to run a marathon on a whim, you can’t expect to immediately improve your security posture. It takes a detailed plan and an adaptive set of actions and reactions in order to achieve your goal.

The first step in getting “cyber fit” is to take an overall inventory of your landscape and assets. Where does your sensitive data reside? Which code repositories are the most important? What applications are exposed to the world? Once you have that documented baseline, how can you programmatically track any changes and/or updates to it? In other words, what is your “rate of detection” and corresponding “rate of remediation”? That begins to give you an overall “resiliency score”.

Frequent collaboration and interaction with the AppDev and DevOps teams will also help you adapt more quickly to any changes. Try to deeply understand their requirements and habits, and be flexible to accommodate them, not rigid and resistant.
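The baseline-and-drift idea from the answer above, worked through as an added example (my code, not Mike Kail's or Cybric's): a documented inventory is diffed against a fresh snapshot, exposed assets with no owner are flagged, and each change event's detection and remediation times are turned into the two rates the answer names. The inventory contents, the change history and the 24-hour / 7-day SLA windows are all constructed for illustration, and the 0..100 "resiliency score" formula (mean of the two rates) is my own simplification, not a definition from the interview.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed baseline inventory: the documented state from the last review.
BASELINE: Dict[str, dict] = {
    "api-gateway": {"exposed": True, "ports": [443], "owner": "platform"},
    "billing-db": {"exposed": False, "ports": [5432], "owner": "payments"},
    "repo:core-services": {"exposed": False, "ports": [], "owner": "platform"},
}

# Constructed current snapshot: billing-db is now reachable from outside and
# an unowned staging host has appeared since the baseline was written.
CURRENT: Dict[str, dict] = {
    "api-gateway": {"exposed": True, "ports": [443], "owner": "platform"},
    "billing-db": {"exposed": True, "ports": [5432], "owner": "payments"},
    "repo:core-services": {"exposed": False, "ports": [], "owner": "platform"},
    "staging-admin": {"exposed": True, "ports": [22, 8080], "owner": None},
}


def diff_inventory(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return sorted (asset, change) pairs: added, removed or modified since the baseline."""
    changes = [(name, "added") for name in current.keys() - baseline.keys()]
    changes += [(name, "removed") for name in baseline.keys() - current.keys()]
    changes += [(name, "modified") for name in baseline.keys() & current.keys()
                if baseline[name] != current[name]]
    return sorted(changes)


def unowned_exposed(current: Dict[str, dict]) -> List[str]:
    """Assets reachable from the internet that have no recorded owner."""
    return sorted(n for n, a in current.items() if a["exposed"] and not a["owner"])


@dataclass
class ChangeEvent:
    asset: str
    occurred: datetime
    detected: Optional[datetime]    # None = never noticed
    remediated: Optional[datetime]  # None = still open


def rates(events: List[ChangeEvent], detect_sla: timedelta,
          remediate_sla: timedelta) -> Tuple[float, float]:
    """Fraction of change events detected / remediated inside each SLA window."""
    if not events:
        return 1.0, 1.0
    detected = sum(1 for e in events
                   if e.detected is not None and e.detected - e.occurred <= detect_sla)
    remediated = sum(1 for e in events
                     if e.remediated is not None and e.remediated - e.occurred <= remediate_sla)
    return detected / len(events), remediated / len(events)


def resiliency_score(events: List[ChangeEvent], detect_sla: timedelta = timedelta(hours=24),
                     remediate_sla: timedelta = timedelta(days=7)) -> float:
    """Illustrative 0..100 score: mean of the two rates (my definition, not the interview's)."""
    d, r = rates(events, detect_sla, remediate_sla)
    return round(50 * (d + r), 1)


# Constructed change history: the two drift events above plus an older, never-detected one.
T0 = datetime(2017, 2, 1, 9, 0)
EVENTS = [
    ChangeEvent("billing-db", T0, T0 + timedelta(hours=2), T0 + timedelta(days=1)),
    ChangeEvent("staging-admin", T0, T0 + timedelta(days=3), T0 + timedelta(days=10)),
    ChangeEvent("repo:core-services", T0 - timedelta(days=30), None, None),
]

if __name__ == "__main__":
    for asset, change in diff_inventory(BASELINE, CURRENT):
        print(f"{change:>8}: {asset}")
    print("unowned & exposed:", unowned_exposed(CURRENT))
    print("resiliency score:", resiliency_score(EVENTS))
```

Running the snapshot diff on a schedule (and treating every diff entry as a change event with its own detection and remediation timestamps) is what makes the two rates measurable rather than anecdotal; the SLA windows are the knobs a team would tune to its own risk appetite.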

How can security leaders better evaluate the security tools they have or are considering?

With over 1200 different tools in the market today, it’s really a challenge to understand which ones are the best to help you achieve your goals. There are a few approaches to both evaluating your current investment, as well as making the correct future investment.

First, once again, it comes down to understanding the overall environment, whether that is on-premises or Cloud. What languages are your developers using to code applications? What is the build and deploy pipeline composed of?

Now that you have a list of environments and assets to test against, you can narrow down your choices based upon market research, peer input, and how well the vendor is aligned with your best interests. Look for ones that take a “trusted advisor” approach, not ones that use scare tactics to entice you to make a rash decision.

Classic A/B testing is often useful as well. Get a trial version of a few different solutions, and then test them rigorously against the same asset. Do they all provide the same level of insight? Does one have more false positives than the other? Use real-world data to back up your decision.
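An added example (my code, not from the interview or from Cybric) of the A/B test the answer above describes: two trial tools are run against the same asset, their raw findings are mapped onto one vocabulary (tools rarely name the same issue class the same way), and each is scored against a manually confirmed list of what is actually present in that asset. The tool names, raw findings, alias table and ground truth are all constructed for illustration; the ranking by F1 with false positives as the tiebreaker is my own choice of what "more insight, fewer false positives" means in numbers.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (location, canonical issue name)

# Constructed alias table: vendor-specific labels mapped to one vocabulary so
# that the same issue reported by two tools counts as the same finding.
ALIASES = {
    "sqli": "sql-injection", "SQL Injection": "sql-injection",
    "xss-reflected": "reflected-xss", "Cross-Site Scripting (Reflected)": "reflected-xss",
    "Broken Access Control": "missing-authz", "idor": "missing-authz",
    "Path Traversal": "path-traversal",
}


def normalize(raw: List[Tuple[str, str]]) -> Set[Finding]:
    """Canonicalize issue names; unknown labels pass through unchanged."""
    return {(loc, ALIASES.get(issue, issue)) for loc, issue in raw}


# Constructed ground truth: what a manual review of the trial asset confirmed.
GROUND_TRUTH: Set[Finding] = {
    ("/login", "sql-injection"),
    ("/search", "reflected-xss"),
    ("/api/export", "missing-authz"),
    ("/upload", "path-traversal"),
}

# Constructed raw output of two trial tools run against that same asset.
TOOL_A_RAW = [
    ("/login", "sqli"),
    ("/search", "xss-reflected"),
    ("/static/app.js", "outdated-library"),  # not confirmed by review: false positive
    ("/healthz", "info-disclosure"),         # not confirmed by review: false positive
]
TOOL_B_RAW = [
    ("/login", "SQL Injection"),
    ("/search", "Cross-Site Scripting (Reflected)"),
    ("/api/export", "Broken Access Control"),
    ("/contact", "xss-reflected"),           # not confirmed by review: false positive
]
TOOLS: Dict[str, List[Tuple[str, str]]] = {"tool-a": TOOL_A_RAW, "tool-b": TOOL_B_RAW}


@dataclass(frozen=True)
class Score:
    tool: str
    tp: int  # confirmed issues the tool reported
    fp: int  # reports the review could not confirm
    fn: int  # confirmed issues the tool missed

    @property
    def precision(self) -> float:
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else 0.0

    @property
    def recall(self) -> float:
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def f1(self) -> float:
        p, r = self.precision, self.recall
        return 2 * p * r / (p + r) if p + r else 0.0


def score_tool(name: str, raw: List[Tuple[str, str]], truth: Set[Finding]) -> Score:
    found = normalize(raw)
    return Score(name, len(found & truth), len(found - truth), len(truth - found))


def rank(tools: Dict[str, List[Tuple[str, str]]], truth: Set[Finding]) -> List[Score]:
    """Highest F1 first; ties broken by fewer false positives (less analyst noise)."""
    scores = [score_tool(n, raw, truth) for n, raw in tools.items()]
    return sorted(scores, key=lambda s: (-s.f1, s.fp))


def only_found_by(tools: Dict[str, List[Tuple[str, str]]], truth: Set[Finding],
                  name: str) -> List[Finding]:
    """Confirmed issues that this tool reported and no other tool in the trial did."""
    others = set().union(*(normalize(r) for n, r in tools.items() if n != name))
    return sorted((normalize(tools[name]) & truth) - others)


if __name__ == "__main__":
    for s in rank(TOOLS, GROUND_TRUTH):
        print(f"{s.tool}: precision={s.precision:.2f} recall={s.recall:.2f} f1={s.f1:.2f}")
        print("  unique confirmed findings:", only_found_by(TOOLS, GROUND_TRUTH, s.tool))
```

The ground-truth set is the part that costs effort and is also the part that makes the comparison meaningful: without a reviewed baseline, a tool that reports more simply looks more thorough, and the false-positive column stays invisible.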

What’s the best way for a security leader to start the process of assessing their current tools?

If you don’t have a comprehensive handle on what you currently are trying to secure, and what you’ve purchased to do that, you need to begin, as I’ve said before, with getting your affairs in order.

Everyone has to start somewhere, and the only good time to start is now, so don’t wait for some arbitrary time or date to begin. Put together an outline of both where you are today and where reasonable checkpoints are along the way.

Collaborate, Collaborate, Collaborate! Learn by walking around and understanding the Dev and Infrastructure worlds. Ask questions that help you establish the “Why?”

In parallel, research what tools, whether open source or commercial, will enable you to move more rapidly while improving security.

Finally, there is no “end state” in Security. You must take a continuous, elastic approach to it.