Highly dysfunctional risk-based IT ecosystems

Apr 29, 2007 | 3 mins
Business Continuity, Data and Information Security, IT Leadership

As a CISO, I’m looking for security solutions that are integrated, reducing the number of vendor interfaces, eliminating the number of consoles and backend databases I have to provision and manage and potentially reducing headcount once fully implemented and matured. They don’t have to be best of breed. The solutions I seek are not just technology focused but those that incorporate people and process into a cohesive risk-based ecosystem. Just what is a risk-based ecosystem?

In short, a risk-based ecosystem is defined as all the members of the integrated community and the physical environment in which the community exists. Data moves around the ecosystem in loops. This community together with its environment functions as a unit. All ecosystems are open systems in the sense that actionable information is transferred in and out. 

When I look at the large companies with an information security focus such as EMC, Symantec, CA, IBM and Cisco non-inclusively, I find many of the components of a risk-based ecosystem. Unfortunately, the ecosystems as delivered are highly dysfunctional. There is little integration amongst members of the ecosystem as offered by these companies. Purportedly, they are moving that way. In fact, Art Coviello indicated at the RSA Conference that there would be no standalone security companies within 3 years. I welcome that but have worries surrounding the stifling of innovation and wonder what that statement really means since I’m a bit slow on the uptake.

So, will the large Pac-Man-like players focus on acquisition to meet that goal or will they actually start to integrate the tools? Can they sustain both? I think they will try but one will suffer and that is usually integration. I want full integration sooner not later so I can manage all members of the risk-based ecosystem with one console and aggregate all the data in one database. I want to reduce the number of vendors I deal with and establish strategic partnerships with a few visionary innovators.

The other issue I have is what they are requiring me to do today and in the foreseeable future. That is to deploy more hardware, more software, increase my implementation timeframes, train and re-train staff, and wait for several months if not years before I can bleed the functionality out of the ecosystem members. This increases my cost basis and continues to feed the outdated, outmoded beast of continued hardware and software installations, maintenance, upgrades, patches, and management/staffing requirements since the ecosystem is dysfunctional. As a matter of fact, it cannot even be considered an ecosystem. In most cases, it is a hodgepodge of tools, appliances, servers, databases with different consoles, separate databases, and in some cases completely different operating units managing the tools.

Is there a model that can remove my costs and serve as the risk-based ecosystem I so desperately seek? I place my bets on the Software as a Service model as the antithesis to the large, cumbersome hardware and software deployments, management, maintenance, and general daily care and feeding. As long as the data is secure in transit, in storage, in processing, why do I care where the infrastructure is deployed and managed? I won’t have to manage any of it but mine the data, and my implementation timeframes should shorten significantly. Who is going to take me to the risk-based ecosystem I seek?