Remember those days, pre-pandemic, when you thought your security scope was complex? But now, with employees at home, new video and collaboration apps being rolled into daily workflows, and less physical oversight of devices and access, we’re all longing for the seemingly airtight security of 2019.
The COVID-19 crisis put many of your security risks into overdrive, but those risks have been increasing for years. Businesses are relying more heavily on digital services and cloud-based systems, and the pandemic is adding fuel to that technology transformation: the IDC COVID-19 Market Impact Survey 2020 found that 56% of organizations are “scaling up their online presence” in the search for new revenue. Before the pandemic, businesses were undergoing digital transformation at their own pace. Now, the pandemic is forcing businesses to seek new online revenue channels, which accelerates and adds urgency to your digital transformation efforts.
As your technology landscape expands, workers are also relying on their own devices, adding more vectors for exploitation. Externally, customers and partners want easier, faster, more modern ways to work with your company, opening your brand and business to even more potential risks. So security teams are being asked to protect a larger landscape with fewer resources, yet do it faster and more effectively. Using the same old methods, processes, and tools is clearly not going to keep pace with this ever-expanding need.
Attack Surface Up, Resources Down
But now you’re also faced with the shrinking budgets, streamlined teams, and dwindling resources forced by the pandemic. Gartner recently found that nearly two-thirds of companies are making “significant cuts” this year due to the coronavirus. And while experts suggest ways to deal with those cuts, doing more with less will be the new normal for the foreseeable future.
Security teams are now faced with two options: maintain the status quo while struggling to keep up with threats or fundamentally shift how you think about security to increase speed, agility, and impact.
One area of fundamental transformation for security teams is the consolidation of both apps and vendors. Simply slashing apps and services based on cost isn’t the best solution, however. There is a logical way to evaluate your security stack and start weighing your security needs against the benefit of each app.
Optimizing Your Security Stack
First, you may be paying for some tools that return little value or are rarely used — both in security and across your entire organization. Consolidation across your business reduces the threat surface and saves money. McKinsey says up to “30% of IT spend can be saved” by, among other things, “decommissioning applications with little usage”.
That same concept can be applied to your security tools as well. It’s been reported that mid-sized businesses use up to 60 security tools, while larger enterprises can have well over 100 security tools deployed. There is surely much overlap across so many tools aimed at just security, but there are also likely still some gaps those tools aren’t able to cover. Each point solution adds cost, but also consumes security resources to manage it, make sense of the data, and parse those findings against those of dozens of other, potentially disconnected tools.
You can increase effectiveness while reducing both spend and the number of solutions by working with favored vendors to expand their services and solutions within your security apparatus. Better yet, multiple existing solutions can be replaced with a single, more modern, more impactful solution.
Achieving Greater Value with Fewer Vendors
Consolidation can save money, reduce complexity, and open up new areas of benefit and efficiency. It’s a trend many security teams are taking advantage of as they experience the double-whammy of budget pressure and increasing threat surfaces.
But reducing the number of point solutions isn’t a solution in and of itself. Those systems were considered necessary by your team at some point, so while eliminating them takes away a resource and budget burden, it does open up the possibility of some things slipping through the cracks.
A holistic approach to security turns your focus towards reducing your overall risk, so look to close gaps as you consolidate tools and vendors. Every tool and its benefits should align with a significant risk in the security framework. Furthermore, each tool should reduce overall risk, show a quantifiable reduction of risk, and be capable of sustaining that risk reduction.
If you already have a trusted security vendor, start working with them to evaluate how their other solutions and services can help you improve your security and reduce risk. You may find that you can eliminate several other tools and vendors while also getting more insights that help you save time and money.
For example, COVID-19 added stressors to security teams as criminals saw an opportunity to benefit from the resulting chaos. Starbucks added HackerOne Advisory and Triage Services to help fill resource gaps left by reduced staffing. Verizon Media launched a new HackerOne Bounty program to add coverage to their massive, multi-brand attack surface.
Identifying and assigning ROI to the multitude of cybersecurity tools in your ecosystem while understanding your attack surface is an enlightening exercise, especially as new security gaps are likely widening during any digital transformation. But it requires more effort from your already overtaxed security team. Hacker-powered security solutions can help identify the gaps and consolidate point-solution tools into a single platform for easier management and measured ROI.
To learn how HackerOne has helped companies like Starbucks and Verizon Media improve security through consolidation, simply get in touch with our team.
Learn Even More:
Hear how George Geshow, Chief Security Officer at Sumo Logic, and Justin Berman, Head of Security at Dropbox, are transforming their organizations’ security efforts in the on-demand webinar, Incorporating Pentesting in Your Overall Security Strategy.