When I was the CISO of a large global bank, we had a billion-dollar budget and 1,500 employees for security. But even those resources weren’t enough to harden security and sufficiently protect the business from evolving threats. Even though we had deployed a wide variety of critical security tools, I frequently received requests for more budget and more people.
The complexity of managing the environment compounded our challenges. As we added more tools, we had to spend even more money and hire more people to manage them. It was increasingly difficult to maintain visibility and control over our entire environment. Now, this was a large business in the highly regulated banking industry, and needed to invest deeply in security. Few organizations have the same level of resources available. But many—from small startups to the largest enterprises—have similar problems: they face a wide range of security threats on top of the challenge of maintaining visibility and control.
My experience has led me to rethink some of the traditional strategies and approaches to security. For example, I’ve learned you can’t spend your way out of complexity. But just as importantly, I learned that regaining control over complex, distributed environments requires getting off the security treadmill and accelerating efforts toward consolidation.
Get off the security treadmill
Risk multiplies daily — to no end. At the same time, we lose visibility and control to growing complexity as the enterprise environment expands. Where is this complexity coming from? Today, security teams must protect their data centers and address threats facing public clouds, SaaS, and even the public Internet. We’ve all tried to handle the evolving threat landscape with point solutions like web application firewalls (WAF), distributed denial of service (DDoS) mitigation, cloud access security brokers (CASB), intrusion detection, and others. But managing these solutions and their vendors adds to the complexity problem — every technology deployed must be learned and mastered to sustain operational resilience.
How do you get past this complexity? The first step is acknowledging that you can’t continue with the status quo — it’s too expensive and it leaves you open to too many risks.
Accelerate consolidation
I've found that maximizing investments with vendors in your existing security stack via consolidation — i.e., eliminating underutilization and redundant technology — goes a long way toward reducing complexity and restoring control. If you can consolidate 15 security products into one platform, you can improve security efficiency, lower costs, simplify troubleshooting, and reduce risk. I’ve experienced how moving from multiple products to a single unified platform can yield up to 50 percent in operational savings — savings that I could then invest back into the business.
Simplicity is key. In nearly every organization I have worked in, numerous security tools have been poorly configured. With a smaller set of products, your team can spend more time understanding their capabilities and optimally configuring them. Ultimately, this closes the gaps left by multiple-point solutions, reduces the time to detect problems, and cuts both product and operational costs.
Don’t let consolidation scare you. You’re not giving up best-in-class solutions, you’re gaining a best-in-class platform. Remember, even best-in-class point solutions have limits and vulnerabilities. Early in my tenure as a CISO, my team used a best-in-class WAF, but we still experienced a denial-of-service attack. Why? Because the WAF wasn’t designed for that type of threat. The team thought the right technology was in place, but it wasn’t.
Vendor consolidation does not mean giving up flexibility or scalability. You can implement a connected, composable platform that has flexibility for change and the scalability to expand as your networks expand.
Integrate your domains
Consolidation doesn’t have to stop with security tools. In fact, to truly reduce complexity, lower costs, and strengthen security, you need to integrate multiple domains in your IT environment, implementing a unified approach to security.
Historically, the teams responsible for on-premises networks, web security, public cloud services, and other areas have been siloed. And in my experience, that means there can be significant inefficiency. Disconnected tools and processes can also leave you vulnerable to breaches.
When you unify domains, you can start applying consistent tools and processes across your organization. You can also more easily share threat intelligence so everyone is aware of the latest threats before they do any damage.
Unifying security might require a significant organizational change — especially when you have teams entrenched in particular domains. However, breaking down the walls between domains can have a positive impact on your company.
If you’ve already launched an initiative for consolidating tools or domains, it’s time to speed it up. The faster you can simplify security, the more easily you can increase control and decrease risk.
Enterprise environments will continue to be complicated and threats will keep coming. However, implementing point solutions for security will only add management complexity and diminish your control over those environments. By adopting a radically new approach — with a unified platform that consolidates tools and connects all your domains — you can regain control, lower costs, and reduce the risks of securing an expanded network environment.
The Cloudflare connectivity cloud helps organizations regain control and visibility over even the most complicated enterprise environments. It is a unified, intelligent platform of programmable cloud-native services that provides a single, simplified interface to facilitate vendor consolidation. In addition, it offers a composable, programmable architecture and integration with all networks. By enabling you to move away from point solutions, Cloudflare helps strengthen protection and minimize the complexity of multi-cloud security.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Grant Bourzikas — @grantbourzikas
Chief Security Officer, Cloudflare
After reading this article you will be able to understand:
How complex the network environment has become
Budget alone won’t solve for loss in visibility and control
How to rethink traditional strategies and approaches to security
How consolidation and connectivity play a key role in a secure future