SAN FRANCISCO -- There is plenty of waste that can be trimmed from a security portfolio, but security admins aren't exactly sure how to get the job accomplished.
That was the overarching theme at a peer-to-peer discussion at the 2015 RSA Conference on Tuesday. Wendy Nather, research director of information security at 451 Research LLC, asked the room full of CISOs and security admins how many of them believed their organization had something to delete from the security cache; nearly every hand in the room shot up. But when it came to answers on how to accomplish this, the answers didn't come as quickly.
Nather, however, drew a few conclusions from the discussion that could help enterprises start down a successful path to debloating security portfolios.
Shelfware is one of the most obvious things to get rid of -- that is, unused technology left over from either mergers and acquisitions or forgotten projects of yesteryear. If enterprises can eliminate these unused tools, the resources dedicated to them can be better applied elsewhere.
Cutting overhead is also key, Nather said. Consolidating both technology sprawl and vendor management can be highly beneficial. One attendee from a real estate firm noted that his organization reduced vendor sprawl from a total of 42 to three through outsourcing. This cut the company's annual security budget by 28%.
A CISO from the insurance sector discussed how his organization had more than 50 security tools on hand that essentially do the same thing but were never eliminated nor consolidated because some had features that were "kinda cool" and set them apart from the others. His company is currently looking to reduce this sprawl.
Keeping a regular inventory of its security portfolio was one way a security admin at a retail firm helped trim waste. By building a comprehensive roadmap of her organization's security tools, organized by capability, she found and eliminated a number of "forgotten" tools. She also noted that sometimes products in place had not been properly updated to take advantage of new features. It is possible, she said, that if an organization builds an inventory of technologies and understands their capabilities completely, resources can be saved and investments in new tools avoided.
Nather also noted the importance of keeping up with evolutionary changes. As many attendees noted, network-centric tools simply can't effectively handle today's dispersed mobile environment. One attendee noted her organization of 350,000 employees -- many of them road warriors -- simply cannot rely on traditional perimeter security; for them, protecting endpoints and email proved far more effective at reducing threats.
Understanding technology prior to adoption -- what an enterprise must do on an ongoing basis to maintain upkeep and effectiveness -- is also critical, Nather said.
In the RSA Conference keynote address, RSA President Amit Yoran called SIEM a moneypit. While the majority in Nather's discussion agreed SIEMs are costly, one participant pointed out that SIEM isn't a set-it-and-forget-it technology, nor does it simply spit out solutions to problems. However, with the right expectations of what must be invested in the technology, SIEM can be beneficial.
"Every tool you add to your portfolio, that's an additional learning curve for whoever is running it," Nather said. "If you don't have enough resources to begin with, it ends up being shelfware."
Nather and the room of peers said that oftentimes tools cannot be eliminated -- because of compliance or investment -- but dedicating the bare minimum of time and resources to particular tools, and reducing use of them, may be an answer.
Customization also helps, one attendee said. His insurance organization adopted a single multifunction tool that offered remote control, patch management, encryption and other functions. Once the tool was adopted, his security team found that building their own code and scripts for the tool helped them achieve more actionable and useful information.
Throughout the discussion, it became clear that changes in security portfolios were often difficult without the buy-in of enterprise leaders. Making sure each tool has both a business justification as well as a security justification is critical to efficient enterprise security portfolios. It is also one of the best ways enterprises can achieve change and ultimately trim waste. This, Nather said, often goes beyond just mitigating risks; it also includes other business benefits, such as cost savings.
"It's the spoonful of sugar that helps the medicine go down," Nather said.
Here's what you need to know for managing security spending