It should be central to the role of the CISO to build a vision and a product strategy, and drive the decluttering of cybersecurity landscapes
Every year, as we approach conference season, I can’t help but being amazed by the monumental number of cybersecurity products, services and vendors.
I have written at length about this since 2019 and I must admit I cannot see any form of consolidation over the horizon. I still believe this is not a sign of a healthy marketplace.
As a matter of fact, the situation is getting worse, as countless startups have jumped on the AI bandwagon over the past two years.
Many cybersecurity vendors appear to be reasonably successful, at least at attracting funding from investors – helped by the accumulation of cyber-attacks over recent years and possibly the investors’ rush towards AI-based products.
But increasingly, I have been asking myself: Who is actually buying all those products?
Of course, the traditional “box-checking” market will always be there: Many products are simply purchased, without proper procurement scrutiny or a competitive selection process, in response to audit observations or ahead of a regulatory inspection; this market has always existed and is not showing any sign of disappearing.
But some segments have become incredibly crowded over the years (GRC, IAM), so how can you be heard and scale on those markets without a clear, distinctive and credible message, strong enough to carry you through to a sufficient volume of sales?
In fact, in many cases, when you look in detail into the marketing storytelling those vendors produce, you realise that the business problem those tools are meant to solve is rarely explicitly defined.
In some cases, the simple fact that those tools have to solve a business problem, does not appear to be understood, as their marketing storytelling consists of an avalanche of technical terms, rarely intelligible to anyone outside the specific field where the tool operates.
It looks to me like many of those tools are simply designed by technologists for technologists.
Invariably purchased as point solutions by the team leaders in charge, they simply aggravate the proliferation of cybersecurity tools and the problems this is creating for large enterprises, now operating with tens of different “solutions”, many of them designed to address nothing else but a particular problem arising in a particular context.
All this complexifies security operations across the board, from compliance reporting to incident handling, forcing security teams into complex manual processes as nothing is never properly joined up.
It pushes up costs as more and more manual resources are required to scale up those processes in the face of escalating threats, creating a monumental skills gap problem across the industry, as nothing is never properly addressed in terms of automation, tools integration or process re-engineering.
That’s the harsh reality behind those trade shows: Even if most of those tools serve a purpose, their raw accumulation is at the heart of the inability of large enterprises to deal effectively and efficiently with the evolution of the threats, because after several decades of such accumulation, it has forced them into unmanageable, inefficient and unscalable operational security processes.
Continuing to buy more tools is unlikely to help, and until those dynamics change, things will simply get worse.
The time has come to move away from the raw technical handling of each and every cybersecurity problem in isolation of all others, and this should be seen as a matter of strategic direction for many cybersecurity practices in large firms.
It should be central to the role of the CISO in those firms to build a vision and a product strategy, and drive the decluttering of cybersecurity landscapes and the simplification of operational processes.
Automation will be key in this, as long as the simple principle we relayed and supported years ago is followed: “For every new tool, remove two legacy tools”.
More than ever, that makes tremendous sense, and it should be at the heart of any approach to AI-based cybersecurity solutions, as they develop and mature.
About the Author
JC Gaillard is the author of “The Cybersecurity Leadership Handbook for the CISO and the CEO” and “The Cybersecurity Spiral of Failure“; he is a leading strategic advisor and a globally-recognised cybersecurity thought-leader, founder and CEO of Corix Partners and Fellow of the Chartered Institute of Information Security the UK.
