The State of Data Protection: Future-Proof Your Information Security Technology Investments

Jeremy Wittkop, CTO

02.12.2020

For more information on this important topic, please view InteliSecure’s on-demand webinar Navigating the Changes at Symantec/Broadcom

 

What is your plan for ensuring the security of your critical information assets—not just now, but into the future?

Many organizations bank on technology investments, and it’s true that sound, strategic use of technology is an important pillar of information security. However, if there’s anything we should learn from Broadcom’s acquisition of Symantec, it is that there is a very real possibility that changes in your chosen vendor’s strategy may require you to re-evaluate your investments at some point. Many people thought Symantec was too big to be acquired, and many people based their decision to buy Symantec products on their belief that an acquisition wouldn’t happen. But any security company can be acquired at any time.

Note: In becoming part of Broadcom, Symantec is not dying, it’s just different. I have had some very productive conversations with Broadcom leadership in the past few weeks. They are investing in their technologies, but the way they run their business is fundamentally different than Symantec’s was. Symantec was largely focused on acquiring new clients, which drove them to develop and acquire features that would appeal to those new customers. Broadcom is focused on developing products for the clients they have, and they’re less interested in new customer acquisition. This means Broadcom’s developments are likely to be less flashy and more focused on stability, scalability, and reliability.

When planning for the future security of your organization, it is critical to ensure disruption to any one vendor will not cause material impacts to your security programs. Technology providers can be acquired, announce a product end-of-life like RSA did with their DLP product, or stop investing in development of your product.

Regardless, you must have a way to navigate industry changes. The only way to effectively insulate yourself from changes in the vendor landscape is to build a data protection program that transcends the technology.

Data Loss Prevention Goes Beyond Tech Tools

When Information Security leaders ask me how to keep up with technology shifts, I tell them:

Do not build a program to support a technology. Build a program to solve a business problem and select a technology that best compliments your program.

If you follow this advice, you can change technologies at any time with little impact to your overall program.

This might be easier said than done in some organizations. Too often, organizations don’t have any data protection program at all. Many do have a program, but it is built around features of a technology rather than starting with what they’re trying to accomplish and matching the capabilities of the technology to problems they’d like to solve.

The “tech first” mode of data protection is problematic because no information security tool can do everything your company needs. In addition, there are problems that can’t be solved yet because the technology is not capable.

Instead, start with understanding your business requirements, what critical assets you must protect, and your goals for ensuring data security. This is the only way intelligently design a program and communicate your needs to a vendor’s product management group. You should do this for every security discipline, not just data protection, but it is an absolute requirement for data protection to be effective.

Invariably, there will be capabilities that you lose and some that you gain when switching products. The resulting impact of those capabilities on your program should inform your decision on whether you actually switch technologies or not. Of course, in order to execute any of the above, you must build and operate an effective Data Protection program

Three Big Questions

Three important questions come up frequently when I discuss this topic.

What are your thoughts about the dynamic nature of the threats landscape and the Information Security industry as a whole?

While the threats we face are certainly dynamic and increasing in sophistication, the industry as a whole has been fundamentally the same throughout its history. We have a proliferation of products and vendors, and each product is designed to stop something very specific from happening. In order to effectively handle the threats we face today and those coming tomorrow, we need a major evolution in our approach to Information Security as a whole.

A technology approach that simply adds a new product to address each new problem will never be able to keep up with the threat landscape. Adversaries are human, and there is a sophisticated illicit marketplace where attackers can specialize and offer services and technologies in their specialties to those that want to launch an attack. That specialization leads to a significant increase in sophistication in both attackers and attacks. Tactics, techniques, and protocols are adapted daily in an effort to circumvent technologies that are designed to stop specific behavior patterns.

Trying to anticipate an attack pattern is a cat-and-mouse game that organizations around the world continue to lose. One of the CISOs I have worked with in the past sums this game up well by saying “The farmer has to mind the entire fence; the jackal only needs to find one hole.”

The evolution of information security requires that we embrace technologies and techniques focused on solving multi-faceted problems. We must design programs that monitor people, systems (on premises and in the cloud), and data. And we need to embrace products focused on orchestration, aimed at coordinating efforts between point products in order to effectively manage risk.

I think we are on the precipice of such an evolution, and what is going on at Symantec and McAfee is symptomatic of the coming shift in the Information Security industry. To navigate these changes, it’s important to ask the following questions every time you evaluate a technology solution.

  • Does this technology allow you to automatically adapt your responses based on risk factors?
  • Does this product provide a control plane that allows multiple products to work together and coordinates responses?
  • Does this product converge capabilities that were disparate in the past into a single console or control plane?
  • Does this product make other products in the environment smarter, easier to operate, or more effective?
  • Does this product work without signatures or rules to identify specific malicious behavior or technology?

If the answer to one or more of these questions isn’t “yes,” it is likely that the product you are being sold will not help you build a forward-looking program. Few legacy technologies pass this test.

Innovations in technology make this an exciting time to be in Information Security. However, in order to drive the industry in the proper direction, organizations and security leaders have to demand open APIs from all of their vendors and reject multiple solutions from a single vendor that are superficially “integrated” but do not have meaningfully coordinated capabilities, unified software packages, or a single console. It should be noted that these types of deeper integrations take significant time; beware of software companies that do not make this level of integration a priority in their road maps after acquiring a technology.

What stresses can this dynamic environment put on companies and company leadership?

The state of Information Security today and in the near future will challenge deeply ingrained security dogma and will require a new way of thinking. This can be disturbing to many in the security space who are comfortable with the status quo. However, cybersecurity is going more mainstream, business executives who are security-aware can be helpful in making the transition.

A primary hurdle that savvy leaders can overcome is the question of ROI. It drives me crazy when I hear, “You can’t measure ROI for a security investment.” This is utter nonsense. It isn’t true now and it has never been true. It may be true that you cannot derive an exact value for ROI of a security program, but that does not mean you cannot measure it. There are many business calculations that rely upon reasoned assumptions and educated conclusions without exact certainty.

There are very few areas of business in which it’s OK to invest blindly. Security has been a blind investment for too long. It is time that company leadership step in and take an active role in deciding which risks are being mitigated, transferred, avoided, and accepted.

I invite CFOs and CEOs to scrutinize their security programs like they scrutinize other spending in their environment. Doing so will help to ensure technology isn’t being purchased for technology’s sake but is actually delivering results. This approach will also emphasize building a program to drive results rather than relying on technology alone.

How can company leaders ensure they and their organizations are resilient enough to navigate the data protection landscape?

First, develop a strategic data protection program that defines the requirements for the people, processes, and technologies involved and that supports a clear risk-mitigation objective.

Building such a program first and then selecting technologies that support the program will mitigate the majority of the risk associated with a shifting technology landscape. I expect far more change in Information Security as this is still a relatively young space. It will continue to grow and evolve over the years. Building an effective, strategic program that matures over time is the best way to ensure the business objectives and technologies are aligned.

Second, reevaluate your relationship with service partners. If you are selecting a security service provider, vendor neutrality should be your first evaluation criterion. A service provider that is not vendor neutral provides little value to the client; often, they are acting as a contractor for their supported vendor. They can never be an objective advisor for their clients.

If a service provider is tied to a particular technology, they know that product is going to be the answer before you even ask the question. Working with a vendor-neutral service provider is in your interest because they can help you select the right technology, keep you abreast of what is changing in the landscape, and if a switch is necessary, help you execute that switch with minimal disruption.

Similarly, it is dangerous to get your services directly from the vendor. A technology vendor knows how to enable their technology. However, they will rarely have capabilities to design a fully mature and strategic program that transcends their technology. It is fine to use them for technical implementations and integrations. For emerging technologies, the vendor may be the ideal choice for the technical implementation. However, using a technology vendor for program design work is often a short-sighted approach.

Third, demand transparency into the expertise of your service providers. Many organizations buy all of their technology from a Value-Added Reseller (VAR). This relationship can be beneficial because a VAR can transact a variety of technologies for a client. However, not every VAR has the ability to work with specialized services partners that will deliver the value their clients expect. Ask your VAR who will be delivering the services and ask to meet the service provider. Some VARs have very good services partners. Others try to deliver services themselves or work with service providers because they have an existing relationship, not because they provide quality services. As technologies get more complex and more converged, the most important factor in whether an initiative succeeds or fails is the services provided to design the program and implement the technology.

Working with an experienced vendor-neutral managed services provider further insulates an organization from risk. Managed services clients consume the outcome of a program rather than interacting directly with the technology, so technology changes can be made with minimal disruption.

Put Your Business First When Planning Your Data Protection Program

I have always advised clients to treat technologies like tools in a toolbox. Good carpenters don’t need a specific hammer to do their job; they simply need a hammer.

The same can be said for individual capabilities inside a well-functioning data protection program. As long as the key capabilities are congruent, it does not matter which brand of technology is in use. The key when evaluating alternatives is to understand which capabilities are critical to your ability to execute your program—and evaluate those capabilities as you evaluate technologies.

Technologies and companies will come and go; that is the way of the world. Instead of choosing a vendor that you think will be around forever, instead choose a vendor that can do what you need right now and preserve your ability to switch technologies any time they no longer suit your needs.

 

Get an Objective Look at Your Future Security Strategy

InteliSecure is one of the few truly vendor-neutral managed data protection service providers, and we are invested in staying abreast of industry changes to ensure the success of our clients’ data protection programs. If you are evaluating your options, I encourage you to view our informative, on-demand webinar Navigating the Changes at Symantec/Broadcom. And as always, feel free to connect with our seasoned experts.