Do we Really need new tools?
Provocative headline, I know! Let me explain what I mean by that title. As a cyber security consultant, I am meeting customers all the time who are using a multitude of different hardware and software solutions from different vendors. Many times, they are asking for additional tools, to mitigate an identified risk, or for compliance reasons. Often there are good reasons for these requests, but implementing a new tool in an already complex infrastructure is not something that should be approached without trepidation.
Here I am going to bring in one of my favorite frameworks for working with cyber security, CIS 20. CIS 20 consists of 20 different major controls, the first two of which are:
- Inventory and Control of hardware assets
- Inventory and Control of software assets
Unfortunately, many companies/organizations do not have complete insight into these first two controls. First, that leaves the organizations open to compromise, since they will be unable to patch or maintain the assets they did not know were running in their infrastructures; second, they will also be unaware of the complete functionality of the assets they do know about. This brings me to the reason for the provocative headline in this article.
What do we have running?
Before we advise our clients and customers to get more tools and hardware, thereby increasing the complexity of the customer's infrastructure, we should acquire an overview of the vendors and tools already present in the infrastructure. Any organization will have a multitude of different vendors and hardware running, sometimes because of complacency, but more often because of a lack of a concrete strategy or architecture guiding the purchase of these tools and hardware. Having a strategy and/or an architecture in place for the infrastructure needs of an organization will make the infrastructure much easier to maintain. Okay, I got a little sidetracked here, but the point remains!
A concrete example will make my point clearer. I have been doing firewall reviews for customers for some years now. These reviews are aimed at keeping the firewall well maintained and making sure that the rule set still reflects the infrastructure and the threats that the organization faces. Almost all of the organizations that I have been doing these reviews for have bought firewalls with a massive set of features and functions, just to make sure that this gizmo will be able to cover the needs of the organization. Equally often I see that many, to most, of these functions are unutilized, or the staff running the firewall do not know of these functions. IDS/IPS is one of my favorite tools in the cyber security arsenal, and most firewalls come with these functions built in, yet these are functions that often go unused in the firewalls I have reviewed.
I should say here that the firewalls I review are mostly the enterprise ones from:
- Firepower from Cisco
- Check Point
- Palo Alto
All of these come with a massive set of functionalities for the modern enterprise. This is not a recommendation of these vendors; there are other vendors out there that can cover the needs of a modern enterprise, these are just the vendors I have specialized in, on the firewall side. Back to my point of not needing new tools.
The organization has spent an awful lot of money on these firewalls with a lot of functionality built in, but is not using all these functions. If I see that being the case for a firewall, I can safely assume that the same goes for other tools in the organization, even if these tools are not security related. There are three points I would like to make here:
- It is a waste of money for functionality that goes unused.
- It is a waste of the money that goes into buying additional hardware or software to cover tools/functions that money has already been spent on, for instance on the firewall.
- Increased complexity in the infrastructure is never a good thing.
So, aside from the first two CIS 20 controls being focused on cyber security, they can just as well be used as a way of saving money in an organization. As cyber security consultants we should be viewed by our customers as trusted advisors, and one way of achieving this difficult goal is by pointing out ways of saving money, while at the same time not increasing the complexity of the customer's infrastructure. An additional benefit here is that the staff already on board at the organization are already familiar with the existing technology solutions. No need for additional training or head counts. Will the salespeople not become mad if we do not recommend additional sales? Let's cover that next.
The Salespeople
No, I did not forget the salespeople. Of course, they are focused on selling, it is their job! We as consultants will often be called out to various pre-sales meetings to help come up with a solution to an identified problem at a customer. Hopefully, it is a customer we already know and have worked for before, thus giving us an insight into their infrastructure and the business needs the infrastructure has to service. Should we, if we want to be trusted advisors to the customer, recommend additional software/hardware if we know they already have the capability in already implemented systems? No! Yes, there will be salespeople that become mad when we do that, but before returning that anger, let us remember that the salespeople have sales targets that they have to meet as part of their jobs, and if it is the end of a sales quarter, then they will be even more focused on additional sales, or they might just have a bad day, just like the rest of us. Vilifying the salespeople is a favorite pastime for any technician, but remember that without their skills we would not have any consulting jobs to pass the time. So, nurse good relationships with the salespeople; this will help us develop the trusted advisor role with the customers!
Becoming a trusted advisor to a customer is far more valuable than a single sale. It will result in even more sales down the road, because the customer, or organization, will return to us with new projects, because they trust us! That is a far more valuable position to be in for any vendor, consultant or salesperson.
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.