Former NYT CISO on simplifying security during budgeting season

Nearly every CISO that I’ve had a conversation with lately has had the same top of mind priority: the simplification of security operations.

Business premises in London. Image by Tim Sandle

For many companies, it is security budgeting season. At this time, in addition to planning for the year ahead with a consolidated budget, CISOs are also being tasked with one other thing – simplifying security operations.

This is according to Jason Clark, Chief Security Officer at Netskope, a cloud security provider. Clark was also the first-ever CISO of the New York Times.

Clark tells Digital Journal he has been speaking to dozens of CISOs/CSOs in the trenches each month. According to Clark, these business leaders are each asking the same question: “where should they start?”

Expanding on this, Clark says: “Nearly every CISO that I’ve had a conversation with lately has had the same top of mind priority: the simplification of security operations. They are being forced to simplify security, as budgets consolidate and the tech stack becomes too complex for long-term sustainability.”

Clark adds that there are a few areas that he would recommend evaluating first. These are:

Security’s greatest enemy is complexity

Clark says: “Therefore, the first area to focus on is the simplification of processes. In many cases, there are too many security controls in place without thinking about the resulting friction it puts on the business at large. By simplifying processes, you also eliminate a few of the unnecessary controls.”

Organizations should prioritize investing in the next generation of talent

Clark notes: “The most efficient, effective security programs hire young talent and develop them over time. At Netskope, we hire high school and college graduates, and provide mentorship and shadowing opportunities so they quickly learn and become more productive on the job.”

Focus on the capabilities versus the technology’s domains

Clark observes: “When evaluating the tech stack, it’s important to focus on the capabilities versus the technology’s domains, with the end goal of driving consolidation on platforms. For example, organizations can consider consolidating to one SASE solution collapsing technologies like DLP, VPN and SD-WAN (among others) into one secure access solution. This drives reduction in product and operating costs, but also significantly reduces risk because one ‘brain’ is driving all user and device access to all applications and data, regardless of where the users are located.”

Clark concludes with the advice: “Overall, I’m finding the best, most simplified security programs have four foundational solutions as the core of the security program, and those are: Secure Service Edge (SSE); Identity and Access Management (IAM); Security Orchestration, Automation and Response (SOAR) / Security, Information and Event Management (SIEM); and Endpoint Security.”

He adds: “Once the core of the security program is established, CISOs can address any missing gaps in each domain, with the best practice of spending the most budget on the largest or fastest growing risks within their business. For instance, many CISOs are moving 30-40 percent of their firewall spend to new capabilities because the firewall does not see that traffic or cannot decode cloud traffic. Many are investing in API security to fill a fast-growing risk. I’d also advise when filling any gaps to Shift Left in order to build security early on into the software pipeline. It costs significantly less to be proactive versus reactive, and this is how you get leverage in your application security program as well as in engineering.”

Clark’s closing recommendation is: “It’s no longer about checking the box to comply with security standards that were built some 20 years ago. It’s now about security simplification while remaining effective, proactive and cognizant of budget.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
