Vendor consolidation and hacker-powered programs can reduce costs and improve cybersecurity, argues this bug bounty expert.
Remember those pre-pandemic days when you thought your security scope was complex? Now, with employees working from home, new video-and collaboration- apps being rolled into our daily workflows and less physical oversight of devices and access, it seems like we are all longing for the seemingly-airtight security of 2019, right?
For many organizations, it may seem that the COVID-19 crisis has put security risks into overdrive, but much of that risk had actually been on the rise as businesses gradually shift towards digital services and cloud-based systems. The pandemic has only sped up the realization of that technology transformation.
Subsequently, security teams are asked to protect a growing attack surface but often with fewer resources; and they must do it faster and more effectively. However, using the same old methods/processes/tools is clearly not going to maintain pace with this ever-expanding need. And remember, this is just within the context of digitalization before COVID-19.
Attack surfaces up, resources down
The pandemic has forced organizations to deal with shrinking budgets, streamlined teams and dwindling resources. In May, research firm Gartner found that nearly two-thirds of companies are making significant cuts this year due to the economic consequences of the pandemic. While experts can suggest ways to deal with those cuts, doing more with less will be the new normal for the foreseeable future.
Security teams are now faced with two options: maintain the status quo while struggling to keep up with threats; or fundamentally shift how they think about security. Vendor consolidation is one way in which security teams have been coping. But simply slashing apps and services based on cost is not always the best solution. A better approach is to look at the problem more pragmatically by starting with an evaluation of the existing security stack first and then taking steps towards balancing security needs with the benefits of each app.
Here are some best practices that I recommend if your security team is considering cost cutting and vendor consolidation:
Optimize your security stack
First, you may be paying for some tools that return little value or are rarely used—both in security and across your entire organization. Consolidation across your business reduces the threat surface and saves money. In fact, McKinsey asserts that up to “30% of IT spend can be saved” by, among other things, “decommissioning applications with little usage”.
That same concept can be applied to your security toolbox as well. Using a suite of fragmented security vendors actually limits an organization’s ability to scale security, and you end up paying full price for many different solutions that could be accomplished more efficiently with fewer solutions.
It has been reported that mid-sized businesses use up to 60 security tools, while larger enterprises can have well over 100 security tools deployed. While overlap is more than likely, gaps are still inevitable with the ever-evolving attack surface.
Each point solution adds cost, but also consumes security resources to manage. Moreover, overspending on a patchwork of different solutions reduces available budget for more critical security priorities. The end goal of consolidation is to increase effectiveness while reducing both the spending and the number of solutions. The only way to reach this goal is by working with favored vendors to expand their services and solutions within your security apparatus.
Better yet, replace multiple existing solutions with a single, more modern, more impactful solution.
Achieve greater value with consolidation
Consolidation can save money, reduce complexity, and open up new areas of benefit and efficiency. It is a trend many security teams are taking advantage of as they experience the double-whammy of budget pressure and an increasing threat surface as a result of digitalization and the pandemic’s impact on IT and security projects.
However, reducing the number of point solutions is not a solution in and of itself. Those systems were considered necessary at some point, so while eliminating them takes away a resource and budget burden, it does open up the possibility of some things slipping through the cracks.
Every tool and its benefits should align with a significant risk in the security framework. Furthermore, each tool should reduce overall risk, show a quantifiable reduction of risk, and be capable of sustaining that risk reduction.
If you already have a trusted security vendor, start working with them to evaluate how their other solutions and services can help you improve your security and reduce risk. You may find that you can eliminate several other tools and vendors while also getting more insights that help you save time and money. Greater efficiencies can be realized when organizations shift towards platform-centric solutions, with access to multiple tools as opposed to a single tool.
One area that is ripe for vendor consolidation is application security (AppSec) testing. Most organizations end up spending too much on security testing by utilizing a confusing array of security vendors. It is best to work with one vendor to address an organization’s security testing and compliance needs and to simplify vulnerability management. This will help reduce total security spend and help you do more with less vendors.
We are thereby led to the consideration of hacker-powered security testing: it allows organizations to address all of their security testing and compliance needs with one vendor. Hacker-powered security programs and services such as bug bounty programs, hacker-powered penetration tests and vulnerability disclosure programs all utilize the global hacker (or security researcher) community to find unknown security vulnerabilities and reduce cyber risk.
In all of these programs and services, talented hackers work to identify vulnerabilities before they can be exploited by criminals. It is a fast, structured, and proven model for crowdsourcing the right expertise, applying it when and where you need it, and paying only for results.
The key benefit of hacker-powered security is that it also allows security teams to consolidate AppSec testing down to one vendor to reduce the time spent on vendor management and also integrate with existing systems and processes to minimize operational overhead. And if an organization is worried about security gaps, they can also extend security coverage by pairing their bug bounty program with a VDP that offers organizations a cost-effective approach to harden the entire attack surface by reducing risk without additional resources.
Finally, hacker-powered security also provides insights into an organization’s overall security posture that can help security teams allocate spending depending on where vulnerabilities are uncovered.
By placing greater emphasis on vendors that can address multiple security concerns, organizations can reduce costs while improving their security posture.