What past ERP mishaps can teach CISOs about security platformization

Research studies indicate that the average enterprise has between 40 and 80 separate security tools, a broad inventory that often leads to multiple security data silos, integration challenges, constant maintenance and tuning, and alert fatigue. 

Recognizing the challenges of this situation and the potential market for unified solutions, cybersecurity technology vendors like Cisco, CrowdStrike, Fortinet, Microsoft, Palo Alto Networks, and Trend Micro have been cobbling together security technology “platforms” — integrated product bundles that aggregate areas such as cloud security, email security, endpoint security, network security, SIEM, threat intelligence, and so on.

Hmm. Moving from independent tools to an integrated architecture with a centralized database acting as the single point of truth. Where have we heard this before?

ERP migrations set the stage for platform challenges

We older technologists may remember a similar migration to enterprise resource planning (ERP) in the 1990s.

At the time, large organizations had independent departmental applications in areas such as finance, inventory management, supply chain management, HR, and manufacturing, resulting in disparate processes, separate teams, and no centralized view of the business. ERP systems promised a “central nervous system” for the business, aggregating departmental data into a single, shared database and providing a unified, real-time view of the company’s operations. Driven by Y2K, enterprises raced toward ERP nirvana throughout the decade.

Alas, it wasn’t so easy. ERP migrations were fraught with challenges like incompatible data formats requiring massive ETL and data transformation efforts. Many firms faced long and arduous efforts to customize ERP for their industry and organizational needs. Some organizations botched project planning leading to lengthy implementations and cost overruns. And in their focus on a hasty technology transition, many firms forgot to execute necessary organizational changes like gaining employee buy-in, modifying processes, and training technicians. This led to political strife and even outright project sabotage.

While there’s no Y2K-like sword of Damocles hanging over CISOs’ heads, many security executives are considering security platforms for security efficacy, operational efficiency, and/or financial rationalization. Those still sitting on the fence are frequently persuaded by CFOs to at least consider this option. 

5 tips for getting security platformization right

Current trends suggest that in many enterprises, security platform migration is inevitable in the short or long term. Given this, CISOs would be well served by carefully studying the mistakes made with ERP and planning accordingly, applying proven best practices.

Based on my research, here are a few suggestions:

Get executive buy-in and vocal leadership. Successful ERP migrations were driven by clearly defined business goals and passionate executive teams. Similarly, security platform migration should go beyond limited security and/or financial benefits alone. CISOs should prepare a business case demonstrating how a security platform will improve business-critical system protection and deliver cyber resilience to the organization. 

Once the board of directors and executives are committed, they should oversee project implementation objectives, provide organizational and employee incentives for meeting success metrics, and visibly cheerlead the effort. For their part, CISOs should continually communicate project progress in business — not just technical — terms.

Focus first on the security team, not the technology. ERP migrations were often impaired by doubtful IT employees myopically focused on their pet technologies or limited responsibilities. Correspondingly, some security professionals will be reluctant to give up their favored tools (i.e., “server huggers”) and individual tasks. 

CISOs must win over these naysayers by refocusing them on the overall mission of protecting the organization, and then carefully educate them on how a security platform aligns with this objective. Make sure to support the team with the services and training they’ll need for a successful technology transition, and offer team and individual incentives for making that transition.

CISOs would also be wise to think about folding career development opportunities into their security platform planning. 

Plan for project phases, not ‘big bang’ implementations. ERP implementation challenges were often associated with overly aggressive project timelines. This led to project delays, cost overruns, and ultimately business impact. 

In one famous example, Hershey’s had an ERP-related system outage during the Halloween season and couldn’t ship products to its distributors. This led to lost market share, quarterly revenue impact, and a decrease in its share price. 

To deliver value through a phased approach, organizations should start with a dependency map to understand all the idiosyncrasies and connections of the existing architecture. Clearly map out the future state, including data and workflows, and use this to determine how and where to start replacing tools.

Build an overlay implementation that mirrors the existing infrastructure. Create a test and rollback plan. Determine technical and business metrics — and executive reports — for each phase of the project.

CISOs should follow the adage and consider patience a virtue throughout the project. 

Start the technology journey with a modern data pipeline. Once IT teams rolled up their sleeves on ERP projects, they discovered data inconsistency everywhere. Finance systems referred to a major supplier as Acme Inc., CRM systems used ACME Incorporated, and each system used different customer numbers and billing addresses. This led to lengthy ETL processes to gain data reliability.

CISOs should overcome similar issues by focusing on data pipelining for achieving data quality, consistency, and accessibility. This will help break down data silos and build a single source of cybersecurity truth. A scalable data pipeline will ultimately accelerate the delivery of trustworthy data for analytics and decision-making. Again, this will deliver security and business benefits. 
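The security equivalent of the Acme Inc. / ACME Incorporated problem is the same asset or owner appearing under different names and identifiers in every tool's export. As an added illustration (not code from the article or from any vendor platform), the following Python reconciles two constructed feeds, a hypothetical EDR export and a hypothetical vulnerability-scanner export, into one record per asset. Host names are reduced to a canonical key, organization names are folded the way the article describes, and the merged record keeps track of which source supplied each field so that coverage gaps between tools surface instead of being silently hidden. The suffix list, feed names and sample rows are all assumptions made for the example.

```python
"""Reconcile asset records from two security-tool exports into one canonical view.

Added example, not part of the original article. The two feeds below are
constructed sample data from hypothetical tools labelled "edr" and "vuln".
"""
import re
from collections import defaultdict

# Legal-form suffixes that vary between systems yet name the same organization.
# Constructed list for the example; extend it for real data.
SUFFIXES = {"inc", "incorporated", "corp", "corporation", "llc", "ltd", "limited", "co"}


def canonical_org(name: str) -> str:
    """Fold case, drop punctuation and trailing legal suffixes.

    'Acme Inc.' and 'ACME Incorporated' both become 'acme'. At least one token is
    always kept so a name consisting only of a suffix is not reduced to nothing.
    """
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    while len(tokens) > 1 and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def canonical_host(host: str) -> str:
    """Lower-case and strip the DNS domain so 'WEB01.corp.example.com' matches 'web01'."""
    return host.strip().lower().split(".")[0]


# Constructed sample exports. Field names differ per tool, as they do in practice.
EDR_EXPORT = [
    {"hostname": "WEB01.corp.example.com", "owner": "Acme Inc.", "edr_id": "E-1001", "os": "Ubuntu 22.04"},
    {"hostname": "db02", "owner": "ACME Incorporated", "edr_id": "E-1002", "os": "Windows Server 2022"},
]
VULN_EXPORT = [
    {"asset": "web01", "owner": "ACME Incorporated", "scan_id": "V-77", "critical_findings": 3},
    {"asset": "mail01.corp.example.com", "owner": "Globex Corporation", "scan_id": "V-78", "critical_findings": 0},
]


def merge_assets(edr_rows, vuln_rows):
    """Build one record per asset keyed by canonical hostname.

    Each record remembers which sources contributed, the tool-specific identifier
    from each source, and whether the owner attribution conflicts after
    normalization. Conflicts are flagged rather than resolved by guessing.
    """
    working = defaultdict(lambda: {"owners": set(), "sources": set(), "source_ids": {}, "fields": {}})

    for row in edr_rows:
        rec = working[canonical_host(row["hostname"])]
        rec["owners"].add(canonical_org(row["owner"]))
        rec["sources"].add("edr")
        rec["source_ids"]["edr"] = row["edr_id"]
        rec["fields"]["os"] = row["os"]

    for row in vuln_rows:
        rec = working[canonical_host(row["asset"])]
        rec["owners"].add(canonical_org(row["owner"]))
        rec["sources"].add("vuln")
        rec["source_ids"]["vuln"] = row["scan_id"]
        rec["fields"]["critical_findings"] = row["critical_findings"]

    merged = {}
    for host, rec in working.items():
        unique_owners = sorted(rec["owners"])
        merged[host] = {
            "owner": unique_owners[0] if len(unique_owners) == 1 else None,
            "owner_conflict": len(unique_owners) > 1,
            "sources": sorted(rec["sources"]),
            "source_ids": rec["source_ids"],
            **rec["fields"],
        }
    return merged


def coverage_gaps(merged):
    """List assets seen by only one tool: the silos a single source of truth is meant to expose."""
    return {
        "edr_only": sorted(h for h, r in merged.items() if r["sources"] == ["edr"]),
        "vuln_only": sorted(h for h, r in merged.items() if r["sources"] == ["vuln"]),
    }


if __name__ == "__main__":
    assets = merge_assets(EDR_EXPORT, VULN_EXPORT)
    for host, record in sorted(assets.items()):
        print(host, record)
    print("coverage gaps:", coverage_gaps(assets))
```

Run as-is, the script shows `web01` collapsing into a single record with owner `acme` and identifiers from both tools, while `db02` and `mail01` are reported as seen by only one source. In a real pipeline the canonicalization rules would be versioned alongside the data so that a later rule change can be replayed over historical records rather than applied inconsistently.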

Use the transition for process re-engineering. Too often, organizations tried to force fit existing business and technology processes into new ERP systems, leading to complex customization and political dissent.

To avoid a similar fate, CISOs should use platformization as an opportunity to modernize and automate inefficient and/or manual processes using baked-in security orchestration, automation, and response (SOAR) and AI functionality. Make sure to find ways to remove security bottlenecks in business processes, such as onboarding new users or providing timely reports to business managers.

Overall, CISOs should make process re-engineering part of the planning, testing, and implementation aspects of the project. 

Inflection point for CISOs?

It’s worth noting that the migration to ERP systems is often cited as an inflection point, when CIOs went from technical administrators to critical business executives. Prudent CISOs may benefit from platformization in a similar manner.
