Dive Brief:
- Gartner analysts are calling for organizations to adopt a "minimum effective toolset" for enterprise security, using the fewest technologies required to observe, respond to and defend against threats.
- It's a plea for vendor consolidation, which three-quarters of security leaders are advocating for or working toward, Gartner data shows. Yet Gartner actually takes a lot more calls about exploring new technologies than it does about consolidations and reductions, said Leigh McMullen, Gartner distinguished VP analyst, speaking at the Gartner Security & Risk Management Summit in National Harbor, Maryland, on Monday.
- People have a seeking mindset, which "causes us to buy or acquire before we're quite sure we know whether there will be truly additive value to the tool," McMullen said.
Dive Insight:
Gartner drew on myth busting for its keynote, catchy branding that will get the conference’s more than 4,300 attendees discussing a common theme. It's also a preview of the Tuesday keynote, when the original MythBuster Adam Savage takes the stage.
Monday's keynote drove home the sentiment that less is more in security. More data, cybersecurity professionals or controls will not, in fact, lead to more protection.
"The technological rats' nest that we all have in place isn't just you good folks chasing the next bright shiny thing," McMullen said. "A lot of the time in cybersecurity, we've inherited architectures we didn't design and you just can't clean it all up at once."
"A lot of cybersecurity technology is driven by the technology choices of other parts of the enterprise," he said. "So sometimes what looks like your acquisition sticker was just us plugging holes we didn't create."
Vendors are trying to make it easier for organizations to embrace centralized security solutions by weaving security into core products. Microsoft's security revenue doubled in the past two years as customers consolidated their security stack.
Even though CISOs and IT decision makers have access to additional funding to spend on cyber, they are focused on maximizing the value of their existing security tools, Nuspire research found. The goal is to create a more streamlined and simplified security environment.
The problem, as Gartner identified, is making sure companies actually consolidate and simplify their stack.
One area that may help is changing the language around vulnerabilities and what organizations need to respond to with vigor. "We say exposure here rather than vulnerability deliberately," McMullen said. "This is part of that minimum effective mindset switch."
"There are an infinite number of possible vulnerabilities out there," he said, "but only a finite amount of exposure."