Does it actually make sense to have multiple cybersecurity point solutions that serve the same purpose? Or does that added complexity just weaken your overall security posture?

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, 2 years ago

I have used different solutions when it was better for geo location needs and the teams. Some vendors' solutions just don't have the needed support in all locations.

Director of Network Transformation, 2 years ago

Not something I recommend. Multiple point products add confusion, complexity and increase cost which ultimately leads to poor security (and technology) outcomes. I recently attended a conference where the speaker cited a study showing the average Fortune 500 company has 76 security point products. Of these, only half are fully deployed. That is a lot of shelf-ware.

Understand the business problems you are looking to solve and then focus on the tools. Keep a sharp eye on the portfolio and outcomes. And don't chase the silver bullet technology. That is what got us here!

Head of Information Security in Services (non-Government), 2 years ago

It depends on how good the solution is at addressing your security needs. I lean towards simplifying the security stack, but in some cases existing solutions just don't provide the level of security that you need. If your company works with a major technology vendor that purports to be everything to everyone, then even if it does some things really well, there may be other things that it doesn't do well at all. For example, maybe that vendor doesn’t have a great privileged access management solution, in which case you would need to get something like CyberArk. It just depends on how good each of your solutions is at doing what it purports to do.
