Platform Paradox: Critiquing Security Ecosystem Risk after the CrowdStrike Outage
The recent CrowdStrike outage once again shines a light on the global dependence on software and the inherent fragility of such systems. It also invites critique of practices and trends that led a cybersecurity tool to cause the damage and disruption it is designed to prevent. As a veteran CISO of Fortune 50 companies, my diagnosis is this: security practices and vendor strategies have drifted away from operational and business risk management best practices.
The irony of the CrowdStrike outage invites frustration. It also presents an opportunity to reflect and course correct. We must take a sober look at the macro trends that made the CrowdStrike outage possible and take this opportunity to reciprocally design security ecosystems for better risk management and apply better risk management to the design of the security ecosystem.
Understand the macro trends that led to the CrowdStrike outage
On one hand, the CrowdStrike outage reinforced the need for robust software testing and guardrails. It exposed the risks of failing to incorporate these guardrails in agile DevOps practices and how quickly software failures can proliferate and cripple critical systems - especially when those systems over-rely on a single vendor.
It also exposed the pervasive and paradoxical failure to apply operational resilience and risk management best practices to cybersecurity tooling and vendor selection.
The purpose of cybersecurity is not to deliver impenetrable systems. Nor is it to disrupt business. Rather, the purpose is to satisfy the risk tolerance of the organization as defined by the board and reflected in the budget to prevent damage and minimize disruption. To be clear, cybersecurity is a boardroom issue. With increasing threats, oversight, and financial consequences, visibility and spending on cybersecurity have grown. However, security tools exist and must be scrutinized within a broader risk context.
Critique the all-in-one cybersecurity platform paradox
Vendor diversification is a well-established best practice. Amid digital transformation and cloud migration efforts, many organizations have adopted multi-cloud approaches to build resilience and vendor redundancies. However, in the cybersecurity space, there is a significant push toward vendor consolidation. This addresses some pains. But it also introduces new risks.
From a functional perspective, cybersecurity demonstrates one of the greatest needs for unification. The diversity of threats, sprawl of attack surfaces, volume of tools, distribution of owners, risks to business functions, and so on have proven too complex to manage across disjointed and siloed tools. Consolidation around vendors like CrowdStrike and Palo Alto Networks comes with the promise to alleviate these cybersecurity pains. However, we must ensure efforts to simplify and consolidate cybersecurity technologies do not come at the expense of robustness and resilience. As evidenced by the CrowdStrike outage, making critical business functions over-dependent on a single third party introduces business risks that undermine the core objectives of security programs.
This is an opportunity to critique and refine our solution philosophy with this as a central tenet: security must reduce net business risk. This means it cannot ignore or be exempt from the broader context of operational risks, vendor risks, opportunity risks, and business risks.
Revisit the security ecosystem solution philosophy
This leaves the question of how to alleviate security pains and deliver much-needed cybersecurity efficiencies while conforming to broader risk management best practices. Fortunately, we do not have to look to some hypothetical solution. Here are the best practices I implemented as a CISO to reduce operational risk while improving cybersecurity outcomes, buying power, and operational resilience.
Diversify your security ecosystem: Have a multi-solution and multi-vendor strategy. I practiced a two-solution strategy when I was responsible for the security and risk reduction of 400,000 endpoints. This approach provided redundancy and ensured the proverbial ship wasn’t going down with one storm. It also provided the flexibility to align and optimize tooling for different purposes and functions. No single vendor provides a best-in-class solution across all testing needs. I do not think this will ever change. On the contrary, as new technologies emerge with new risks and security demands, organizations that can onboard new security tools into their existing processes will have a distinct competitive advantage in their ability to rapidly and securely adopt enabling technologies.
Unify with an independent governance solution: The pains and needs driving organizations toward consolidation are real. However, single-vendor consolidation is neither the only nor the optimal solution. Teams should ensure their processes for governance and guardrails are not locked into their underlying technologies. Specialized tool-agnostic solutions like Application Security Posture Management (ASPM) platforms allow for a diversified and best-of-breed approach to scanning and testing technologies while tapping into the synergies and efficiencies of a unified ecosystem and platform experience for security processes.
Leverage flexibility to optimize spending and align budget with risk reduction: Security leaders must continue to deliver value to the organization by optimizing their security budgets for the strongest security posture. Here again, vendor diversification increases buying power and competition. An independent and flexible governance layer also liberates organizations to tailor their tooling and align budgets with security and risk needs without adding layers of complexity or compromising user experiences.
By adopting these best practices, organizations can enhance their cybersecurity performance, ensure greater resilience against disruptions, and better align their security ecosystem with the goal of net business risk reduction.
Looking ahead and applying lessons
The CrowdStrike outage highlights the necessity of aligning cybersecurity ecosystems with broader business risk management principles. Over-relying on any one vendor for critical functions - including your security program - is risky. Diversifying security ecosystems builds resilience. This does not have to come with complexity or costs. On the contrary, leveraging an independent governance layer positions organizations to improve security outcomes with best-of-breed solutions, securely adopt new and enabling technologies, and have greater buying power. As cybersecurity continues to evolve, adopting these best practices will safeguard critical systems and ensure security efforts and investments contribute to the organization’s strategic objectives and long-term success.