Years ago, the MythBusters coined the phrase “If it’s worth doing, it’s worth overdoing.” Although that philosophy holds true in many areas (and is something that I tend to personally embrace), it probably isn’t the best idea for cybersecurity. Don’t get me wrong: IT security is undeniably important. What I have observed throughout my career, however, is that using too many cybersecurity tools can end up being just as problematic as not using enough.
One of the most compelling arguments for not going overboard with the use of cybersecurity tools is that some tools can interfere with other tools. Antivirus software has always been the classic example of this concept. The internet is filled with stories of what can happen when multiple antivirus programs are installed on the same system. Even so, antivirus software is far from being the only type of security software that is subject to interference. I don’t want to name names, but I recently observed a situation in which a security product identified an agent associated with another vendor’s product as being malicious.
Even if your tools do not interfere with one another, there are reasons why it may be prudent to limit your use of cybersecurity tools. Somewhat counterintuitively, using too many cybersecurity tools can potentially weaken your organization’s security.
There is a long-standing law of computing that states, essentially, that the chance of an exploitable vulnerability existing within an application is proportional to the application’s size. In other words, the chances that you will introduce a vulnerability into a system increase as you run more and more code.
Of course, cybersecurity products are designed to be secure. Any reputable security tool vendor is going to go the extra mile to harden its product against attack. These vendors also tend to minimize risks by limiting the use of open source code and other risky development practices. Even so, those who are responsible for testing a vendor’s security tools probably aren’t assessing whether problems occur when running those tools alongside competing tools.
Because cybersecurity vendors work hard to make sure that their tools are hardened to the maximum extent possible, it’s tempting to assume that running competing security tools side by side is a perfectly safe thing to do. Remember, though, that at least some types of security tools require elevated permissions to function. Running multiple elevated processes alongside one another can introduce unintended consequences.
Putting the technical reasons aside, there is a more practical reason for avoiding a large, sprawling collection of cybersecurity tools. While the trend is starting to reverse itself (at least, to some extent), enterprise security software has a reputation for being complex, and there can be a significant learning curve associated with using it. If the IT department is inundated with security tools, then there’s a good chance that they won’t be using the various tools to their full potential. In fact, it’s probably a safe bet that when faced with an overwhelming number of security tools, the IT staff will simply abandon some of the tools and stick to using a few of their favorites.
Unfortunately, there is no such thing as a perfect security tool. That being the case, organizations have little choice but to adopt multiple security tools to remain secure. In doing so, however, it is necessary to strike a balance between having too many tools and too few tools.
The trick to achieving this balance is to avoid taking a reactive approach to security. The mistake that organizations so often make is to identify a problem, and then purchase a tool that specifically addresses that particular problem. While this approach seems logical on the surface, it actually leads to security fragmentation. The use of numerous cybersecurity tools, each of which is designed to address a particular challenge, results in the creation of management silos. Additionally, there is a good chance that security blind spots will exist because of the gaps between and among the various products’ areas of coverage.
The other big problem with taking a reactive approach to security is that the planning process is typically rushed. In a reactive environment, a security incident may have already occurred, or the organization may have identified an imminent security threat. In either case, the IT department scrambles to put a solution in place as quickly as possible.
A better solution is to take a proactive, architectural planning approach to security. Rather than focusing on individual security challenges, it’s better to identify the specific infrastructure components that need to be protected, and then adopt a series of best-of-breed solutions that can collectively provide defense in depth across all of the organization’s IT resources. This approach helps to reduce costs, avoids the proliferation of unnecessary cybersecurity tools, and prevents security monitoring blind spots.