Boom… A little over a month ago, I published a blog around best of breed vs. best integrated vs. best of luck. Other related topics that CISOs, CTOs, and other C-Suite executives often discuss include Zero Trust Architecture (ZTA), Secure by Design, Best of Suite, and platform. Many CISOs and CIOs have strong opinions on these topics. Some feel ZTA is a bogus strategy and impossible to achieve, while others are committed to achieving it. Secure by Design is a dream many of us in the industry have had for decades. This blog will dive deeper into each of these topics, highlight companies in each area, and provide some talking points/benefits for each.
Defining Zero Trust Architecture (ZTA)
On the surface, Zero Trust Architecture is exactly what it sounds like: trust nothing without verification. This means verifying explicitly and using the principle of least privilege, where entities only have access when needed. Another key aspect is the “assume breach” mentality. While I understand the rationale, I prefer explicit verification over assuming a breach. For example, I know my house is secure because the doors are locked, and my dogs would alert me to any intruders. Similarly, a well-architected and monitored network should achieve the same level of security. Zero Trust is a continuous journey rather than a final destination.
Understanding Secure by Design
Secure by Design emphasizes integrating security into every layer of a system from the outset. As a CTO or CISO, fostering a culture of security by design is crucial. This approach includes principles like least privilege, assume breach, and defense in depth. Think of it like a car equipped with safety features such as airbags, seatbelts, and sensors. Similarly, your network should be designed with multiple layers of security. Achieving Secure by Design involves threat modeling, secure coding practices, and regular security training. Companies helping companies with this are Microsoft, Google, AWS, Cisco, IBM, Palo Alto Networks, and Crowdstrike. Crowdstrike has an interesting take on this as they push for “resilient by design” which I prefer as a practitioner. Security is always evolving and adversaries have even more resources to use against us. It’s critical to be resilient to achieve any level of success. Secure by Design is good as well so consider options of both when researching this for your own organizations
Best Integrated vs. Best of Platform
In a previous post, I discussed “best integrated,” which aligns with the concept of “best of platform.” This approach involves selecting a broad set of tools within an extensible framework that supports your goals and security needs. Always choose tools with built-in integration capabilities to ensure seamless operation. Some of the same companies as above are considered highly focused on on “best integrated” and walk the line into platform if customers wish to do so. Technology companies that focus on “platform” are Trend Micro, Qualys, Zscaler, Lacework, and Tenable. Thes companies focus on cloud-native solutions, compliance, advanced threat protection, insurance, and management solutions which all taken together help customers build a “best platform”.
Best of Suite
The best of suite approach involves selecting a comprehensive suite of security tools from a single vendor. Having worked at an investment bank for the past three years, I’ve seen a trend towards security consolidation. The managed services space is also growing as more companies outsource their security needs. While the initial cost can be higher, this approach requires careful planning and architecture. It is important to understand there are small differences in each of these. While Microsoft is on many of these lists it is due to the fact you can choose some or all of their capabilities. Google is very similar where you can look at Gartner, 451, or Forrester1 and they will have both companies highly rated. This is important for “Best of Suite”. Other companies to consider would be Salesforce, Oracle, SAP, Adobe, Workday, and ServiceNow. They have “platforms” around Enterprise resource planning, customer relationship management, IT Service Management, and Operations Management. They can integrate tools across marketing, sales, service, and commerce.
Conclusion
Over the past two blogs, we’ve explored best of breed, best integrated, best of suite, platform, and Secure by Design. Each approach has its complexities, costs, and challenges. It’s essential to consider the data and remember that “culture eats strategy” every day of the week. As a new CIO, CTO, or CISO, gaining buy-in from key stakeholders is crucial. My recommendation is to choose a framework, build your architecture based on existing capabilities, and develop a roadmap for gradual improvement. Change requires time and endurance, but with a strategic approach, you can shift the culture one tool at a time.
In conclusion, take a strategic approach rather than a tactical one to avoid constantly playing “whack-a-mole.” A well-developed architecture will align the C-Suite and help you create a robust security plan. Avoid making decisions based on personal preferences alone, and focus on building a cohesive and secure environment.
If I missed speaking with you at Blackhat, I along with the team at Boston Meridian Partners would be happy to jump on a call to chat about the state of the markets or help you navigate the M&A process. Please reach out to us via our webpage and LinkedIn below.
Boston Meridan LinkedIn Page <- Follow this company!
About the author
Shawn Anderson2 has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.
Throughout his career, Mr. Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.
Beyond his professional achievements, he is also recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.
Currently, Mr. Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.
Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.