Best of breed or end-to-end security stack

One of the discussions that I often have with senior IT decision makers is about the overall security architecture and how the different layers of security mechanisms work together. In these talks I often see that security in enterprises is approached in layers where, on purpose, security elements and products from different software vendors are used. I call this the best-of-breed approach, as for each security function one can pick the top performer on the market. The main motivation behind this is that if there is a weakness in a product from one vendor, the same problem will not be found in the underlying security layer, as it is not from the same origin.

Sounds great? Clearly adds more security? Well, yes in theory, but maybe no in practice. The reality is that with the financial pressure that is common on today's systems integrators, operations resources (financial, people and know-how) are scarce, and the nicely designed layered approach suddenly has gaps because the complexity is just too high to be handled properly. This then leaves gaps in the defense. In addition, the interaction of different products is often not well known. What hurts in that regard is that security patches can only be applied once thorough testing has occurred – which in turn takes time and resources, and means that crucial patches are applied later and the window of opportunity for an attack is open longer.

This raises the question: what in practice brings you more security? The best-of-breed approach that is seldom fully implemented, or the end-to-end security stack where your dependence on one supplier is increasing? How much of that dependence do you have already anyway? I observe a move to the second approach – mostly out of lack of operational resources – also in large enterprises with quite a high security level. I see this accelerating even more in the future, when we have more and more security solutions that are offered as cloud or hybrid services where platform compatibility will be a large factor. Does that mean we are having a sort of consumerization of IT also for security?

About the Author

Reto is a partner at PwC Switzerland. He leads the Cybersecurity practice and is a member of the PwC Digital Services Leadership Team. He has over 15 years of work experience in an information security and risk-focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe, and he also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.
