Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for SECtember.ai, Sept. 9-12, to hear keynotes from leaders at Anthropic, OpenAI, Google, Microsoft and CISA!

The Cybersecurity Tower of Babel Requires Focus on Business Fundamentals: Part 1

Home
Industry Insights
The Cybersecurity Tower of Babel Requires Focus on Business Fundamentals: Part 1

Blog Article Published: 07/11/2024

Written by Elad Yoran & Patricia Schouker.

The adage "the only constant is change" was relevant at this year’s RSA Conference when it comes to enterprise cybersecurity. While much attention was appropriately focused on the possible implications of AI on security, conversations with CISOs indicate that much of the change enterprises face is driven by the proliferation of security tools in recent years. With so many solutions needed to cover different portions of the environment, the result has been the fragmentation of enterprise security into a cacophony of disjointed reports and findings, making remediation even more challenging.


Security Solution Proliferation and the Law of Unintended Consequences

As businesses evolve, their attack surfaces expand and the number of potential risks to their systems, networks, applications, and data increases, whether on premise, in the cloud, or in a hybrid environment. In recent years, this dynamic has led to a rapid proliferation of security solutions specialized in identifying and managing risks in a specific area. Often, these solutions recommend a specific action to remediate the risks, such as applying a patch, reconfiguring a device, rewriting vulnerable code, or removing stale permissions.

The result is a well-lit “segment level” view of security risks and needed actions. However, the segments are effectively siloed and therefore complicate the understanding of higher-level enterprise-wide security and the management of the company-wide security strategy.

Complex company-wide environments with numerous security solutions pose considerable management challenges, both technical (such as aggregating, normalizing, and prioritizing diverse issues that lack standardization) and communicative (such as communicating with remediation teams that operate elsewhere in the company and do not report to the CISO).

"As security professionals we make changes to our stacks, adding resources to cover parts of our environment that we believe are not adequately monitored for security risks. While this may be necessary, I feel we are in a loop of adding more pieces to an ever-expanding Lego. We have tools to monitor even more tools and processes but lack contextual awareness. Why are we using these tools, how do we know they are effective, do they provide value to the company? These questions, to me, demonstrate that we operate without a full understanding of our company’s risk," remarked Gary Hayslip, CISO for SoftBank Investment Advisers.


Getting Back to Basics

How do enterprise CISOs address this challenging situation? While specifics varied, CISOs shared a common philosophy: the need to regain an enterprise-level perspective of security and accelerate remediation across IT, DevOps, Engineering, and other functional areas. Developing and implementing new cybersecurity workflows solutions is necessary, including consolidating and streamlining information, leveraging data science and context for prioritization, automating manual processes, and fostering collaboration across stakeholders. Stay tuned for Part 2 of this blog, where we’ll go further in-depth into these recommendations.


About the Authors

Elad Yoran brings over 25 years of cybersecurity expertise, having founded, led and successfully exited several pioneering cyber companies. Elad serves as a Strategic Advisor to the Cloud Security Alliance and Seemplicity, and on various company and government and industry boards such as the Army Cyber Institute and formerly the FBI’s Information Technology Advisory Council. His companies have been acquired by industry giants like Tenable, Cisco, CyberArk, Forcepoint, McAfee, RSA, SafeNet, and Symantec. He is a former U.S. Army officer, a veteran of Operation Restore Hope in Mogadishu, Somalia, and holds an MBA from the Wharton School of the University of Pennsylvania, as well as a B.S. degree from the United States Military Academy at West Point.

Patricia Schouker is the founder of Energy Bridge Global and a subject matter expert in energy and security based in Washington D.C. She leads business and strategy at PolySwarm and previously served as a Policy Officer at the European Commission, focusing on US-EU energy relations and cybersecurity. Patricia is an active member of Future Congress, advocating for integrating scientific and technological knowledge into the U.S. legislative process. She is a fellow at Oxford University and The Payne Institute at Colorado School of Mines. Patricia earned her degrees in Political Science and Economics in London and a Master’s in Strategic Intelligence Studies in Washington D.C. Connect with her on X: @Patricia_Energy.

C-LevelCloud Security Services ManagementCxOData SecurityEnhancing cloud security strategy

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Quantum-Safe Security Governance with the CCM
Top Threats to Cloud Computing 2024
AI Model Risk Management Framework
Trending This Week
#1 Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability
#2 AI is Now Exploiting Known Vulnerabilities - And What You Can Do About It
#3 Cloud Gaming and Data Security: Balancing Fun and Privacy
#4 MFAs for Hospitals: Password Sharing Workstations and Other Challenges
#5 Four Ways to Use the Cloud Security Maturity Model
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Cloud Security Alliance Releases Top‌ ‌Threats‌ ‌to‌ ‌Cloud‌ ‌Computing 2024 Report

Published: 08/06/2024

Zooming In: 6 Ways Cybercriminals Use the Black Market to Steal Zoom User Data

Published: 08/01/2024

Mitigating Risks During Mergers and Acquisitions in Healthcare with Security Testing

Published: 08/01/2024

Breach Debrief: Snowflake MFA Meltdown Creates Data Leak Blizzard

Published: 07/31/2024