Infosec tech stacks have a long and complex history that dates back to the days of mainframe and COBOL programming. Many fintech organizations still have mainframes or something akin to them in the form of big computing, such as AIX or other complicated legacy platforms.
Mainstream infosec tools tend not to support these legacy platforms very well. This can very, very easily create gaps in coverage. While legacy platforms generally represent small portions of overall business portfolios, their significance often steers entire infosec tech stacks. This in turn can create larger gaps in other more mainstream areas.
To compensate for this complex heterogeneous environment, many organizations end up with a best-in-breed point solution for security tools and functions. Sometimes there’s even a conscious decision to duplicate functionality across multiple tools in order to ensure platform coverage.
In short, this type of cybersecurity tooling has created a real mess for CISOs, infosec directors, and other technology leaders. More often than not, the way fintech orgs’ tech stacks were constructed causes business inefficiency and gaps in security coverage.
Are Infosec Leaders Aware of This Problem?
As a senior leader in fintech today, it’s impossible not to notice the challenges presented by struggling infosec tech stacks. The consequences of having poor security in fintech are severe, and organizations are constantly battling their own tools to stay afloat.
It’s the complexity of their cybersecurity tech stacks that keeps many of these leaders up at night. In fact, according to a recent Gartner survey, more than 75% of the respondents were planning to consolidate their security portfolios in order to streamline their tech stacks.
Infosec tech stacks are definitely on the radar, but they’re also somewhat limited based on the state of the business itself.
How Did Infosec Tech Stacks Become Such a Problem for Fintech?
As I’ve already mentioned, financials were on the early bandwagon with computing, and now the fintech sector is dealing with what we call tech debt. However, there are other factors that have caused this situation, too.
Historically, fintech security professionals have been overly predisposed to a best-in-breed approach. They were very focused on solving specific problems in the security realm.
In the early days, you didn’t need that many tools. There were fewer problems to solve, and tools were pretty good at the one or two functions they were designed for.
Fintech security became laser-focused on specific functionality and filling coverage gaps, and concepts like enterprise architecture and big-picture thinking never really got a seat at the table.
Also, the tech industry as a whole didn’t really do fintech any favors. To this day, we still tend to focus on ranking vendors and tool functions by segment, saying tool X is really good at these three things, but it’s bad at these two things.
When we rank individual tools like this, the media coverage continues to drive decision-makers toward that best-in-breed approach. That in turn proliferates the vendor and tool sprawl. Instead, we should be looking at infosec as a platform and managing the portfolios as an integrated stack.
Should Fintech Companies Run Audits of Their Infosec Tech Stacks?
At this point, fintech companies that haven’t started reviewing their portfolios and making incremental adjustments to their infosec tech stacks are behind their peers. Without a doubt, this is a review that every fintech company should perform.
As we come out of the pandemic, the U.S. is doing reasonably well, but the rest of the world still hasn’t fully recovered. Larger global businesses are especially cash-strapped at this moment. At the same time, businesses are continuing to cut information technology at a slow but steady pace.
A strategically executed consolidation project can offer businesses a viable means to redistribute scarce financial resources to projects that provide a greater return on investment.
First, making strategic cuts helps you responsibly manage your organization’s risk. It’s important that you don’t take a broad cut and accidentally eliminate something important, creating a hole in coverage.
Second, strategic cuts to your infosec tech stack help you do more with your spend. Consolidating your portfolio will generate savings by eliminating vendors and tools. You can then redirect those savings toward more value-added parts of the company.
It’s better to plan for restructuring than to back your way into a financial task. You’re often forced to make tough decisions when you have to back your way into a cut — especially in security.
Can Companies Run Their Own Infosec Tech Stack Evaluations?
Never say never, but your ability to evaluate your own infosec tech stack comes down to whether your staff can be objective. If your staff has the talent to take a step back, be objective, and apply an external lens from the outside looking in, then the answer is probably yes.
But if we’re being honest, most organizations struggle with maintaining objectivity. It’s difficult to remove yourself from a situation that you’re immersed in and have an unbiased perspective about it.
In larger organizations, security functions are often siloed. Individuals are extremely skilled and deeply knowledgeable in their specific security functional area. However, they’re often less skilled in adjacent security functions.
You might have someone who’s been working on data loss prevention (DLP) for 10 years. They really know DLP, but they don’t know endpoint detection and response (EDR) because it’s someone else’s responsibility.
If your DLP person is running your eval, how are they going to objectively look at integrating DLP with EDR, when they don’t really know much about EDR? Because of that isolation, the very problem that needs solving is a lack of big-picture thinking.
Most organizations are not well-suited for objectively performing internal evaluations. It’s far more likely that turf wars will ensue, and internal politics will take over your audit.
Should You Hire a Third Party to Run Your Infosec Tech Stack Evaluation?
A neutral third party can bring a few things to the table. First of all, it’s a great way to balance the scales and get a better look at the bigger picture. A third party won’t have specific skin in the game for any particular organization, so they’re much more likely to provide an unbiased view.
It’s easy to get isolated from what’s going on in the infosec world around you if you only operate within a single organization. But when you bring in a third-party vendor, it’s specifically their job to be engaged in that world.
You’re paying for their awareness and expertise, their vendor partnerships, and their skills. An outside firm can bring a current industry view to the table, which may not readily be available from the inside.
On the flip side, it is important that your third party doesn’t try to push an agenda or hawk specific products due to vendor partnerships or kickbacks. It’s up to you as a leader to make sure the recommendations are genuine. Challenge any recommendations that don’t feel right or don’t seem to fit with your organization.
How Does Black Kilt Approach Infosec Tech Stack Evaluations?
Like any other firm, Black Kilt starts tech stack evals by looking at existing information to understand what is and isn’t working for the client. This can include information from recent pen tests, audits, portfolio assessments, and budgetary meetings.
However, Black Kilt goes the extra mile by examining our clients’ integrations. We’ll look at what tools you have and haven’t already integrated, and which tools have good potential for integration.
We understand that replacing a tool that’s currently integrated is always harder than replacing one that’s standalone. For example, a company that has a stack of 30 tools with 15 of them highly integrated into their environment should expect it to be complex and expensive to unravel and rebuild those integrations into a new and leaner tool stack.
With this in mind, Black Kilt can give you a project roadmap that fits both your timeline and your budget. Many of our engagements are self-funded by the savings generated from consolidating your portfolio.
Whether you’re starting from scratch or need a helping hand from outsiders, Black Kilt is here to help you with all your infosec tech stack needs. Contact us today for a free consultation.