Freely subscribe to our NEWSLETTER

While employees and organizations are busy settling into remote or hybrid working, cybersecurity professionals continue to grapple with the challenges that come with a rapidly expanding network perimeter. And with every new ransomware attack that hits the headlines, it would be fair to assume that adding more security products or vendors would make a company more secure. But that’s not the case.

According to a recent survey, conducted with Vanson Bourne, one of the biggest challenges of securing a remote workforce is in fact managing multiple point-products or vendors. This is due to poor visibility and gaps between the protections that each product delivers, not to mention the complexity (and higher cost) of managing multiple vendor relationships. Almost all respondents in the survey (87%) believe that consolidation is an important part of securing the remote workforce, yet despite knowing this, over half (54%) reported that their organizations use more than 10 point-products. The healthcare sector is furthest behind the curve in this regard, with nearly eight in 10 organizations using more than 10 separate point-products.

So, what’s holding organizations back? If the benefits of consolidation are so clear, why aren’t more doing it?

Saturated security market

One of the key reasons organizations are falling behind when it comes to consolidation is that decision-makers are, to all intents and purposes, spoiled for choice. The security market is heavily saturated at the moment, particularly in light of the move toward remote or hybrid working. Yet, despite organizations needing more robust security measures than ever before, budgets are tight and many feel pressured to only focus on the specific problem they face today. This is particularly true of the healthcare sector.

According to Deryck Mitchelson, Field CISO at Check Point and former CISO at NHS Scotland, “Managers have become accustomed to making short-term decisions to solve immediate problems instead of considering more long-term, strategic approaches to addressing their security concerns.”

There are many reasons behind this tendency, not least the concept of vendor lock-in, which is still highly prevalent in the industry. Ongoing subscriptions make it difficult for organizations to switch vendors. Likewise, it’s becoming increasingly difficult for vendors to get customers to commit to a relationship spanning multiple years. Such relationships take time to nurture and reach their full potential. “With the threat landscape posing immediate risks, it’s probably more realistic and achievable for organizations to leverage and integrate a smaller number of vendors than commit to any single one,” says Deryck.

This multi-vendor approach might offer a fix for short-term problems, but it puts a great deal of strain on security teams who might not have the resources to adequately vet every product or vendor. CISOs might have a good idea of what’s best for their own organization, but it’s difficult to apply that knowledge to an ever-expanding list of disparate vendors that are pulled together under one umbrella.

Healthcare organizations have complex networks

As healthcare is the least consolidated sector, it’s an ideal point of focus for a discussion on what might be holding consolidation back. It’s also a sector that’s ripe for consolidation and arguably stands to benefit the most, with a network footprint spanning everything from laptops to critical medical equipment like MRI scanners and kidney dialysis machines. We asked Deryck about his experiences in this regard.

He told us: “Healthcare should be the perfect fit for a consolidated security solution like Check Point Infinity. When working for NHS Scotland, we signed a multi-million pound enterprise agreement with Microsoft based on a consolidated offering of Azure, Windows 10, SQL Server, Office 365 and more. This made sense as nearly all Health Boards (Trusts) are large Microsoft consumers on desktops, servers, emails and Office suites.”

“When it comes to security, however, the foundation baseline of solutions is much larger, with Trusts and Boards having already invested in local solutions with local teams, as opposed to centralized solutions with centralized operations.”

This highlights that consolidation is not only a technological and vendor-based challenge, but an infrastructure challenge. When piecemeal solutions are selected and deployed from one vendor to the next, teams are trained up and put in place to manage those services and the ecosystem develops around them. Deryck continued, “In NHS Scotland, I developed a business case to consolidate OS builds, Firewalls, EDR, Vulnerability Management, SOC & SIEM and CI/CD. This worked for me and underpinned my security programme, but the majority of Trusts and Boards have limited security capability in those areas and securing investment funding is an issue. The NHS is one of 13 sectors in the UK designated as Critical National Infrastructure and as such gets audited annually for compliance with the Security of Networks and Information Systems (NIS) Regulations. A consolidated security architecture delivers improved cyber resilience and demonstrably increased compliance across all four top-level NIS objectives.”

Another challenge comes from healthcare being a 24/7/365 industry and so any downtime to change or introduce new consolidated technologies is not an option that is often considered. In fact, disruption to normal service is probably what’s holding most organizations back from adopting a more consolidated cybersecurity infrastructure. However, there is no reason why the introduction of a carefully planned consolidated platform implementation should cause any disruption to business or indeed patient care. The NHS has vast experience of large-scale digital improvement programs in areas such as Picture Archiving and Communication Systems (PACS) and Electronic Patient Records (EHR). It’s a sobering thought that, while Digital projects such as this can be planned and managed around the needs of the business, cyberattacks can happen at any time and have the potential to take down an entire organization.