Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet, discussed critical trends that develop as organizations grow from a small start-up to a much larger company, and recommendations for a better way forward so that smaller organizations can avoid some of the technology pitfalls experienced in their growth.
What are the challenges with cybersecurity that most small start-ups face?
One clear trend is that small organizations tend to grow their security infrastructure taking a best-of-breed approach. And as a result, as new security devices are introduced, they become increasingly difficult to manage. And this problem never ends. Large enterprises have an average of 45 security tools in place, most from different vendors. And each incident they respond to requires coordination across 19 different solutions.
Now obviously, small businesses don’t have nearly this many security vendors in place. But the problems related to vendor and solution sprawl can ratchet up pretty fast. Because small companies with more than four security vendors report that troubleshooting issues between products is a significant challenge. And isolated security systems can’t see and actively share threat intelligence, correlate data to find indicators of compromise, or automatically launch a coordinated response to a detected threat. As a result, cybercriminals often operate their attack chain without much interference—breaching networks, establishing a foothold, escalating privilege, moving laterally, launching malware, and extracting data. Complexity is why the average time to detect malicious activities is now measured in months.
But many smaller companies making security purchases don’t see the impact their decisions may have down the road. And by the time they do understand, they have built themselves into a corner.
How have start-up organizations ended up creating complexity in their cybersecurity?
Most enterprise organizations have size, advanced security ecosystems, and large teams of seasoned IT professionals on their side. But because their security environments grew over time, even those organizations suffered from vendor sprawl, much of it left over from when they were smaller and weren’t thinking down the road. One of the most common complaints we hear is about the challenge of managing such a complex security environment. And in fact, that complexity is often the real source of a lot of their problems, such as their inability to see or respond to threats. But at that point, it was way too late to rethink their security strategy without spending a lot of time and money fixing a problem they had inadvertently created. The best approach is to nip this in the bud.
Today’s business growth is tied to technology. And fortunately for small businesses, advanced technologies traditionally out of their reach are now readily available. But rather than having a cohesive infrastructure development strategy, smaller organizations tend to purchase new security products on top of old ones and just build workaround upon workaround. That may work when you only have a couple of solutions in place. But fast-forward a few years, when you’re approaching enterprise size, and the single issue that consumes the biggest share of your time will be trying to manage the complex network of disparate vendors you have in place.
What are the lessons learnt from security vendor sprawl?
Today, as we interact with start-ups, we frequently hear them share their belief that their business isn’t ready for a fully integrated and scalable security strategy. And that they’ll upgrade later when it is. It’s probably the same argument their enterprise peers made when they were that size. The ones who now complain about complexity. And on the surface, I can see their point. Resources are limited, and the best option may seem to be: buy what you need now and worry about tomorrow. But the fact is, upgrading later is rarely an effective strategy, especially with how fast technology is changing and organizations are expanding.
Small businesses don’t consider the gaps that lie between expectations and reality. Development plans simply don’t keep pace with business needs or technology adoption. Most organizations at the lower end believed their technology would support them for two to four years. But in fact, they ended up adding new products every one to two years to fill gaps. And they then had to build workarounds to support their previous investments. Keep doing this across multiple vendors, and suddenly the dream of a streamlined, integrated, automated system is gone. As a result, we found that companies with more than ten security vendors spend between 40% and 50% of their time troubleshooting interoperability.
What kind of security products or strategy will work for start-ups and small businesses?
Fortinet is the only vendor to truly deliver a single security platform where almost everything is built using the same underlying code. And that matters because without a lot of customization and adding “helper products”—solutions used to fill feature gaps or connect isolated point products—you just don’t get the integration and automation you need to effectively stop modern attackers. Even vendors with a broad portfolio of products—even those who had initially taken an organic growth approach—lose that “native” integration advantage as they begin to grow through acquisition without the necessary integration. Eventually, they just become a single source for the same complexity you used to buy from multiple vendors. And customers invariably suffer.
As smaller businesses adopt new technologies and business strategies, they need the same protection as their larger counterparts. Their challenge is that they don’t have the same access to resources as their enterprise competitors. Cybersecurity should be more affordable and small businesses should be able to get everything they need from a single vendor, and not at the price of losing performance, interoperability and functionality as they grow.