By Craig Savage, Security Solutions Strategist—VMware Security & Resiliency
Software-as-a-Service (SaaS), remote workers, endless devices and a number of other variables have made enterprise security an incredibly complex, if not expensive, undertaking.
Rather than simply upgrade to the latest technology as in the past, we decided to take a different approach that put every aspect of our operations—technology, people, culture—under the microscope with a specific focus on reducing unnecessary costs and streamlining operations.
The solution was to approach the process holistically, looking at our team’s skillsets and capabilities, what we wanted in new recruits, what existing process models were working/not working (including the five pillars of cyber hygiene) and a realistic look at what we needed versus what we would love to do.
How to build a solid intrinsic security foundation
Having a secure mindset
With so many moving parts in the enterprise, security must go beyond protocols and technology. It needs to be integral to the mindset of our colleagues, contractors and partners. That means employing the right talent for the job, including recruiting people who are actively engaged in solving complex problems and who are pragmatically proactive versus just going through the motions on a day-to-day basis.
We must eliminate silos that isolate people and create “information vacuums” that open up potential vulnerabilities. We must communicate often and effectively so that everyone understands the bigger picture. Lastly, we must ensure that all stakeholders enjoy their work! After all, people who enjoy their jobs will make security a top priority.
This shouldn’t be that complicated (yet it often really is)
Try as we might to keep things simple, complexity often raises its head.
It’s very easy for different business units and remote offices to establish their own protocols/processes regarding their work product. Initiatives like Zero Trust can be complicated in a well-established environment, and while moving users to managed endpoints has significant benefits, it also involves significant effort to achieve as it requires people to adopt the change.
Such uniqueness can compromise security and often adds unnecessary costs. This is why we developed a core security business model that is both simple to implement and easy for stakeholders to adhere to (thanks to behind-the-scenes, non-intrusive measures). VMware can now function as a unified ecosystem regardless of geo. This simplification initiative meant revisiting existing processes—internal and external—to understand their complexity and/or eliminate them altogether. Of course, we automate as much as possible in order to both remove mundane tasks from stakeholders and reduce the chance of human error turning into a security breach.
Technology . . . with a twist
Another aspect of simplifying security is how we approach technology, specifically vendor products versus our homegrown solutions. Our teams worked through our portfolio with a specific focus on simplifying the estate and ease of integration/automation to enable us to detect faster and respond more effectively.
As a result, we reduced our security tools portfolio by 70 percent, and realized some direct savings on software licenses, plus indirect savings in terms of people’s time, training required, the actual effectiveness of the product and other “soft” factors.
How VMware approaches defense, in trust
VMware on VMware blogs are written by IT subject matter experts sharing stories about IT’s transformation journey using VMware products and services in a global production environment. Visit our portal to learn more.