Cybersecurity at Scale: Piercing the Fog of More

By Tony Sager, Senior Vice President and Chief Evangelist

When it comes to scaling cybersecurity programs, the last thing organizations want to do is create more work for themselves. Doing so could not only prevent them from adapting to security requirements but also hurt their existing security efforts. Such is the danger when attempting to navigate through a phenomenon called the "Fog of More."

Understanding the Fog of More

The Fog of More is the result of our job as security defenders evolving over the years. The 1980s and 90s were what have been previously called the "wild west days of cyber attacks." Computer technology was new and limited in its breadth, so the early defense protocols were concerned with planning for the worst. Teams didn't have their sights set on state-sponsored actors and the like. They were planning for a limited set of relatively unsophisticated cyber threats.

That's how they look all these years later, at least. Nowadays, the types of technology and threats have proliferated, leaving teams with too many choices for cybersecurity. They're drowning in options, policies, and services – so much so that it's easy to become paralyzed. They have to sort through different vendor claims and keep track of conflicting information.

The result is that many are struggling. They're losing ground because knowing about the problem isn't the key to solving it. They need a way of addressing the same root problems once they find a way that allows everyone to help one another.

The Dangers of Cybersecurity Scaling Left Unchecked

It's tempting to think that we can fight the Fog of More by investing in more security solutions. But not all tools are created equally. Many don't natively integrate together, for instance, while others may simply duplicate efforts without adding their own value.

This is the reality of tool sprawl. Today, many organizations have too many security solutions to effectively manage them all. In a 2022 report, Panaseer surveyed 1,200 security decision-makers in the United States and the United Kingdom about their experiences with tool sprawl. Panaseer learned that the average number of security tools in use had grown 19% from 64 in 2019 to 76 in 2021. More tools equate to greater difficulty in achieving comprehensive visibility, thereby creating security gaps, decreasing productivity, and increasing costs.

Tool sprawl also hurts security teams directly by asking overworked humans to be the "integration engine" that makes sense of all these tools. That's easier said than done. Each new tool creates noise through which security professionals must sift to identify legitimate incidents. The greater the noise, the more teams are susceptible to give into alert fatigue and not investigate potential threats. Orca Security learned in 2022 that more than half (59%) of security teams were receiving at least 500 public cloud security alerts a day. Approximately the same proportion (55%) of critical alerts went undetected on a weekly or monthly basis. Reflecting on this alert fatigue, 62% of respondents said that their teams experienced greater turnover – that is, fewer personnel with generational knowledge for detecting/remediating security issues and pursuing ongoing security projects.

Cybersecurity at Scale Without Added Complexity

To scale effectively and avoid the Fog of More, organizations must avoid purchasing disconnected security solutions and instead have a plan that starts with a solid foundation and builds up as defenses mature. This begins with implementing essential cyber hygiene found in Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls). Doing so will help organizations meaningfully defend against some of the most common threats in circulation today while providing capability that's essential no matter how sophisticated the threat becomes. 

Once those cybersecurity fundamentals are in place, organizations need a way of tracking their implementation of security best practices as they scale going forward. Toward that end, they can turn to the CIS Controls Self Assessment Tool (CIS CSAT). It builds on the foundation laid by IG1 of the CIS Controls by helping organizations assess, track, and prioritize their implementation of these security measures. CIS CSAT gives organizations the visibility they need to improve and scale their cyber defense program over time, all while keeping their limited cybersecurity resources in mind.

One Part of a Larger Scaling Strategy

CIS CSAT Pro is one of the tools included in CIS SecureSuite Membership. By becoming a Member, organizations can gain access to tools that they can use to maximize their use of security best practices like the CIS Controls. It provides access to tools for automating scan assessments of their systems’ configurations, quickly deploying secure configurations across their environment, as well as additional resources.

To help organizations pierce the Fog of More, the Center for Internet Security has created a special promotion enabling organizations to receive up to 20% off a new CIS SecureSuite Membership now through October 31. This deal helps organizations take their scaling efforts even further.

Tony Sager

Sr. Vice President and Chief Evangelist

Tony Sager

Tony Sager is a Senior Vice President and Chief Evangelist for CIS®. He leads the development of the CIS Critical Security Controls® , a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Critical Security Controls and other solutions gleaned from previous   to improve global cyber defense. He also nurtures CIS’s independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.