If you’re like many people in today’s app-centric culture, whenever a technology-related challenge arises, your first instinct might be to throw more technology at the problem. Think of when a new security policy is introduced or a previously unknown virus or hack is discovered. It’s understandable if your initial inclination is to look into procuring, or having research and development create, a new application to address the issue.
But what if you already have the answer you need? Maybe it already exists in one of the applications that comprise your technology stack. Or perhaps it’s baked into the operating system that you’re currently using. It might be, but with an ever-growing technology stack, you may not realize that the tool you need may already be at your fingertips.
Let’s take a look at how you can optimize your stack to make the most out of the technology you already have and strengthen your security posture.
What is a “security solution,” anyway?
According to IDC, worldwide spending on security solutions was expected to reach $91 billion last year, and the federal government is one of the biggest spenders. But what constitutes “security solutions” in 2019? Certainly, standalone firewalls, virus protection software, and similar technologies fit the bill. But so do operating systems and other solutions that, 10 years ago, may not have been considered true “security solutions.” Back then, security was often sold as a separate offering. Today, it’s considered table stakes and often baked into many infrastructure technologies and operating systems.
And yet, per the IDC report, agencies are continuing to invest more money in additional applications to bolster their security postures. Perhaps this is because they do not understand the full capabilities of the solutions they have already purchased. Or, maybe their technology stacks have grown so big they no longer have a good grasp on which solutions are included within them. This can pose real issues when FITARA scorecards are introduced, which include regularly updated and maintained software inventories as a key metric.
Fortunately, there are three things you can do to tame your security tech stack and help you get the best possible ROI for the technology you’ve already purchased.
Work with vendors to understand what you’re already paying for
Modern operating systems can contain thousands of packages, many of which you may never use. But if a certain need does arise–a new lock-down script and tooling for better security, for example–it’s a good idea to first check to see if it’s included in your current operating system. This could save you from taking the time to research and potentially acquire a new solution that ends up being duplicative of an untapped feature you’ve already paid for.
Your first step should be to contact your vendor, who can help answer your questions and identify whether or not their software includes the capabilities you need. While any good vendor should willingly do this, those who offer their services as part of a subscription are particularly incentivized to help. These vendors have a vested interest in helping you get the most value from your software investment.
Many of these vendors offer free workshops and individual and group skills assessments. These are designed to help you familiarize yourself with their solutions and provide a baseline evaluation so you can understand where to focus your training. Take them up on these offers. Their experts and training materials can help you understand and uncover tools that you may not have otherwise known about.
Use outside resources and communities
You don’t just have to rely on vendors, however. There’s a wealth of information and resources dedicated to government technology. Use them to help uncover the hidden features of your operating systems and applications or understand whether or not a particular solution is worth your time and money.
There are a number of communities comprised of fellow federal IT professionals who can help answer your questions and guide you in making the right technology decisions. Gov–sec is an active forum in which government and systems integrator users discuss and explore the latest security best practices. Its purpose is to provide information regarding existing compliance and accreditation strategies so you don’t have to duplicate efforts. You can also use the SCAP Security Guide to share best practices surrounding security. In each case, you can learn from your peers who are going through similar challenges as you and lend your own voice to the community that is solving those challenges.
NIST’s National Checklist Program Repository is also a great resource. With the Checklist, you can receive low-level and authoritative government and vendor guidance on setting the security configurations of various operating systems and applications. It’s a simple and direct way to discover how to implement the security features of the solutions you already have in your stack.
So before you begin researching new applications and start filling out those requisition forms, do yourself a favor. Take a close look at what you’ve got at your disposal. Call your vendors and talk to them about the tools you’ve purchased. There’s a good chance you may already have what you need.
David Egts is chief technologist, North American Public Sector, Red Hat