You’ve probably heard the cliché, “He with the most toys when he dies, wins.” The same cannot be said for software applications and security tools, however.
There is no honor–and no sense–in having the largest portfolio of applications and tools. That’s because having too many programs and tools is expensive, complex to manage, and extremely vulnerable to cybersecurity problems. So if your technical teams are being asked to manage sprawling empires of applications and security tools, at the very least you might want to do some spring cleaning. Or, you might want to take a more strategic approach, and dramatically rethink, re-prioritize, and re-architect your software portfolios. And let’s be clear: This is not just a job for your CIO or CISO. It’s something business executives must get behind and show real leadership.
Whatever approach you decide on, do it as soon as possible. Maintaining your status quo–and letting application and tool sprawl become an even bigger problem–is a ticket to organizational chaos.
There was a time, not that long ago, when bigger was better in IT: bigger data centers, bigger hardware infrastructure, bigger enterprise applications, bigger networks, and bigger portfolios of software packages and security tools. Got a problem? There’s an app (or a tool) for that.
Just how many apps does a typical enterprise have in use? That has become increasingly difficult to pinpoint due to a variety of factors, including shadow IT, the pervasive use of public cloud applications, and the ubiquitous bring-your-own-device/application trend. One data point put this number at 508 applications–and that figure was from four years ago. Undoubtedly, the popularity of public cloud services has caused that number to skyrocket in recent years. In fact, research indicates that the average enterprise uses an astonishing 91 cloud services just for marketing.
The implications of this “application bloat” are too important to ignore, given the costs for subscriptions, maintenance, support and more.
“The days of measuring your effectiveness and readiness by the number of applications you’re managing are over,” said Naveen Zutshi, Palo Alto Networks’ Chief Information Officer. “It’s an antiquated, completely wrong approach because ‘bigness’ in this area is actually a boat anchor. It makes the organization less nimble, less able to respond quickly to new opportunities and new threats. And it ends up a colossal waste of effort, personnel, and money.”
“Colossal” also is an apt term to describe many enterprises’ application portfolios. The sources of software applications are more numerous and diverse than ever: hundreds or even thousands of off-the-shelf applications, home-grown programs, SaaS-based apps and, with alarming frequency, software that seems to magically take root in shadow IT efforts.
Any decent-sized organization is likely to have thousands of applications located in corporate data centers, stand-alone departmental systems, remote computing centers and, of course, the cloud. The cloud, in particular, is a huge contributor to the number of new applications emerging throughout the enterprise: Research indicates that the average enterprise is deploying and running applications in nearly 5 different clouds.
And security tools present a similarly challenging scenario. Data compiled in a survey with banking industry cybersecurity leaders notes that more than a third of organizations are using between 51 and 100 security tools. That’s a stunning number: What organizations have the time and personnel to manage that many security tools? Or, put another way, why would you even want to?
So, what should business leaders, CIOs, CISOs, and their teams do about this?
“Just like you clean up your home from time to time as you discover that you’ve accumulated things you either no longer use or can’t remember why you got them in the first place, you have to tidy up your applications portfolio and your security tool kits,” said Zutshi.
“Collecting more and more of these programs and tools over time inevitably leads to operational complexity, duplication of efforts, and wasted budget,” he added. “And from a security standpoint, the difficulty in understanding and managing all these applications often leads to increased vulnerabilities in your security posture. You might have redundancies and you might have gaps, but you often simply don’t know.”
Once executives understand that they have this problem and that it poses a significant set of challenges, it’s time to take action. And those actions should include:
- Take a full, comprehensive inventory of all applications and tools. This seems like a simple place to start, but it’s not simple to actually pull off, considering that those applications can reside–or hide–anywhere on your infrastructure, in the cloud, or even on an employee’s home network. And be sure to account for software and tools that have “magically” made their way into your portfolio through shadow IT.
- Establish the economic value. You’ll need to calculate the financial benefit of having that application or tool, versus the cost to purchase, deploy, and manage it. And if your technical teams can’t quantify the financial benefit, it might be a good sign that you need to get rid of that tool.
- Create a cybersecurity value-to-risk matrix. Some security tools may be doing their jobs well, but they might be deployed against a risk that is no longer that imposing to the enterprise. And modern cybersecurity tools have become much more multi-functional, rendering legacy point products obsolete. Consider replacing those single-purpose tools with multi-faceted security platforms that address multiple needs and are far more flexible.
As you conduct your applications and tools inventory, and after you calculate the economic value of each application and tool, you’ll need to find a way to reconcile all these findings and establish a viable action plan for each. You must be able to assess each application and tool and determine if the organization should:
- Keep it. The product either fills a strategic role and is working well, or provides a unique capability that cannot be easily replicated or improved by another existing solution in your portfolio.
- Modernize it. After your inventory, you’ll undoubtedly discover that the organization is maintaining (and still paying charges for, by the way) a lot of old stuff. Again, if it’s something that you still need, you may determine that you need to either modernize it or, perhaps, replace it with a different product from a different supplier to do the same thing, but in a more efficient, agile, scalable, and secure manner.
- Toss it. Just because you finished paying for an app or a tool years ago doesn’t mean it doesn’t cost you anything. There are likely maintenance fees, per-user fees, or subscription costs still showing up, so don’t be hesitant to get rid of an older product just because you think it’s “free.” If the tool or program no longer plays an important role in your business operation, or its functions are largely performed by other, modernized tools you’ve added, make the decision to end-of-life it, and don’t look back.
Think about how good you feel when you go through your closets, storage spaces, or garage at home, and you clean up old stuff you no longer need. You can get that same feeling of satisfaction when you do a full inventory of your applications and tools, rationalize their ongoing value, and make a decision on their future.
After all, you can’t take it with you.
Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.