The 100 Coins Project: Fortinet’s Phil Quade on How to Design and Optimize a Cybersecurity Portfolio

Summary: 

  • Fortinet and Early Adopter Research have extended Fortinet’s 100 Coins research into designing and optimizing a cybersecurity portfolio.
  • The resulting report captures detailed thinking from three leading CISOs about how to make the difficult decisions and tradeoffs when allocating a fixed amount of money across a portfolio.
  • This article summarizes Fortinet CISO Phil Quade’s ideas about cybersecurity portfolio design, including the framework used in his upcoming book.

Much of a CISO’s time is spent solving urgent needs, seeking out talent that is hard to come by, and keeping track of a fast-moving landscape of threats and capabilities. Little time is left for taking a philosophical view.

Phil Quade is an exception to this pattern. He makes a practice of keeping his hands dirty with the work of being CISO for Fortinet, a leading cybersecurity vendor, but also finds time for exploring the philosophy of cybersecurity.

When we decided to work with Fortinet to expand their 100 coins research, Quade was the first person we talked to.

What Is the Fortinet 100 Coins Project?

Fortinet’s 100 Coins research project asked a group of leading CISOs to allocate a budget of 100 coins over 25 categories of cybersecurity capabilities. The inspiration for this approach came from Quade’s experience doing similar exercises during his 34-year tenure at the National Security Agency.

Fortinet’s 100 Coins project started at the RSA conference two years ago when a few CISOs were asked to allocate 100 coins, that is, units of cybersecurity spending, over 25 different categories of cybersecurity capabilities. This exercise was repeated at another conference until a total of 7 CISOs participated.

When I first looked at the research some interesting trends popped out. The CISOs allocated most of their spending to:

  • Automated vulnerability scanning
  • Multi-factor authentication
  • Incident response capabilities

But to me, the most important question was why the spend was allocated this way. I have been studying how CISOs design and optimize portfolios as part of the Early Adopter Research Mission, Creating A Balanced Cybersecurity Portfolio. I started this research mission to explore in detail over an extended period the choices and issues CISOs face as they rebalance their portfolios.

It seemed to me that there was a clear next step to the 100 Coins project: analyzing why CISOs made the decisions they did. So while working with Fortinet on some content projects, I asked if we could interview some of the CISOs who participated.

Extending the 100 Coins Research

The Early Adopter Research team then did lengthy interviews with Phil Quade, Shannon Lietz of Intuit, and Teresa Payton of Fortalice.

Our goal was to dive deeper into how CISOs think. Each of these CISOs explained how they go about making decisions when designing and optimizing a cybersecurity portfolio. We collected the thinking from these CISOs in this report: Creating the Ideal Cybersecurity Portfolio: Leading CISOs Reveal Their Priorities.

The thinking of the CISOs was captured in two main sections.

The “Portfolio Goals, Priorities, and Tradeoffs” section provides advice and analysis on a variety of key topics, including how to:

  • Create a hierarchy of needs
  • Start with the worst case
  • Decide where to play offense and where to play defense

The “Aspects of the Ideal Solution” section focuses on key qualities of the cybersecurity solutions such as:

  • Matching solutions to your maturity
  • When to adopt leading-edge capabilities
  • Platform readiness

Please see these stories for summaries of what Lietz and Payton had to say:

In the rest of this story, we examine how Quade approaches the challenge of designing and optimizing a portfolio in the modern world. 

Phil Quade’s Ideas about Cybersecurity Portfolio Design and Optimization 

Quade’s goal of minimizing complexity leads him to prefer holistic and integrated cybersecurity products. He avoids siloed solutions that add to the complexity that overwhelmed and under-resourced IT teams are already struggling to manage (expo-floor overload), that do not participate in the integrated security strategy needed to combat today’s increasingly complex threats (hivenets and swarmbots), or that do not contribute to the broad visibility required to manage a distributed security infrastructure effectively.

The ideal solution ties things together into a seamless security fabric that can see across the network, track all devices, share intelligence; centralize policy distribution, management and correlation; and respond to threats in an automated and coordinated fashion, from IoT and endpoint devices, across the distributed and elastic network core, and out to the multi-cloud.

This type of solution represents the third wave of cybersecurity. 

“The third wave is an integrated, responsive approach. The way you supercharge that is by adding specialized insights into threats, because the adversary’s not sitting around statically. His threats are constantly changing, his signatures are constantly changing,” said Quade. “The integration strategy, based on the fabric infrastructure, has those two primary benefits. Number one, it provides a more powerful defense by defending as a team, and number two, it reduces complexity by making it easier to configure.”

For the same reasons Quade is attracted to holistic solutions, he avoids choosing a large number of highly focused, best-of-breed point solutions, because doing so increases complexity. “What we’ve learned is that it is possible to become a slave to those best-of-breed solutions, because they can be so complex to operate and are not focused on integration. In certain cases, you end up spending too much operating expenses on all these different solutions, and not enough money on the core business,” said Quade.

Quade is also concerned with matching the complexity of implementation and management to the maturity of the cybersecurity organization. “You don’t want to bring in a really advanced control if your company can’t handle it, because it’s just going to get aborted,” said Quade. “You have to right-size it a little bit, considering how much do you really need.” Quade believes that the maturity of a cybersecurity staff and of its solutions is indicated by how much of the configuration takes place at a higher level of abstraction. Each of the products in a mature portfolio is able to do one or two things that fit into a larger playbook. All of the products work together and support each other. In an immature portfolio, each product stands alone.

Quade also advises making sure that the components tightly related to security, such as the network, are ready for integration and adaptation in response to security events. “You don’t want to have to defend at the time and the place of your adversary’s choosing. You want to choose your point of strength, which might be different from where you’re being attacked. You can only do that if your defenses are integrated, if they can talk to each other and collaborate during their defense. So integration has two primary benefits. Number one, it provides a stronger defense by allowing you to do defense as a team. And number two, it helps decrease complexity, for obvious reasons; you’re not required to manage a whole bunch of different point products.”

Quade is eager to have a portfolio that implements sophisticated segmentation, but only if that can take place without compromising performance. “Segmentation is eminently doable, but it must be implemented so it doesn’t reduce the speed and potential for integration of the portfolio,” said Quade. “Everything has to be really, really fast and very well-connected. The segmentation process is about sorting the assets into natural groups.”

  • Start by doing an inventory of assets.
  • Identify the most important assets.
  • Segment them off with increasing granularity.

“You can keep getting better and better at segmentation, with every new investment, every six months, every quarter, every year, as long as you’re doing it with a built-in complexity management schema. You can get better and better every year, as more money becomes available.” 

Quade also recommends that segmentation be implemented with deception. “But you also need deception. Deception technology is about causing the attacker to spend more time going down rat holes, in doing so reveal themselves to you and ultimately make yourself a less attractive target.” 

Please download the report to get all of Quade’s insights along with those of the other two CISOs.