It’s Monday morning and you come into the office to find there has been a security breach. Your team fixes it, and later the CIO hauls you into her office to ask why the automated tools didn’t block the attack. You go away promising to investigate a new tool suite that will stop any further breaches.

That’s another tool to install, host, administer and monitor. Are tools the answer or do they just create more work for already over-stretched IT security teams?

“Adding more security tools to the network can, in fact, make it far more difficult for IT security personnel to manage the multiple security appliances on their network, creating vulnerability and introducing more risk,” said Peter Doggart, director of Product Marketing at security platform company Crossbeam. “Cost and complexity are among the biggest challenges facing security teams today. Security infrastructures have evolved one problem at a time, slowly adding new pieces of technology to address each emerging threat, leading to complex network sprawl.”

When hackers first appeared, firewalls were created to defend the perimeter, Doggart explained. When worms and other malware appeared, intrusion prevention systems (IPS) were created to discover and block them. And with every ensuing problem -- spam, viruses, malicious web content, spyware and so on -- new solutions were added to the infrastructure in the form of appliances to stop them.

Now companies find themselves with an incredibly complex and costly security infrastructure. This “network sprawl” needs managing, and that is a time-consuming effort; time that could be better spent on proactive security and on enabling the business to work as effectively as possible.

“There is a false sense of security that can come with deploying security tools,” said Ed Adams, president and CEO of application security company Security Innovation. “Tools are tools -- they only help automate a function and they are fallible.”

The administration of security tools is a significant management overhead, continued Adams. Monitoring and assessing the output of the tools still need human intervention.

“Many scanners generate reports of vulnerabilities that are false: both marking security vulnerabilities that aren't real vulnerabilities, and missing vulnerabilities that are there,” he said. “Why put a jackhammer in the hands of an untrained laborer? We see tools like Web vulnerability scanners rolled out before any training takes place. The result is that the team doesn't know how to interpret the results, the developers don't know how to fix the problems found by the tool, and they don't know how to code the Web app securely so the same problems don't show up the next time the scan is run.”

Simplifying security tools

“The challenge with many of the security tools available today is they have so many features and capabilities,” said Robbie Higgins, VP of Security Services at consulting firm GlassHouse Technologies. “This presents a challenge for many organizations around what specifically they need to focus their security management efforts on. Most organizations would be best served to figure out what are the critical hardware, applications and data that they need to focus on and then monitor and report specifically on their status.”

Understanding the critical systems and what is important to the company will also help you focus investments in the right direction.

“I think organizations need to pay a lot more attention to the IT management costs when making purchasing decisions,” said Avishai Wool, CTO at AlgoSec, a network security policy management company. “At the end of the day, firewalls from the major vendors perform quite similarly. But there are significant differences in the management systems.”

A tool suite from a single vendor can reduce the training and management overhead. It can also lower long-term IT costs, as you can typically negotiate better rates by taking more products, and you save time by not having to maintain relationships with multiple vendors. The trade-off is concentration: a flaw in that vendor's shared management plane, or a lapsed contract, now affects every control at once, so weigh the savings against the lock-in.

“An intelligent domain-specific change workflow system that is integrated with the security devices can do wonders to the change process surrounding network security devices,” said Wool.

Security through education

Adding more tools to the IT estate also increases the workload for administrators, and thus the opportunity for them to make mistakes. Check that any new tools come with the option of training ... and use it.

“With the advancement of many security tools, the real work to make them operate optimally within your environment begins after they have been installed and set up,” said Higgins. “In many cases, the cost to operationally set up the specific correlation and event rules takes a lot more effort and cost than originally anticipated.”
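To make Higgins's point concrete, here is an added example (not code from the article or from any vendor quoted in it) of the kind of correlation rule a team has to tune after the tool is installed: "N failed SSH logins from one source address, followed by a successful login from the same address within a time window". The log lines are constructed for the example, the year is an assumption because syslog timestamps carry none, and the threshold and window are exactly the knobs that cost the effort Higgins describes: too loose and the rule fires on a user who mistyped a password twice, too tight and a slow attacker slips under it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events for this example (not taken from the article):
# syslog-style sshd lines from a bastion host. The first block is a short
# brute-force run that ends in a successful root login; the second is a
# legitimate user who mistyped her password twice before getting in.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 08:00:03 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 08:00:05 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 08:00:07 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 08:00:09 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 08:00:12 bastion sshd[2106]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar 10 08:15:00 bastion sshd[2201]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 08:15:40 bastion sshd[2202]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar 10 08:16:30 bastion sshd[2203]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

# Matches the two sshd line shapes we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Turn raw lines into (timestamp, result, user, ip) tuples, oldest first.

    The year is an assumption: classic syslog timestamps do not include one.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are dropped, never alerted on
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def correlate(log_text, threshold=5, window_seconds=60):
    """Alert when >= threshold failures from one IP are followed by a success
    from that IP, all inside a sliding window of window_seconds.

    Returns a list of alert dicts; an empty list means the rule stayed quiet.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # ip -> failure timestamps still in window
    alerts = []
    for ts, result, user, ip in parse(log_text):
        q = recent_failures[ip]
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif result == "Accepted" and len(q) >= threshold:
            alerts.append({
                "ip": ip,
                "user": user,
                "failures": len(q),
                "first_failure": q[0],
                "success": ts,
            })
            q.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    # Tuned rule: only the 203.0.113.7 burst fires.
    for a in correlate(SAMPLE_LOG):
        print("ALERT", a)
    # Loosely tuned rule: alice's two typos also fire, i.e. a false positive.
    for a in correlate(SAMPLE_LOG, threshold=2, window_seconds=120):
        print("NOISY", a)
```

With the defaults (five failures inside 60 seconds) the rule raises one alert, for the 203.0.113.7 burst ending in the root login; alice's two failures are 90 seconds apart, so the first has aged out of the window by the time she succeeds. Drop the threshold to two and widen the window to 120 seconds and the same data produces two alerts, the second of which an analyst would have to investigate and dismiss. Finding the values that separate those two cases on your own traffic, per rule, is the operational work Higgins is pointing at.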

Educating non-IT staff about security is just as important as having the right tools. One way to do that is to highlight what could go wrong if security is breached due to the actions of staff members.

“Most organizations are motivated by data protection,” said Adams. “Mapping security spend into the risk management framework in use at an organization is a great way to justify and judge investment decisions. Threat modeling is a great thing to use here. It's a valuable process for understanding risks in an IT infrastructure, and it's a persistent asset that can be used time and again.”

Elizabeth Harrin is Computer Weekly's IT Blogger of the Year 2010. She is also director of The Otobos Group, a business writing consultancy specializing in IT and project management. She's the author of "Social Media for Project Managers" and "Project Management in the Real World." She has a decade of experience in IT and business change functions in healthcare and financial services, and is ITIL v3 Foundation certified.