Layered security is currently considered a best practice for enterprises, since a single layer of defense against attackers is no longer enough. Sometimes, however, these layers can have unintended consequences and even make a company less secure than before.
Jason Brvenik, principal engineer in the Cisco Security Business Group, said that he's seen organizations with as many as 80 different security technologies applied in layers.
"The proliferation of best of breed technologies creates security technology sprawl in pursuit of layered security and defense in depth," he said. "We see plenty of examples and sprawl and operational cost rising, where the technologies tend to conflict with each other."
Security practitioners have been talking about layered security for decades, said Brian Contos, Chief Security Strategist and SVP Field Engineer at Foster City, Calif.-based Norse Corp., a cybersecurity intelligence firm founded by former law enforcement and intel officials.
"While academically this makes sense," he added, "if done incorrectly, it leads to the number one enemy of security: complexity."
Without an overall plan in mind, it's easy to overspend on individual products, to buy overlapping systems, or to leave unsecured gaps between layers.
"It's very common for security organizations to jump at technologies that address 'the monster of the week' but don't have broader value," said Carson Sweet, co-founder and CEO at San Francisco-based CloudPassage, Inc. "Keeping long-term perspective is extremely important, especially with point vendors pounding at security buyers about the latest FUD."
Cisco's Brvenik pointed out another problem with purchasing too many technologies, that of unmanaged or undermanaged systems.
Companies buy a technology to meet a compliance need, fill a security gap, or check off an item on a list, without budgeting or staffing for the system's implementation or ongoing management. Then they forget about it, he said.
Not only is this a waste of money, but it actually hurts a company's security posture.
"You're creating opportunities for blind spots, because you think you mitigated that risk, but you haven't maintained a solid presence there," he said.
And even well-managed layers can create problems within an organization, said Jerry Irvine, CIO at Chicago-based security vendor Prescient Solutions.
Different security systems require different kinds of expertise, and the larger the organization, and the more systems there are in place, the more possibilities there are for conflicts -- especially when some of the systems are managed by different companies, such as outsourcers, cloud vendors, or other service providers.
Each security team focuses on its own security task, and this can interfere with that of other groups and with enterprise operations.
"Groups saddled with the responsibility of physical security may tighten down access controls to the point where applications and systems are affected, causing failure or extreme performance issues," Irvine said. "And when separate groups within the organization are responsible for the application they frequently open up access at the lower levels to assure connectivity, but increasing the overall vulnerability of the environment."