March 30, 2016 By Bob Kalka 4 min read

This is Part 2 of a two-part series. Be sure to read Part 1 for the full story.

What is the consumability crisis? Simply stated, as the IT security function forcibly broadens its aperture from check boxes of compliance goals to frameworks of risk management controls, it is unable to effectively consume this far wider mandate. Neither IT security nor IT operations has the skills needed to get this done.

IT Teams Can’t Find the Right Skills

According to CSO Online, an analysis of U.S. Bureau of Labor Statistics data found that “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years.” Furthermore, recent studies estimate that there may be more than 1.5 million unfilled cybersecurity jobs by the end of the decade.

More tactically, a recent study from 451 Research shared that security leaders “reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5 percent) and inadequate staffing (26.4 percent).” Because of this, less than one-fourth of organizations have internal 24/7 monitoring in place.

So what can be done? Experience shows that the two core requirements to address this consumability crisis are quite simple to articulate: Wisdom + Horsepower = Consumability.

In other words, organizations require the wisdom to understand the optimal path to follow in the long quest toward proper risk management. This ensures time is not wasted pursuing short-term fixes that prevent a more effective and comprehensive approach from being realized. Horsepower is then required to actually implement the resulting controls, preferably in an automated manner.

Unfortunately, both IT security and IT operations are lacking in these areas.

Organizational Dynamics Are Taking a Profound Turn

IT operations is generally focused on supporting business innovation and availability within an optimized cost structure. Security operational investments are typically seen as fitting into the latter category — cost optimization. Thus, when IT security leaders use their newfound influence and budget to inevitably present a far broader set of requirements for wisdom and horsepower on the IT operations team, the resulting organizational dynamics are dramatic, if not dysfunctional.

IT operations simply cannot consume the majority of the expanded requirements. This is driving the IT security leader — who must answer to expectant board, C-level and business executives — to consider seemingly radical approaches that would not have been in the picture just a couple of years ago.

These alternatives mirror the broader business shift toward cloud-based services, applied here to the implementation of highly sensitive risk management controls. These cloud-based approaches are taking on three basic forms: on-premises managed security services (MSS), hybrid cloud off-premises MSS and security-as-a-service (SECaaS).

With MSS, the most significant dynamic change is that IT security leaders are expanding beyond the traditional MSS domains of network and endpoint security into areas that would never have been considered before, such as user security via identity and access management (IAM) and security intelligence and analytics.

MSS for IAM has been a tiny niche market since the late 2000s, but innovations and a growing maturity have changed the art of the possible over the past few years. For example, one of the world’s largest automobile manufacturers successfully launched a new client portal for its millions of users with all IAM capability delivered from the cloud.

MSS for security intelligence and analytics has also emerged in the past two to three years as firms look for greater risk management insight. Organizations have quickly realized that hiring the skills and operational capabilities of third parties is far more efficient than trying to deliver from scratch in-house.

But the biggest surprise of all is SECaaS, which delivers both wisdom and horsepower with a financially attractive business model. While Web fraud detection (especially for financial services) and mobile device management (MDM) capabilities have been maturely handled by SECaaS solutions for several years, there is growing interest in it across the entire IT security landscape, particularly in security intelligence and analytics, cloud security and application security.

As more IT security leaders hear about or witness the quick time-to-value and relatively lower investment that SECaaS solutions are now delivering, essentially addressing their consumability issues, one can easily imagine a time when SECaaS becomes the choice for the industry.

Making Sense of Organizational Confusion

The one element that may significantly accelerate this shift toward SECaaS-based offerings is organizational dysfunction. Many IT security leaders that I talk to today are nervous about embracing pure-play SECaaS solutions, but their main alternative is to work with the IT operations team. I’m witnessing many cases where IT operations’ functional response to the IT security leader’s growing power is resistance, not teamwork and joint problem-solving.

For example, I often see pushback from IT operations to new security requirements in terms of both process and operations. Process-wise, I’ve seen new IT security requirements sent to IT governance committees, where they can languish for months or longer. Operations-wise, IT operations introduce uncontainable requirements such as time or manpower constraints.

Don’t misunderstand me; IT operations must run well-governed systems that ensure the high availability of the firm’s operations. This is paramount. However, closed-door discussions often reveal that there is some extra energy in these discussions that is driving an understandable — yet ultimately dysfunctional — pushback on IT security’s stronger demands.

Cloud-based services give the IT security leader the option to avoid the IT operations function altogether for new services.

How Organizations Should Functionally Address the Consumability Challenge

First, IT security leaders must have a clear view of which set of risk management controls is most important for them, based on aligning their function with the business priorities of the firm. Here, involving experts for wisdom is particularly crucial for ensuring a pragmatic viewpoint.

Second, IT operations leaders must decide and take action on whether they want to be directly involved in any cloud-based service provisioning and management or if they want to leave that to the IT security function. Third, IT security and IT operations leaders must meet frequently and regularly for open discussions on which risk management controls IT operations can assist with and which must be addressed through alternate means.

Finally, IT security leaders must ensure that the needed horsepower (capability) is planned and delivered for all selected risk management controls, whether delivered on-premises or via MSS or SECaaS.

With this approach, an organization can address its consumability challenge for IT security with greater pragmatism and efficiency — and return the IT security function from Coventry.
