This is Part 2 of a two-part series. Be sure to read Part 1 for the full story.

What is the consumability crisis? Simply stated, as the IT security function is forced to broaden its aperture from check boxes of compliance goals to frameworks of risk management controls, it is unable to effectively consume this far wider mandate. Neither IT security nor IT operations has the skills needed to get this done.

IT Teams Can’t Find the Right Skills

According to CSO Online, an analysis of U.S. Bureau of Labor Statistics data found that “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years.” Furthermore, recent studies estimate that there may be more than 1.5 million unfilled cybersecurity jobs by the end of the decade.

More tactically, a recent study from 451 Research found that security leaders “reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5 percent) and inadequate staffing (26.4 percent).” Because of this, fewer than one-fourth of organizations have internal 24/7 monitoring in place.

So what can be done? Experience shows that the two core requirements to address this consumability crisis are quite simple to articulate: Wisdom + Horsepower = Consumability.

In other words, organizations require the wisdom to understand the optimal path to follow in the long quest toward proper risk management. This ensures time is not wasted pursuing short-term fixes that prevent a more effective and comprehensive approach from being realized. Horsepower is then required to actually implement the resulting controls, preferably in an automated manner.

Unfortunately, both IT security and IT operations are lacking in these areas.

Organizational Dynamics Are Taking a Profound Turn

IT operations is generally focused on supporting business innovation and availability within an optimized cost structure. Security operational investments are typically seen as fitting into the latter category — cost optimization. Thus, when IT security leaders use their newfound influence and budget to inevitably present a far broader set of requirements for wisdom and horsepower on the IT operations team, the resulting organizational dynamics are dramatic, if not dysfunctional.

IT operations simply cannot consume the majority of the expanded requirements. This is driving the IT security leader — who must answer to expectant board, C-level and business executives — to consider seemingly radical approaches that would not have been in the picture just a couple of years ago.

These alternatives mirror the broader business shift toward cloud-based services, applied here to the implementation of highly sensitive risk management controls. These cloud-based approaches are taking on three basic forms: on-premises managed security services (MSS), hybrid cloud off-premises MSS and security-as-a-service (SECaaS).

With MSS, the most significant dynamic change is that IT security leaders are expanding beyond the traditional MSS domains of network and endpoint security into areas that would never have been considered before, such as user security via identity and access management (IAM) and security intelligence and analytics.

MSS for IAM has been a tiny niche market since the late 2000s, but innovations and a growing maturity have changed the art of the possible over the past few years. For example, one of the world’s largest automobile manufacturers successfully launched a new client portal for its millions of users with all IAM capability delivered from the cloud.

MSS for security intelligence and analytics has also emerged in the past two to three years as firms look for greater risk management insight. Organizations have quickly realized that contracting for the skills and operational capabilities of third parties is far more efficient than trying to build the same capability from scratch in-house.

But the biggest surprise of all is SECaaS, which delivers both wisdom and horsepower with a financially attractive business model. While Web fraud detection (especially for financial services) and mobile device management (MDM) have been handled by mature SECaaS solutions for several years, there is growing interest in it across the entire IT security landscape, particularly in security intelligence and analytics, cloud security and application security.

As more IT security leaders hear about or witness the quick time-to-value and relatively lower investment that SECaaS solutions are now delivering, essentially addressing their consumability issues, one can easily imagine a time when SECaaS becomes the default choice for the industry.

Making Sense of Organizational Confusion

The one element that may significantly accelerate this shift toward SECaaS-based offerings is organizational dysfunction. Many of the IT security leaders I talk to today are nervous about embracing pure-play SECaaS solutions, but their main alternative is to work with the IT operations team. I’m witnessing many cases where IT operations’ functional response to the IT security leader’s growing power is resistance, not teamwork and joint problem-solving.

For example, I often see pushback from IT operations to new security requirements in terms of both process and operations. Process-wise, I’ve seen new IT security requirements sent to IT governance committees, where they can languish for months or longer. Operations-wise, IT operations introduces open-ended constraints, such as time or staffing limits, that the security team has no way to resolve.

Don’t misunderstand me; IT operations must run well-governed systems that ensure the high availability of the firm’s operations. This is paramount. However, closed-door discussions often reveal that there is some extra energy in these discussions that is driving an understandable — yet ultimately dysfunctional — pushback on IT security’s stronger demands.

Cloud-based services give the IT security leader the option to avoid the IT operations function altogether for new services.

How Organizations Should Functionally Address the Consumability Challenge

First, IT security leaders must have a clear view of which set of risk management controls is most important for them, based on aligning their function with the business priorities of the firm. Here, involving experts for wisdom is particularly crucial for ensuring a pragmatic viewpoint.

Second, IT operations leaders must decide and take action on whether they want to be directly involved in any cloud-based service provisioning and management or if they want to leave that to the IT security function. Third, IT security and IT operations leaders must meet frequently and regularly for open discussions on which risk management controls IT operations can assist with and which must be addressed through alternate means.

Finally, IT security leaders must ensure that the needed horsepower (capability) is planned and delivered for all selected risk management controls, whether delivered on-premises or via MSS or SECaaS.

With this approach, an organization can address its consumability challenge for IT security with greater pragmatism and efficiency — and bring the IT security function back from Coventry.
