March 30, 2016 By Bob Kalka 4 min read

This is Part 2 of a two-part series. Be sure to read Part 1 for the full story.

What is the consumability crisis? Simply stated, as the IT security function forcibly broadens its aperture from check boxes of compliance goals to frameworks of risk management controls, it is unable to effectively consume this far wider mandate. Neither IT security nor IT operations has the skills needed to get this done.

IT Teams Can’t Find the Right Skills

According to CSO Online, an analysis of U.S. Bureau of Labor Statistics data found that “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years.” Furthermore, recent studies estimate that there may be more than 1.5 million unfilled cybersecurity jobs by the end of the decade.

More tactically, a recent study from 451 Research shared that security leaders “reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5 percent) and inadequate staffing (26.4 percent).” Because of this, less than one-fourth of organizations have internal 24/7 monitoring in place.

So what can be done? Experience shows that the two core requirements to address this consumability crisis are quite simple to articulate: Wisdom + Horsepower = Consumability.

In other words, organizations require the wisdom to understand the optimal path to follow in the long quest toward proper risk management. This ensures time is not wasted pursuing short-term fixes that prevent a more effective and comprehensive approach from being realized. Horsepower is then required to actually implement the resulting controls, preferably in an automated manner.

Unfortunately, both IT security and IT operations are lacking in these areas.

Organizational Dynamics Are Taking a Profound Turn

IT operations is generally focused on supporting business innovation and availability within an optimized cost structure. Security operational investments are typically seen as fitting into the latter category — cost optimization. Thus, when IT security leaders use their newfound influence and budget to inevitably present a far broader set of requirements for wisdom and horsepower on the IT operations team, the resulting organizational dynamics are dramatic, if not dysfunctional.

IT operations simply cannot consume the majority of the expanded requirements. This is driving the IT security leader — who must answer to expectant board, C-level and business executives — to consider seemingly radical approaches that would not have been in the picture just a couple of years ago.

These alternatives mirror the business revolution in cloud-based services: they are themselves cloud-based services, in this case for implementing highly sensitive risk management controls. These cloud-based approaches are taking on three basic forms: on-premises managed security services (MSS), hybrid cloud off-premises MSS and security-as-a-service (SECaaS).

With MSS, the most significant dynamic change is that IT security leaders are expanding beyond the traditional MSS domains of network and endpoint security into areas that would never have been considered before, such as user security via identity and access management (IAM) and security intelligence and analytics.

MSS for IAM has been a tiny niche market since the late 2000s, but innovations and a growing maturity have changed the art of the possible over the past few years. For example, one of the world’s largest automobile manufacturers successfully launched a new client portal for its millions of users with all IAM capability delivered from the cloud.

MSS for security intelligence and analytics has also emerged in the past two to three years as firms look for greater risk management insight. Organizations have quickly realized that hiring the skills and operational capabilities of third parties is far more efficient than trying to deliver from scratch in-house.

But the biggest surprise of all is SECaaS, which delivers both wisdom and horsepower with a financially attractive business model. While Web fraud detection (especially for financial services) and mobile device management (MDM) capabilities have been maturely handled by SECaaS solutions for several years, there is growing interest in it across the entire IT security landscape, particularly in security intelligence and analytics, cloud security and application security.

As more IT security leaders hear about or witness the quick time-to-value and relatively lower investment that SECaaS solutions are now delivering, essentially addressing their consumability issues, one can easily imagine a time when SECaaS becomes the choice for the industry.

Making Sense of Organizational Confusion

The one element that may significantly accelerate this shift toward SECaaS-based offerings is organizational dysfunction. Many IT security leaders that I talk to today are nervous about embracing pure-play SECaaS solutions, but their main alternative is to work with the IT operations team. I’m witnessing many cases where IT operations’ functional response to the IT security leader’s growing power is resistance, not teamwork and joint problem-solving.

For example, I often see pushback from IT operations to new security requirements in terms of both process and operations. Process-wise, I’ve seen new IT security requirements sent to IT governance committees, where they can languish for months or longer. Operations-wise, IT operations introduces uncontainable requirements such as time or manpower constraints.

Don’t misunderstand me; IT operations must run well-governed systems that ensure the high availability of the firm’s operations. This is paramount. However, closed-door discussions often reveal that there is some extra energy in these discussions that is driving an understandable — yet ultimately dysfunctional — pushback on IT security’s stronger demands.

Cloud-based services give the IT security leader the option to avoid the IT operations function altogether for new services.

How Organizations Should Functionally Address the Consumability Challenge

First, IT security leaders must have a clear view of which set of risk management controls is most important for them, based on aligning their function with the business priorities of the firm. Here, involving experts for wisdom is particularly crucial for ensuring a pragmatic viewpoint.

Second, IT operations leaders must decide and take action on whether they want to be directly involved in any cloud-based service provisioning and management or if they want to leave that to the IT security function. Third, IT security and IT operations leaders must meet frequently and regularly for open discussions on which risk management controls IT operations can assist with and which must be addressed through alternate means.

Finally, IT security leaders must ensure that the needed horsepower (capability) is planned and delivered for all selected risk management controls, whether delivered on-premises or via MSS or SECaaS.

With this approach, an organization can address its consumability challenge for IT security with greater pragmatism and efficiency — and return the IT security function from Coventry.
