This is Part 2 of a two-part series. Be sure to read Part 1 for the full story.
What is the consumability crisis? Simply stated, as the IT security function forcibly broadens its aperture from check boxes of compliance goals to frameworks of risk management controls, it is unable to effectively consume this far wider mandate. Neither IT security nor IT operations has the skills needed to get this done.
IT Teams Can’t Find the Right Skills
According to CSO Online, an analysis of U.S. Bureau of Labor Statistics data found that “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years.” Furthermore, recent studies estimate that there may be more than 1.5 million unfilled cybersecurity jobs by the end of the decade.
More tactically, a recent study from 451 Research shared that security leaders “reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5 percent) and inadequate staffing (26.4 percent).” Because of this, less than one-fourth of organizations have internal 24/7 monitoring in place.
So what can be done? Experience shows that the two core requirements to address this consumability crisis are quite simple to articulate: Wisdom + Horsepower = Consumability.
In other words, organizations require the wisdom to understand the optimal path to follow in the long quest toward proper risk management. This ensures time is not wasted pursuing short-term fixes that prevent a more effective and comprehensive approach from being realized. Horsepower is then required to actually implement the resulting controls, preferably in an automated manner.
Unfortunately, both IT security and IT operations are lacking in these areas.
Organizational Dynamics Are Taking a Profound Turn
IT operations is generally focused on supporting business innovation and availability within an optimized cost structure. Security operational investments are typically seen as fitting into the latter category — cost optimization. Thus, when IT security leaders use their newfound influence and budget to inevitably present a far broader set of requirements for wisdom and horsepower on the IT operations team, the resulting organizational dynamics are dramatic, if not dysfunctional.
IT operations simply cannot consume the majority of the expanded requirements. This is driving the IT security leader — who must answer to expectant board, C-level and business executives — to consider seemingly radical approaches that would not have been in the picture just a couple of years ago.
These alternatives mirror the broader business shift toward cloud-based services, with the difference that here the cloud is being used to implement highly sensitive risk management controls. These cloud-based approaches are taking on three basic forms: on-premises managed security services (MSS), hybrid cloud off-premises MSS and security-as-a-service (SECaaS).
With MSS, the most significant dynamic change is that IT security leaders are expanding beyond the traditional MSS domains of network and endpoint security into areas that would never have been considered before, such as user security via identity and access management (IAM) and security intelligence and analytics.
MSS for IAM has been a tiny niche market since the late 2000s, but innovations and a growing maturity have changed the art of the possible over the past few years. For example, one of the world’s largest automobile manufacturers successfully launched a new client portal for its millions of users with all IAM capability delivered from the cloud.
MSS for security intelligence and analytics has also emerged in the past two to three years as firms look for greater risk management insight. Organizations have quickly realized that hiring the skills and operational capabilities of third parties is far more efficient than trying to deliver from scratch in-house.
But the biggest surprise of all is SECaaS, which delivers both wisdom and horsepower with a financially attractive business model. While Web fraud detection (especially for financial services) and mobile device management (MDM) capabilities have been maturely handled by SECaaS solutions for several years, there is growing interest in it across the entire IT security landscape, particularly in security intelligence and analytics, cloud security and application security.
As more IT security leaders hear about or witness the quick time-to-value and relatively lower investment that SECaaS solutions are now delivering, essentially addressing their consumability issues, one can easily imagine a time when SECaaS becomes the choice for the industry.
Making Sense of Organizational Confusion
The one element that may significantly accelerate this shift toward SECaaS-based offerings is organizational dysfunction. Many IT security leaders that I talk to today are nervous about embracing pure-play SECaaS solutions, but their main alternative is to work with the IT operations team. I’m witnessing many cases where IT operations’ functional response to the IT security leader’s growing power is resistance, not teamwork and joint problem-solving.
For example, I often see pushback from IT operations to new security requirements in terms of both process and operations. Process-wise, I’ve seen new IT security requirements sent to IT governance committees, where they can languish for months or longer. Operations-wise, IT operations raises open-ended constraints, such as time or manpower limits, that the requirement cannot realistically be met within.
Don’t misunderstand me; IT operations must run well-governed systems that ensure the high availability of the firm’s operations. This is paramount. However, closed-door discussions often reveal that there is some extra energy in these discussions that is driving an understandable — yet ultimately dysfunctional — pushback on IT security’s stronger demands.
Cloud-based services give the IT security leader the option to avoid the IT operations function altogether for new services.
How Organizations Should Functionally Address the Consumability Challenge
First, IT security leaders must have a clear view of which set of risk management controls is most important for them, based on aligning their function with the business priorities of the firm. Here, involving experts for wisdom is particularly crucial for ensuring a pragmatic viewpoint.
Second, IT operations leaders must decide and take action on whether they want to be directly involved in any cloud-based service provisioning and management or if they want to leave that to the IT security function. Third, IT security and IT operations leaders must meet frequently and regularly for open discussions on which risk management controls IT operations can assist with and which must be addressed through alternate means.
Finally, IT security leaders must ensure that the needed horsepower (capability) is planned and delivered for all selected risk management controls, whether delivered on-premises or via MSS or SECaaS.
With this approach, an organization can address its consumability challenge for IT security with greater pragmatism and efficiency — and return the IT security function from Coventry.
Vice President, IBM Security Business Unit
Bob Kalka, CRISC, is a Vice President in the IBM Security Business Unit. He has been involved in the information security industry for 20 of his 25 years wit...