In the past, enterprise cybersecurity responsibilities were tilted toward oversight rather than hands-on operations and technology procurement. Security analysts were counted on for incident detection and response, but aside from this function, CISOs helped organizations develop and enforce the right policies. Meanwhile, functional IT groups selected, deployed, and operated security products.
Take network security for example. A few years ago, there was a pretty common division of labor: Security professionals defined requirements and the networking team purchased and operated network security technologies like firewalls, proxy servers, and IDS/IPS.
That was then, this is now, and things are changing quickly. ESG research indicates that 47% of enterprise organizations (i.e., more than 1,000 employees) now have a dedicated network security group responsible for the whole enchilada (Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014). The most important aspect of this transition is that this group ultimately reports to the CISO and not the VP of network operations.
Beyond network security, many CISOs are establishing a new group of security intelligence/malware/threat management/forensic/SOC experts that ESG has dubbed the “cybersecurity cavalry.” The cybersecurity cavalry is made up of highly skilled and well-armed troops that establish security outposts to encounter adversaries out on the frontier. In other words, the cybersecurity cavalry has the authority, skills, and budgets to take all reasonable actions necessary to prevent, detect, and respond to attacks.
Given this responsibility, the cybersecurity cavalry is being given ownership of territory previously owned by other security and functional IT groups. To be more specific, this authority includes elements of network security (NGFW, anti-malware gateways, SSL decryption, etc.), endpoint security (advanced anti-malware tools, endpoint forensics), and all of security analytics (SIEM, network forensics, endpoint forensics, threat intelligence, etc.). In most cases, the cybersecurity cavalry isn’t concerned with legacy technologies already in place. On the contrary, it is building a new technology infrastructure from the ground up, specifically designed to block, uncover, and thwart cybersecurity attacks as quickly as possible.
Based upon numerous discussions I’ve had with CISOs, the cybersecurity cavalry isn’t a passing fad but rather a major organizational shift that is gaining momentum. Indeed, large organizations are rapidly adding headcount and increasing budgets for this group. I’ve also seen financial services, defense contractors, and retail organizations giving CISOs the cybersecurity equivalent of eminent domain, allowing them to commandeer IT segments, sound alarm bells, and establish active network policy enforcement actions to improve threat response, even if these actions may temporarily disrupt business operations. This type of authority was unheard of in the past.
The burgeoning cybersecurity cavalry model is impacting the market landscape in several ways:
- Network security is tilting away from the network toward security. Given the cybersecurity cavalry’s influence, network security technologies are gaining independence from the networking team and its switching/routing companions. This is a major shift from past behavior that favors security arms dealers like Blue Coat, Check Point, FireEye, Fortinet, IBM, McAfee, Palo Alto Networks, and Trend Micro. Cisco gets this shift, which is one reason why it purchased Sourcefire. In aggregate, this trend means that billions of dollars of network security sales are truly in play.
- The hiring wars will get even hotter. Elite cybersecurity cavalry troops are in high demand, but there aren’t nearly enough to go around. Expect hyper salary inflation over the next few years. Time for Washington and Silicon Valley to stop sitting on their collective hands and invest more dough in cybersecurity education programs.
- AV vendors are at a disadvantage. Many enterprises are giving the cybersecurity cavalry carte blanche oversight and purchasing authority to improve endpoint security. While this will lead to a new round of robust endpoint security investment, the cybersecurity cavalry commands an elitist and highly technical perspective on what’s needed and what works. This will drive them toward more cerebral endpoint security vendors like AccessData, Bit9, Bromium, Confer, Digital Guardian, and Raytheon rather than the traditional AV crowd.
- Ditto for SIEM vendors. Right or wrong, the cybersecurity cavalry equates SIEM with IDS/IPS alerts, firewall log management, and compliance reporting. This will lead them to eschew traditional SIEM vendors in favor of big data security analytics firms like Click Security, LogRhythm, Narus, RSA, and Splunk.
Finally, many enterprises don’t have the skills, staff size, or budgets to establish a cybersecurity cavalry of their own. As a result, phones will be ringing off the hook at MSSPs like BT, CSC, Dell/SecureWorks, Unisys, Symantec, and Verizon.