If enterprise security were an automobile, it would be a Ford Taurus circa 1995. Good car way back when and still running, but burning oil, barely passing inspection, and held together by Bondo today.
Like my Ford Taurus example, enterprise security continues to hang on but it certainly isn’t a model of technical excellence or operational efficiency. To be more specific, current enterprise security is based upon disjointed organizations, manual processes, and an army of disconnected point tools. Functional but no match for IT complexity or the volume and sophistication of cybersecurity threats.
I firmly believe we are at the beginning of a tipping point. Enterprises need a vast improvement in enterprise security analytics, automation, efficacy, integration, and intelligence soon. I’ve thought and talked about this transition quite a bit, but I was caught off guard in a recent meeting by the following inquiry from a customer: “I agree we are in the midst of an enterprise security transition, but what type of event will actually push this change over the cliff?”
It took me a few seconds to respond to this question. I thought about a major security breach that disrupted critical infrastructure for days, weeks, or even months. I pondered the economic fallout from this type of event and the follow-on finger-pointing and beehive of misguided activity in Washington. This could lead to reactive legislation that forced enterprise organizations into major security projects and massive changes. On and on….
Yup, all this may happen – and if it does it will indeed drive major modifications. That said, I now think something much less exciting is already happening. In lieu of some catastrophic cyber event, the current enterprise security model is experiencing “death by a thousand cuts.” The cuts are simply getting more abundant and deeper.
Allow me to bring in some ESG research to elaborate on my thesis here. In a recent survey, ESG asked security professionals to comment on changes in a number of security activities over the past few years. The data revealed that:
- 42% of security professionals believe that “keeping up with the latest threats and vulnerabilities” is “much more difficult” or “somewhat more difficult” than it was two years ago.
- 39% of security professionals believe that “keeping up with internal security skills” is “much more difficult” or “somewhat more difficult” than it was two years ago.
- 38% of security professionals believe that “overall security monitoring” is “much more difficult” or “somewhat more difficult” than it was two years ago.
- 35% of security professionals believe that “recruiting/hiring new security professionals” is “much more difficult” or “somewhat more difficult” than it was two years ago.
- 33% of security professionals believe that “managing disparate security point tools” is “much more difficult” or “somewhat more difficult” than it was two years ago.
We in the security community tend to look at the world through a series of segments – network security, endpoint security, analytics, identity management, risk management, etc. Okay, but the CISO sits at the top of the organization and has to deal with the whole enchilada, and this is a pretty ugly situation that needs to be rectified.
So what can CISOs do? They have to do something soon. Many simply throw up their hands and turn to security services. This trend will continue and increase. Enterprises could hire an army of CISSPs, but cybersecurity experts are in short supply and few companies can throw around this kind of money.
This leaves only one other alternative: Work smarter, not harder. In other words, find ways to make the security infrastructure more effective and personnel more efficient. When CISOs come to this epiphany, they will realize that they need a new enterprise-class security technology architecture to make this happen.
This is where we are headed – sooner than most people think. More soon.