Security loves to tout the “blinky lights” or the newest technology. Don’t get me wrong, advancements in firewalls, endpoint detection and response (EDR), cloud access security brokers (CASBs), and others have revolutionized protection in their respective corners of the environment. But a more holistic approach is needed. I talk a lot about services helping the organization manage and monitor its blinky lights through managed security services (MSS), and others in the industry discuss staff augmentation as a key component of services because of the skills shortage. (Note that three-quarters of cyber professionals state they have been impacted by the skills shortage.) These are necessary pieces of services. But the biggest reason services matter goes beyond these two: To mature, security must grow beyond the tactical management of security products and become more strategic in its thinking.
As with the maturation from adolescence to adulthood, security demands that we become more thoughtful. But like the teenage brain, security can’t develop its prefrontal cortex any faster given the constant subcortical “fight or flight” demands placed on security pros (the ever-attacking adversary, to name just the most obvious). In human development, the adolescent brain moves organically (and only in due time) from risk taking without consideration of consequences to more mature and strategic planning in adulthood. Similarly, as security begins to move into adulthood, we are starting to hear more about risk alignment between security and the business. The board is increasingly engaged in security discussions, and the CISO often reports to directors quarterly. In fact, according to a recent ESG study, 40% of respondents state that executive managers and/or the board of directors have increased the amount of time they spend on cybersecurity.
Security teams want the business to be more involved as well. Forty-two percent of respondents in this same study state that adding cybersecurity goals as metrics to IT and business managers would provide significant benefit in the future.
Cultural shifts are difficult and require business acumen, not just technical know-how. Historically, security gurus have come from the technical side of the street, but that is changing. CISOs are increasingly required to understand business risk, to report on return on investment (ROI) for their spending, and to speak the lingo of the C-suite. But according to a study by Nominet, a CISO spends far less time in the role before leaving, due to the constant stress and urgency of the job.
This is where services can have a significant impact. The big 5 (KPMG, Ernst & Young, PwC, Deloitte, and Accenture), systems integrators (SIs, such as IBM), managed security service providers (MSSPs, such as Secureworks), and security vendors (such as Symantec) provide a broad spectrum of risk management services to help the CISO and security team align with the business. But they also go one step further: They can help the business learn to appreciate and integrate with the security team, and they can facilitate the dialogue between the two.
Security is moving from adolescence to adulthood and becoming more strategic in its thinking. But just as a teenager needs assistance from mentors, counselors, parents, and teachers, security can benefit from strategic advisory services. The apotheosis of security maturation will be evident when security is fully integrated into and across the entire business.