Security Scope Creep
Next week, CompTIA will release its new security study. It’s a great overview of the way that the corporate approach to security is beginning to change. As usual, though, there are a couple of things that happen upon completion of a study. First, some pieces of the story get left out since they don’t fit in perfectly with the overall theme. After 40 pages, some things have to fall by the wayside. Second, new insights have a way of popping up in various conversations.
One of these new insights came up last week at the Channel Partners conference. I was sitting in on a panel discussion about security policy, and Eric Sandoval from Juniper described the way that security mindsets had to change. On one slide, he had an image illustrating the primary activity in traditional security: Protect. In order to keep attacks from getting through, companies worked on building a strong perimeter defense with firewalls and antivirus. Now, that strategy is inadequate. Eric’s next slide had five images showing a proper modern security mindset: Prepare, Protect, Detect, Respond and Recover. Businesses today have to assume that they will be breached and plan accordingly.
Our report dives into these new pieces to some extent, but the thing that stood out to me the most was the expanded scope of IT security. At first blush, there’s a five-fold increase in the level of activity involved in keeping a business safe. The true multiplier is probably a little lower, but it’s safe to suggest that there’s a big increase.
The direct result of that increase is that more skills are needed, and these skills are needed all across the organization. Our report pays attention to the broader workforce; with businesses acknowledging that human error is the primary factor in security breaches, some new form of training is required to mitigate the risk of employees becoming more aggressive with technology.
The area that our report does not cover in detail is the skill set of the IT team. There are a lot of great security experts working in the field today. I’ve spoken to several of them as they’ve helped us with our security certifications and our security member community. One recurring theme in our discussions is the challenge of properly positioning security efforts in this new environment. To take on the new elements, they need more resources.
Skills are a huge part of those resource needs. Like their organizations, the security pros have a background in perimeter defense. They are keeping up with the new trends as much as they can, but some formal training support from the organization would go a long way. In addition, some new headcount is likely in the cards for many companies. As security becomes a discipline independent of IT efforts, businesses will need to move from a security guy to a security team.
This plays into another theme from the report: different forms of partnerships that will begin to develop. Between internal teams that get built and external firms that get used, there are many combinations that will lead to success. The common thread for every combination will be the right blend of skills. This blend includes new technical areas (like DLP and IAM), new process areas (like risk analysis and compliance), and new personnel areas (like workforce assessment and education). By staying up to date with skills, companies give themselves the best chance to thrive as cybersecurity evolves.