How Organisations are Grappling with the Security “Gap Of Grief”
- 11 January, 2017 15:47
One of the great challenges that security professionals within an organisation face is articulating the value of investment in security. That is not to say that security is considered unimportant by the executive team and board, because the typical business is well aware of the risks that poor IT security can present. Rather, the number of security solutions that an organisation deploys across its network makes for a giant jigsaw puzzle, and coupled with tight budgets, it is a difficult process for the IT team to ‘sell up’ each individual new piece to add to the overall puzzle.
RSA regional security evangelist, Michael Lee explains, “I was talking to one customer who had 84 different vendors in their security suite, which was adding a lot of unnecessary complexity and configurations into the organisation.” He further expounds that “There are now around 1,500 vendors supplying security products. Customers want defence in depth, which is indeed critical, but the layers of security being added should ‘talk’ together. Otherwise they are simply not working smarter or efficiently.”
The reliance on single-product security from a wide range of different vendors is instrumental in creating a gap between the information that a security professional generates from the security investment, and what the executives and boards derive from it. Security professionals are interested in understanding how a breach of the organisation’s network happened, and more importantly, how it might be prevented in the future. The boards, meanwhile, are interested in the business risk that this entails; what is the cost of the breach and how should that information be communicated to their customers?
These very different focuses have led to a ‘gap of grief’ situation where a security professional might be overwhelmed by the number of alerts coming in from each piece of security on the network, while the board desperately wants to know at a glance what the damage is. With 70 per cent of businesses admitting to having been breached in the past year (according to the RSA Cybersecurity Poverty Index, 2016: https://www.rsa.com/en-us/resources/rsa-cybersecurity-poverty-index-2016), it is a common problem, and in a second survey, 80 per cent of businesses said that they were unhappy with how their security is working for them (RSA Threat Detection Effectiveness Survey, 2016: https://www.rsa.com/en-us/resources/threat-detection-effectiveness).
This dynamic has long led to discussions about whether it would be a better idea to train the security professionals to better understand the business implications of security breaches, or whether the board should be better trained in the technology to better understand it themselves. Neither solution is ideal, according to RSA’s Lee. Instead, one of the leading priorities for businesses should be to find a way of turning the investment into a business-driven strategy, and adopt a holistic approach to security that centralises the insights and makes them readily, and rapidly, available to all stakeholders in the organisation.
“Security needs have become increasingly complex at a rapid rate, and in that pursuit of defence in depth, organisations are often buying more and more gadgets without thinking about the greater strategy in doing so,” Lee says. “As a result, the technology isn’t talking to other pieces of security technology, and the entire infrastructure develops such significant inefficiencies that the entire network becomes a mess to manage. For a common example we see all the time: a company might have all their vulnerabilities and assets in a database, but that never talks to the two-factor authentication. It helps the overall security of the business in no way to keep these two things separate.
“A security professional might be able to manage both of these things separately and understand what each piece of the puzzle is meant to be doing, but it is difficult for the CEO or directors to properly analyse the impact that these technologies are having.”
The security space has become a challenge for resellers as a result, as all levels of the business struggle to justify spending on technology. With such diversity in vendors, no reseller has been able to represent the entire gamut of security solutions to clients, and often has to do heavy customisation work in order to craft solutions that bring multiple vendors together. In addition to being labour-intensive, these solutions are difficult to integrate with other security systems the customer has in place, and therefore make the sale difficult for the reseller.
Business-driven security would involve consolidating the security providers, and this move mirrors some of the consolidation that is happening in the security space itself. IT vendors are, through acquisitions and organic growth, developing holistic security ‘stacks’ just as they are creating stacks in other technology fields, and the benefits for customer and reseller alike are significant, Lee argues.
“Resellers have a great opportunity to offer professional services to customers through this consolidation process, and in helping the technology executives build the business strategy to take to the board, and then helping to plan through the consolidation process,” Lee states.
A reseller is in a far better position to help the security professional ‘sell’ a solution to the board if the overall impact of that solution is immediately quantifiable in relation to the overall security strategy. To put it simply: being able to provide executives with a complete solution is a far more effective way to get them on board than having to explain how each piece will fit together. A more efficient and effective security solution will also produce better security outcomes, which will in turn be easier to report back to the board each quarter.