In many ways, 2013 was a breakthrough year for IT security. It achieved the degree of awareness, some may say notoriety, that it has been missing for decades. Security is now firmly at the top of the board agenda, due mainly to the Snowden revelations and incoming regulations from the EU.
Importantly, the growing number of breaches seems to show no sign in declining and the consequences for firms (and executive management) are increasing. Mandatory reporting of breaches and a fine of two per cent of global revenue (as proposed in the draft EU General Data Protection Regulation (GDPR) should be sufficient to gain the attention of the most gung-ho CEO.
Enterprises today are faced with three key security challenges. The first is that business executives are demanding implementation of new social media and cloud technologies, as part of their digital transformation programs.
Delivering this capability is complex, but keeping the enterprise secure compounds the difficulty. An increase in the number and variety of devices connected to the internet multiplies the opportunity of security breaches by orders of magnitude. Most security infrastructures are unprepared for the escalation in event numbers and types, especially those created by mobile and M2M transactions.
The second security challenge is that the threat landscape itself is expanding as new threat vectors and actors are created. Increased complexity, number and sophistication of incoming threats are putting security provision under extreme stress.
The majority of security regimes involve a plethora of individual point solutions that solve specific threat types (viruses, DDOS, identity management etc). But the number of vulnerabilities is ever increasing and the threat types are also diversifying. This means that security provision is fragmented, with often large holes between product coverage. This piecemeal infrastructure approach is inefficient, risky and a nightmare to manage.
Achieving and retaining compliance with an increasing number of rules and regulations represents the third challenge to the CISO. The network and information security (NIS) directive and the general data protection regulations (GDPR) combine to place a torrent of obligations on all but the smallest of organisations.
Mandatory breach reporting threatens significant reputational damage and hefty fines incur financial damage. While the fine detail of these changes are yet to be worked out, there is broad consensus that the key principles will happen, probably within two years.
The policy changes and technology to support them will take at least that long to implement. We need to start now. These three challenges are hard enough for CISOs to cope with, but there’s an additional factor to consider, the global shortage in cyber security skills.
This skills shortage is constraining enterprises’ ability to make the business secure and is driving up the cost of security. Despite the professional associations that provide security accreditation, there is still a major shortfall of resource with the right blend of skills and experience to cope with the burgeoning cyber security market demand.
The National Audit Office and the Select Committee on Science and Technology have reported on the cyber security skills shortage, saying it could last for up to 20 years. The Public Account Committee’s own forecasts show an accumulating shortfall of 1,500 senior security architects each year. Meanwhile, cyber security salaries are rising at twice the industry rates.
These structural challenges together pose the question: Is cyber security too hard for CISOs?
I think it may be, and managed security services (MSS) may be a short-term fix to the skills shortage problem. Certainly, two years ago CISOs were reluctant to outsource security for fear of losing control of business-critical operations. Now they seem to be willing to adopt MSS, for reasons of cost, skills and expediency.
There is a clear increase in security services adoption, which is growing at twice the rate of security technology growth. Traditionally, services have been limited to isolated MSS, typically patch management and threat monitoring. In 2014 there is a concerted increase in services adoption, including full service outsourcing to specialist security services providers.
There is some security operations centre (SOC) outsourcing, and this is expected to increase in 2014 and beyond. Importantly, MSS goes beyond security advisory services, which are already widely used. The strongest growth is in designing, building and (importantly) running security operations. In many ways, outsourcing of cyber security just shifts the problem to an external supplier.
But there are some good economic reasons for doing so: much of the staff-based security monitoring and event analysis is, frankly, dull, and events happen to most firms relatively infrequently. And not every event detected requires deep analysis and intervention. Keeping this kind of function in-house is expensive and inefficient.
Outsourcing to an external organisation provides both the required expertise on hand and the scale to make it economically viable to the service provider, and makes it cost-effective and efficient for enterprises. If outsourcing of cyber security is a short term fix what does the longer term hold?
Cloud is one answer, we’ve reached a tipping point where cloud-based security is as good as, if not better than, on-premises security, and cheaper too. Reservations regarding data residency can be addressed through UK-based data centres and cloud services are available certified to IL3 and above.
Security in the cloud comes in a variety of shapes and sizes. It may be built into software-as-a-service offerings, such as Box, which makes a point of extolling its security credentials. AWS now sells virtual desktop instances from the cloud with embedded security, such as anti-virus. Authentication, single sign-on, device profiling, encryption, logging and malware detection/prevention are all available via the cloud.
One of the greatest inhibitors to manageability and efficiency of security solutions, as noted earlier, is the plethora of individual point solutions to cope with specific threats. Just a brief look at the leading security vendors’ portfolios shows this to be true: they all have extensive but fragmented portfolios. From a CISO point of view, managing this complex array of products is expensive and overly-complicated.
What is required, and what is emerging now, are integrated and holistic cyber security solutions. Several vendors have announced visions for a simpler and more integrated suite of products. All vendors must follow this strategy, or be consigned to being point solution providers. Those specialist product vendors that have limited portfolios also have limited coverage of the wider threat landscape, and are most probably acquisition targets.
Currently, the announced visions of security vendors are just that, visions. It will take time for these aspirations to come to market and be adopted. Until then, CISOs need all the help they can get.