Addressing The Runaway Demand For Information Security

With organizations going through digital transformation,IT leaders must fundamentally change how information security services are delivered, and make security part of everyone's job.

As organizations continue to pursue digitization as a core driver of growth, they are also seeing a rise in demand for information security. To enable organizations to grow through digital transformations, IT leaders need to fundamentally change information security’s portfolio of services and the way in which they are delivered.

But before we discuss how to make those changes, let’s first look at what is driving demand. There are three key factors.

First, proprietary information is shared with a growing number of organizations, which, in turn, disperse this information to other parties. Detection and management of these so-called “ecosystem risks” has not yet been automated, hampering information security’s ability to scale its risk management efforts. Increasing regulatory scrutiny based on identified security vulnerabilities also adds pressure for organizations to step up their vulnerability detection and crisis response programs.

Second, speed-to-market demands are pushing IT functions to adopt continuous solutions delivery. The increased use of Agile and DevOps is breaking the established stage-gate approach that information security has historically used to govern projects.

Third, and perhaps most importantly, the increasing frequency and implications of cybersecurity attacks are transforming information security from a back-office function to a digitization strategy consultant. CEB surveyed 50 chief information security officers (CISOs) across the U.S. in 2016, and they reported that they now spend close to 20 percent of their time preparing for and presenting to their board.

[Read how CIOs and IT managers say their priorities, and security is a top priority.]

To reflect these changes, the percentage of the IT budget dedicated to information security and the total count of full-time security staff has increased, according to CEB data. In 2012, the number of security employees as a share of all IT employees was 2.7 percent, versus 3.6 percent in 2016. But due to talent shortages and the increased logistical complexity of managing more people, continuing to hire staff to meet increasing demand is unsustainable.

To address the runaway demand for information security, IT leaders must fundamentally rethink their approach to information risk management to deliver security beyond scale. But how?

Consider three mindset shifts.

1. Information Security Is Now Everybody’s Job:  Due to the increasing emphasis placed on security, responsibility for good security needs to be part of every IT professional’s job. Information security should offer educational courses to train other IT professionals on sound security practices and establish incentives for solutions delivery teams to follow during project delivery.  

2. Information Security Cannot Be Involved in Every Project: With iterative development methodologies on the rise, information security staff need to accept that they can’t touch every project. To ensure that projects still have the security they need, the information security organization needs to hire or train staff with application development and design skills to build APIs, containers, and microservices to automate security governance.

3. Allow Business Units to Self-Manage Risk Decisions: The business line also plays a role in security. To incent the line to make sound risk decisions independently, IT leaders should raise awareness of the company’s risk appetite and communicate how poor risk decisions within one business unit can adversely affect other parts of the organization. By allowing business units to self-manage risk decisions, IT can also alleviate some of the tension that exists between information security and business leaders and avoid being perceived as a roadblock.

CISOs, their teams, and the IT department as a whole are critical to helping companies grow and supporting digitization efforts. But as existing security models can’t support the demand for security services, they must instead figure out how to facilitate changes to address the runaway demand for security. By doing so, CISOs and other IT leaders will be best poised to enable organizations’ growth through digitization.

Jeremy Bergsman is an IT practice leader at CEB, a best practice insight and technology company. Since joining CEB in 2006, Jeremy has overseen dozens of quantitative and qualitative research studies on topics including measuring and changing end-user behavior, risk assessment, roadmapping and planning, business capability modeling, and aligning IT functions with business needs. Educated as a neuroscientist, Jeremy holds a doctorate from Stanford University School of Medicine and was a postdoctoral fellow at Yale School of Medicine.

Daria Kirilenko, research consultant at CEB, also contributed to this article.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing