Addressing The Runaway Demand For Information Security - InformationWeek


Commentary
1/12/2017
09:30 AM
By Jeremy Bergsman, IT Practice Leader at CEB

Addressing The Runaway Demand For Information Security

With organizations going through digital transformation, IT leaders must fundamentally change how information security services are delivered, and make security part of everyone's job.

As organizations continue to pursue digitization as a core driver of growth, they are also seeing a rise in demand for information security. To enable organizations to grow through digital transformations, IT leaders need to fundamentally change information security’s portfolio of services and the way in which they are delivered.

Credit: Shutterstock/Wright Studio

But before we discuss how to make those changes, let’s first look at what is driving demand. There are three key factors.

First, proprietary information is shared with a growing number of organizations, which, in turn, disperse this information to other parties. Detection and management of these so-called “ecosystem risks” has not yet been automated, hampering information security’s ability to scale its risk management efforts. Increasing regulatory scrutiny based on identified security vulnerabilities also adds pressure for organizations to step up their vulnerability detection and crisis response programs.

Second, speed-to-market demands are pushing IT functions to adopt continuous solutions delivery. The increased use of Agile and DevOps is breaking the established stage-gate approach that information security has historically used to govern projects.

Third, and perhaps most importantly, the increasing frequency and implications of cybersecurity attacks are transforming information security from a back-office function to a digitization strategy consultant. CEB surveyed 50 chief information security officers (CISOs) across the U.S. in 2016, and they reported that they now spend close to 20 percent of their time preparing for and presenting to their board.


To reflect these changes, the percentage of the IT budget dedicated to information security and the total count of full-time security staff have increased, according to CEB data. In 2012, the number of security employees as a share of all IT employees was 2.7 percent, versus 3.6 percent in 2016. But due to talent shortages and the increased logistical complexity of managing more people, continuing to hire staff to meet increasing demand is unsustainable.

To address the runaway demand for information security, IT leaders must fundamentally rethink their approach to information risk management to deliver security beyond scale. But how?

Consider three mindset shifts.

1. Information Security Is Now Everybody’s Job: Due to the increasing emphasis placed on security, responsibility for good security needs to be part of every IT professional’s job. Information security should offer educational courses to train other IT professionals on sound security practices and establish incentives for solutions delivery teams to follow during project delivery.

2. Information Security Cannot Be Involved in Every Project: With iterative development methodologies on the rise, information security staff need to accept that they can’t touch every project. To ensure that projects still have the security they need, the information security organization needs to hire or train staff with application development and design skills to build APIs, containers, and microservices to automate security governance.

3. Allow Business Units to Self-Manage Risk Decisions: The business line also plays a role in security. To incent the line to make sound risk decisions independently, IT leaders should raise awareness of the company’s risk appetite and communicate how poor risk decisions within one business unit can adversely affect other parts of the organization. By allowing business units to self-manage risk decisions, IT can also alleviate some of the tension that exists between information security and business leaders and avoid being perceived as a roadblock.

CISOs, their teams, and the IT department as a whole are critical to helping companies grow and supporting digitization efforts. But as existing security models can’t support the demand for security services, they must instead figure out how to facilitate changes to address the runaway demand for security. By doing so, CISOs and other IT leaders will be best poised to enable organizations’ growth through digitization.

Jeremy Bergsman is an IT practice leader at CEB, a best practice insight and technology company. Since joining CEB in 2006, Jeremy has overseen dozens of quantitative and qualitative research studies on topics including measuring and changing end-user behavior, risk assessment, roadmapping and planning, business capability modeling, and aligning IT functions with business needs. Educated as a neuroscientist, Jeremy holds a doctorate from Stanford University School of Medicine and was a postdoctoral fellow at Yale School of Medicine.

Daria Kirilenko, research consultant at CEB, also contributed to this article.

Comments
ThanN666
User Rank: Apprentice
1/16/2017 | 12:55:37 PM
IT Staffing
Hiring big data experts to manage and enhance analytics infrastructure will be a significant challenge in 2017. The market value for IT professionals and analytics experts has risen by nearly 25 percent in 2016, indicating ongoing competition for data scientists and other IT professionals with experience in the Information Security industry.

Than Nguyen

IT Staffing Houston

 