Addressing The Runaway Demand For Information Security - InformationWeek
IT Leadership
09:30 AM
By Jeremy Bergsman, IT Practice Leader at CEB
By Jeremy Bergsman, IT Practice Leader at CEB

Addressing The Runaway Demand For Information Security

With organizations going through digital transformation,IT leaders must fundamentally change how information security services are delivered, and make security part of everyone's job.

As organizations continue to pursue digitization as a core driver of growth, they are also seeing a rise in demand for information security. To enable organizations to grow through digital transformations, IT leaders need to fundamentally change information security’s portfolio of services and the way in which they are delivered.

Credit: Shutterstock/Wright Studio
Credit: Shutterstock/Wright Studio

But before we discuss how to make those changes, let’s first look at what is driving demand. There are three key factors.

First, proprietary information is shared with a growing number of organizations, which, in turn, disperse this information to other parties. Detection and management of these so-called “ecosystem risks” has not yet been automated, hampering information security’s ability to scale its risk management efforts. Increasing regulatory scrutiny based on identified security vulnerabilities also adds pressure for organizations to step up their vulnerability detection and crisis response programs.

Second, speed-to-market demands are pushing IT functions to adopt continuous solutions delivery. The increased use of Agile and DevOps is breaking the established stage-gate approach that information security has historically used to govern projects.

Third, and perhaps most importantly, the increasing frequency and implications of cybersecurity attacks are transforming information security from a back-office function to a digitization strategy consultant. CEB surveyed 50 chief information security officers (CISOs) across the U.S. in 2016, and they reported that they now spend close to 20 percent of their time preparing for and presenting to their board.

[Read how CIOs and IT managers say their priorities, and security is a top priority.]

To reflect these changes, the percentage of the IT budget dedicated to information security and the total count of full-time security staff has increased, according to CEB data. In 2012, the number of security employees as a share of all IT employees was 2.7 percent, versus 3.6 percent in 2016. But due to talent shortages and the increased logistical complexity of managing more people, continuing to hire staff to meet increasing demand is unsustainable.

To address the runaway demand for information security, IT leaders must fundamentally rethink their approach to information risk management to deliver security beyond scale. But how?

Consider three mindset shifts.

1. Information Security Is Now Everybody’s Job:  Due to the increasing emphasis placed on security, responsibility for good security needs to be part of every IT professional’s job. Information security should offer educational courses to train other IT professionals on sound security practices and establish incentives for solutions delivery teams to follow during project delivery.  

2. Information Security Cannot Be Involved in Every Project: With iterative development methodologies on the rise, information security staff need to accept that they can’t touch every project. To ensure that projects still have the security they need, the information security organization needs to hire or train staff with application development and design skills to build APIs, containers, and microservices to automate security governance.

3. Allow Business Units to Self-Manage Risk Decisions: The business line also plays a role in security. To incent the line to make sound risk decisions independently, IT leaders should raise awareness of the company’s risk appetite and communicate how poor risk decisions within one business unit can adversely affect other parts of the organization. By allowing business units to self-manage risk decisions, IT can also alleviate some of the tension that exists between information security and business leaders and avoid being perceived as a roadblock.

CISOs, their teams, and the IT department as a whole are critical to helping companies grow and supporting digitization efforts. But as existing security models can’t support the demand for security services, they must instead figure out how to facilitate changes to address the runaway demand for security. By doing so, CISOs and other IT leaders will be best poised to enable organizations’ growth through digitization.

Jeremy Bergsman is an IT practice leader at CEB, a best practice insight and technology company. Since joining CEB in 2006, Jeremy has overseen dozens of quantitative and qualitative research studies on topics including measuring and changing end-user behavior, risk assessment, roadmapping and planning, business capability modeling, and aligning IT functions with business needs. Educated as a neuroscientist, Jeremy holds a doctorate from Stanford University School of Medicine and was a postdoctoral fellow at Yale School of Medicine.

Daria Kirilenko, research consultant at CEB, also contributed to this article.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/16/2017 | 12:55:37 PM
IT Staffing
Hiring big data experts to manage and enhance analytics infrastructure will be a significant challenge in 2017. The market value for IT professionals and analytics experts has risen by nearly 25 percent in 2016, indicating ongoing competition for data scientists and other IT professionals with experience in the Information Security industry.

Than Nguyen

IT Staffing Houston

2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
AI & Machine Learning: An Enterprise Guide
James M. Connolly, Executive Managing Editor, InformationWeekEditor in Chief,  9/27/2018
How to Retain Your Best IT Workers
John Edwards, Technology Journalist & Author,  9/26/2018
10 Highest-Paying IT Job Skills
Cynthia Harvey, Contributor, NetworkComputing,  9/12/2018
Register for InformationWeek Newsletters
Current Issue
The Next Generation of IT Support
The workforce is changing as businesses become global and technology erodes geographical and physical barriers.IT organizations are critical to enabling this transition and can utilize next-generation tools and strategies to provide world-class support regardless of location, platform or device
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll