Information security teams face an unprecedented level of demand for their services right now. The rise of more iterative, continuous technology delivery methods such as Agile and DevOps, together with a growing number of line managers and vendors involved in sourcing, creating, and using a vast and expanding store of data, makes it incredibly hard to balance the traditional but necessary operational activities against newer, higher-impact work such as risk management and governance.
The strain on the time and resources of information security teams is understandable (as Yahoo can attest), and even though companies are still stumping up money, growth in information security budgets is slowing.
To make the most of 2017, security teams must learn to automate, delegate, devolve, or outsource the governance and operations activities that currently fill their day-to-day work.
Three Ways to Cope
Automate routine tasks to boost productivity and bridge the cyber talent gap: With the shortage of cybersecurity employees expected to reach 1.5 million worldwide by 2019, help is not on the way.
Automating operations and governance activities offers the best chance of meeting information security demands. Security operations, everything from firewall monitoring and spam filtering to malware analysis, are a prime target for automation. Further, by giving developers the building blocks of secure development in a form they can consume directly, such as APIs and pre-approved libraries, Information Security can make life much easier for Agile development teams: the secure option is built into what they already use, so they no longer need to pass through a conventional stage-gate review that jars so badly with the Agile methodology.
This will dramatically reduce the time routine tasks take and allow a limited pool of security staff to move on to more strategic activities.
Delegate and devolve operations to the rest of IT and the business: Information security managers have understood for a while that their function's role is no longer to eliminate risk but to manage it in line with the company's risk appetite (this page has more on the transition to "true risk management"), but this isn't yet understood by everyone outside the function.
Information security teams need to educate and engage business leaders on why everyone is responsible for the risk of information leaking into the wrong hands, whether intentionally or unintentionally. To do that, security teams should take on a variety of roles that let them engage business leaders in ways that match the company's digital ambitions.
Security leaders need to be effective evangelists, consultants, and brokers, able to educate business partners on how the function can help them hit business goals, to provide project guidance, and to forge internal connections.
Outsource new kinds of security activities: While automating and devolving activities will give Information Security more time, in the long term security leaders must be prepared to broaden the portfolio of activities they outsource.
Today, security functions spend roughly 8% to 9% of their budgets on outsourcing, but the majority of that goes toward staff augmentation, according to CEB data. Instead, security leaders can use the rapidly maturing market for managed security services for a wider range of activities, including advanced security information and event management (SIEM), vulnerability management, and real-time compliance monitoring.
In tandem, security functions must develop more robust ways of evaluating the security programs run across the company and of managing vendors, so that providers are held accountable for delivering high-quality services.