Business transformation a catalyst for cybersecurity spending
7 October 2016
As enterprises accelerate their use of cloud computing and online services and ready themselves for internet of things deployments, they are straining to find the cybersecurity talent and security tools needed to secure these efforts. That is one of the most important points from the Global State of Information Security Survey (GSISS) 2017, a worldwide study conducted by PwC, CIO and CSO.
According to the GSISS survey, 59% of respondents say they are boosting their security spending as a result of their increased use of digital technologies, and retooling their business models to provide customers, employees, and partners ever more digital services and apps. These security efforts include increased investments in cloud computing environments, data monitoring, as well as managed security services. The survey was conducted online from April 4, 2016 to June 3, 2016.
The survey found respondents' cybersecurity spending priorities for the next 12 months to be considerable: improving collaboration within the business (51%), securing changing business models (46%), and securing their IoT deployments (46%).
The broad business adoption of cloud computing outside of software development and IT continues to remain strong. While IT, not surprisingly, at 63% is the single largest business unit that runs functions in the cloud, others such as finance (32%), marketing and sales (34%), customer service (34%), and operations (35%) are catching up in how many business functions they run within cloud-based environments.
As these enterprise adoption trends toward cloud, mobile, and IoT accelerate, so does the impact they each have on security spending. “Security spending tends to be driven by threat changes in the short run, business technology changes take longer to impact spend, and the increased use of cloud is having the biggest impact,” says John Pescatore, director, emerging security trends at the SANS Institute.
Javvad Malik, security advocate at AlienVault and former security analyst at 451 Research, adds that part of the trend underway includes using cloud, mobile, APIs, and data to improve customer experience in intuitive ways. As a result, IT security operating models have had to change, or adjust, to take this new reality into account. “Perhaps the biggest change this has incurred is abstracting security controls from the technology and more importantly away from the customer,” Malik says.
How is this being done? Malik says through increased investments in monitoring, behavioral analysis, and awareness tools. “These allow businesses to continually innovate without security being a bottleneck – and security can keep an eye on the operations,” he says. The survey found 63% of enterprises are running IT services in the cloud, 62% are using managed security services, and just over half say they are currently using security analytics.
Big security shift
How are enterprises managing their transitions to hybrid legacy, public, and private cloud environments? Those we interviewed based on these survey results unanimously said: not very well.
Martin Fisher, IT security manager at Northside Hospital and host of the Southern Fried Security Podcast, says IT operations teams are breaking into distinct groups that focus individually on internally hosted systems, while others focus on varied forms of cloud computing environments within their business. “Integration of these operations is difficult and I’m not sure, outside of the Unicorns, that anybody has it totally figured out, at least not in healthcare,” he adds.
Pescatore agrees: “Increased use of SaaS and IaaS is definitely causing breakage in security approaches. It is causing a shift in spend from security software and hardware to actually more skills on the security staff side,” he says, adding that it’s common for SANS to hear such challenges from large enterprises. The reason for this, Pescatore explains, is that “SaaS means you cannot use security agents or appliances except the big SaaS services, such as Outlook365, Google at Work, Salesforce, and so on. They have security features and APIs that can be used to extend security policies to the SaaS app — but that takes a higher level of skill in the security staff. Similarly, in IaaS you can use software and virtual appliances,” he says.
Those higher-skilled, or nearly any-skilled actually, cybersecurity professionals are hard to come by — and continue to make enterprise IT security all the more challenging. Many enterprises are attempting to close their skills gap by turning to managed security services. According to the survey, 62% of respondents use security service providers to operate and enhance their IT security programs. The services they are outsourcing include authentication (64%), data loss prevention (61%), identity and access management (61%), real-time monitoring and analytics (55%), and threat intelligence (48%).