Conventional wisdom dictates that an increase in cybersecurity threats requires ever-larger IT security teams. Gartner fellow and research vice president Tom Scholtz says it’s time to think differently.
“Digital business has changed the risk landscape permanently,” says Scholtz. “Even in the unlikely case that there are no resource constraints, scaling up a centralized cybersecurity function as more and more threats emerge isn’t necessarily the best way to protect organizations.”
Those considering a different approach must observe the principles of digital business security:
- Evolve security teams from being protectors of all infrastructure and data into facilitators of risk-based decisions throughout the organization.
- Fully integrate security practices into the fabric of the organization, rather than bolting them on and enforcing them through a centralized security function.
- Share accountability for protecting enterprise resources with business process, application and data owners — no longer is the security team solely responsible.
“These principles run contrary to the idea of building an ever-growing security team to cope with the ever-growing list of threats,” says Scholtz. “Many routine security functions can, in fact, be performed as well, if not better, by other IT or business functions.”
Identify security functions that can be devolved elsewhere
Assess your current security team’s effectiveness with a view to identifying functions or capabilities (such as user awareness communication) that can be devolved elsewhere in the business or IT department. Determine which functions are working well, and therefore should not be disrupted, and which are performing suboptimally or perhaps not at all.
Next, identify the root causes of security problems. Are current staff overloaded? Are there political or cultural barriers between business units? Are there scaling issues? Functions that are problematic for such reasons may be candidates for devolution.
If there is no dedicated security organization, which means that both IT and non-IT staff currently perform all security functions, the main problems are likely to be due to a lack of coordination. Such a situation indicates potential for establishing a lean governance function.
Find a new home for poorly performing security functions
Based on your assessments, identify alternative locations in the business or IT department for security functions that are under-resourced or performing suboptimally. Alternatives should possess the capacity, resources, political clout and business incentives to support the relocated functions. Another possibility is to outsource them to a managed service provider.
Many traditional security practices for endpoints and networks could find a new home with professionals in the IT infrastructure and operations team. Application security functions could relocate to application development and DevOps teams.
“This approach can potentially result in the design of a ‘lean’ security organization where a dedicated security leader manages centralized coordination of key governance and operational activities,” says Scholtz.
Pros and cons of the lean approach
A lean approach to digital security can alleviate the skills shortage in the cybersecurity field. It can also help build a broad understanding of security matters throughout an organization. This is entirely appropriate, given that all employees should understand and be able to manage the security implications of their jobs.
Moving security decisions closer to the business units affected can also help drive more informed decision-making, based on a better understanding of the underlying processes and business impacts.
A key disadvantage, however, could be that fragmenting the security role and security responsibilities across different reporting lines may disrupt coordination, especially in geographically dispersed organizations. But Scholtz adds that “clear direction, strong governance and effective program management should be enough to keep this risk under control and help realize the benefits of a lean security organization.”