Securing the Enterprise: Is Your IT Department under Siege?

Siobhan Byron, President - Forsythe Technology Canada
Forsythe Solutions Group
Dragana Vranic, Director - Managed Services
Forsythe Solutions Group

InSecure Magazine, 12.01.2011

In 2006, 84 percent of companies participating in PricewaterhouseCoopers’ Global State of Information Security Survey said they were confident in the effectiveness of their organization’s information security activities. In 2011’s survey, that number had dropped to 72 percent. That’s quite a drop in a short period of time. But it makes sense when you think about what’s happened in the last five years: enterprise IT departments today are facing a never-ending, always-increasing global onslaught of threats at a time when their budgets have either been frozen or slashed.

It’s like an army being told to guard a fortress against a superior force and oh, by the way, do it with one-third fewer troops than you had a few years ago. It’s no wonder IT departments feel as if they’re under siege.

Adding to the challenge, today’s IT departments are under increasing pressure to become more flexible and adaptable, which often means replacing established technologies with lower-cost systems such as those found in the cloud.

While those systems may be a good choice for front-line workers, they generally carry higher security and regulatory compliance concerns than traditional enterprise applications. And IT departments need to do all of this while also leveraging a flexible and cost-effective approach to business continuity and disaster recovery.

That makes the complexity of today’s enterprise IT environment more challenging than ever for your IT department to master. In the past, physical barriers such as the corporate firewall were enough to keep marauding invaders at bay. In today’s virtualized world, it’s more challenging to get between two systems that are communicating through the cloud, because many more doors, windows and other points of entry – not to mention the ether in between – need to be guarded.

Your IT department is no doubt acutely aware of the risks. Years of responding to new business needs and challenges with evolving security, network, server and storage technologies have led to an ever more complex infrastructure that is often over-provisioned, underutilized and difficult to manage. Yet just when IT organizations could use more resources to help them dig out from underneath it all, they have fewer.

What that means in practical terms is Fortune 1000 companies that still rely solely on internal IT resources for their security needs are finding that the effort required to maintain security at acceptable (not even optimum) levels is affecting their effectiveness in other areas. Simply put, it is taking more time, creating more risk, and costing more to deliver IT projects that add value and enhance the business.

With all of this going on, internal IT resources too often come to be seen as a cost center, instead of a strategic asset that can help maintain and enhance competitive advantage and respond more quickly to the dynamic changes in today’s global business environment. Instead of focusing on the business value that technology can provide, IT departments are struggling just to keep the lights on – especially when it comes to security.

One way to get beyond this siege mentality and get IT refocused on adding value is by using managed security services. These services can help by taking the burden of deploying prevention, detection and web-based technologies off internal IT departments so they can use their knowledge of the business to add value. Managed security services are one area in which we are seeing companies willing to invest, even though the past four years have seen a significant reduction in other IT investments.

Why is this? According to the 2012 Global State of Information Security Survey, a persistent reluctance to fund enterprise IT security during the economic downturn has led to a degradation in core security capabilities, including identity management, business continuity, disaster recovery, employee Internet monitoring, and data protection. Enterprises are coming to the realization they are living on borrowed time in terms of security, and are anxious to rectify the situation before a disaster occurs.

Adding to the urgency, mobile devices and social media – two afterthoughts to enterprise IT just a couple of years ago – now present significant threats from outside the firewall. Today, according to a Check Point survey, nearly half of all enterprises are victims of social engineering, having experienced 25 or more attacks in the past two years. That costs businesses anywhere from $25,000 to $100,000 per security incident. And McAfee reports that attacks on smartphones and other mobile devices rose by 46 percent in 2010.

In addition, the Global State of Information Security Survey found that few organizations believe they are equipped to deal with the Advanced Persistent Threat (APT) attacks that have increasingly targeted global enterprise IT organizations over the past two years.

Now throw in the challenges associated with managing third-party security risk issues related to partners, vendors and suppliers tapping into the enterprise IT infrastructure, and you can see that the risks IT departments face on all fronts are overwhelming for even the best-funded IT organization. And these days, most IT organizations don’t view themselves as being well-funded.

The speed with which security threats change in today’s globally connected and converging business world is the biggest barrier to an enterprise IT organization being able to mitigate risk so it can focus on its core business. Fortune 1000 companies are finding that managed security service providers are a smart option to help their IT departments ensure they have the critical IT services they need to meet these security challenges. There are three key areas in which a managed security service can make a big difference – speed, cost and risk.

Speed – A managed security service provider can help a company stay up to speed with IT security technology. But speed goes beyond keeping up with the changing threats outside the firewall.

Inside the firewall, it is also critical to keep staff trained, keep the latest versions installed and supported, and have best practices in place that can help detect and respond to security threats in a timely manner.

For a managed security services provider, security is not one part of the overall job; it is the entire focus. The provider has the time, resources and – most important – the incentive to remain current.

Cost – When companies consider the cost of IT security, they often overlook the costs associated with keeping training and certifications up-to-date, the need to upgrade infrastructure, and even the costs of a ticketing or reporting system.

A managed security services provider helps alleviate some of the budget pressure of managing day-to-day operational security issues, so the company can focus its internal resources on driving the business. This can be done by “operationalizing” the cost, that is, making it predictable within the operating budget, instead of having to adjust capital budget resources on the fly to address unforeseen security challenges.

Risk – Managing risk is an enterprise-wide issue, with more responsibility faced by the executive suite and data center than ever before. Every organization knows that it has to mitigate risk to ensure the IT environment isn’t compromised and competitive and customer data are protected. High-profile breaches of security have led governments to take a larger role in protecting data, ensuring privacy and requiring visibility through compliance reporting, all of which rely on IT.

A managed security services provider doesn’t replace the internal IT team. Instead, it augments the existing team by providing the expertise, threat modeling and other compliance and protection services needed to mitigate risk in line with regulatory obligations and business goals.

In these uncertain economic times, remaining secure by proactively managing security is more important than ever. Every day brings new risks to enterprise information and systems, and ultimately to the business itself, making it more and more challenging to identify vulnerabilities, minimize exposure, and prepare to respond quickly to any contingency.

It is much harder to bounce back from business interruptions or unexpected losses caused by IT security gaps. The smart businesses today know that the cost of avoiding such threats is typically much less than the cost of recovering from them.

Siobhan Byron is the President of Forsythe Technology Canada; Dragana Vranic is Director of Managed Services at Forsythe Technology Canada (www.forsythe.com).