April 4, 2012
Securing the Enterprise: Is Your IT Organization under Siege?
Enterprise IT departments today are facing a never-ending, always-increasing global onslaught of security threats, at a time when budgets have either been frozen or slashed. From 2006 to 2011, there was a 12 percent drop in companies’ information security confidence level, according to PricewaterhouseCoopers’ Global State of Information Security Survey.
This scenario is analogous to an army being told to guard a fortress against a superior force and oh, by the way, do it with one-third fewer troops than you had a few years ago. It’s no wonder IT departments feel as if they’re under siege.
The pressure to adapt is increasing
Adding to the challenge, today’s IT organizations are under increasing pressure to become more flexible and adaptable. In practice, this often means replacing established technologies with lower-cost systems such as those found in the cloud.
While those systems may be a good choice for front-line workers, they generally carry higher security and regulatory compliance concerns than traditional enterprise applications. And IT organizations need to do all of this while also leveraging a flexible and cost-effective approach to business continuity and disaster recovery.
That makes today’s enterprise IT environment more complex and more challenging for your IT department to manage than ever. In the past, physical barriers such as the corporate firewall were enough to keep marauding invaders at bay. In today’s virtualized world, it is harder to place a barrier between two systems that are communicating through the cloud, because many more doors, windows and other points of entry—not to mention the ether in between—need to be protected.
Your IT team is no doubt acutely aware of the risks. Years of responding to new business needs and challenges with evolving security, network, server and storage technologies have led to an ever more complex IT infrastructure that is often over-provisioned, underutilized and difficult to manage. Yet, just when IT organizations could use more resources to help them dig out from underneath it all, they have fewer.
In practical terms, Fortune 1000 companies that still rely solely on internal IT resources for their security needs are finding that the effort required to maintain security at an acceptable (not even optimum) level is lowering their effectiveness in other IT areas. Simply put, it is taking more time, creating more risk, and costing more to deliver IT projects that add value to the business.
Internal IT resources are too often seen as a cost center in today’s competitive environment, instead of a strategic asset that can help maintain and enhance a company’s competitive advantage and respond more quickly to the dynamic changes in today’s global business environment. Instead of focusing on the business value that technology can provide, IT departments are oftentimes struggling with just keeping the lights on, especially when it comes to security.
Adding managed security services to the front line
One way IT departments are adding more value is by taking advantage of managed security services. These services take the burden of deploying prevention, detection and web-based technologies off internal IT departments, freeing up time they can spend using their knowledge of the business to add more value. Managed security services are one area in which companies have kept investing, even though the past four years have seen them significantly reduce other IT investments.
Fortune 1000 companies that still rely solely on internal IT resources for their security needs are finding it difficult to keep up with security threats.
Why? According to the 2012 Global State of Information Security Survey, a persistent reluctance to fund enterprise IT security during the economic downturn has led to a degradation in core security capabilities, including identity management, business continuity, disaster recovery, employee Internet monitoring, and data protection. Enterprises are coming to the realization that, in terms of security, they are living on borrowed time. They are anxious to fix the situation before a big disaster or security breach occurs.
Adding to the urgency, mobile devices and social media—two afterthoughts to enterprise IT just a couple of years ago—now present significant threats from outside the firewall. According to a recent Check Point survey, nearly half of all enterprises are victims of social engineering, having experienced 25 or more attacks in the last couple of years. That costs businesses anywhere from $25,000 to $100,000 per security incident. And McAfee reports that attacks on smartphones and other mobile devices rose by 46 percent in 2010.
In addition, the Global State of Information Security Survey found that few organizations believe they are equipped to deal with the advanced persistent threat (APT) attacks that have increasingly targeted global enterprise IT organizations.
Now, throw in the challenges associated with managing third-party security risk issues related to partners, vendors and suppliers tapping into the enterprise IT infrastructure, and you can see that the risks IT organizations face on all fronts are overwhelming, even for those IT organizations that are well-funded. Most IT organizations, however, don’t view themselves as well-funded.
The speed with which security threats change in today’s globally connected and converging business world is the biggest barrier to an enterprise IT organization being able to mitigate risk so it can focus on the core business. Fortune 1000 companies are finding that managed security service providers are a smart option to help their IT departments ensure they have the critical IT services they need to meet these security challenges.
Where managed security services have an impact
There are three main areas where managed security services can make a big difference.
A managed security service provider can help a company stay up to speed with IT security technology. But speed goes beyond keeping up with the changing threats outside the firewall.
Inside the firewall, it is also critical to keep staff trained, keep the latest versions installed and supported, and have best practices in place that can help detect and respond to security threats in a timely manner.
For a managed security services provider, security is not one part of the overall job; it is the entire focus. The provider has the time, resources and—most importantly—the incentive to remain current.
When companies consider the cost of IT security, they often overlook the costs associated with keeping training and certifications up to date, the need to upgrade infrastructure, and even the costs of a ticketing or reporting system.
A managed security services provider helps alleviate some budget pressures associated with managing day-to-day operational security issues so the company can focus its internal resources on driving the business. This can be done by operationalizing the cost, or making the cost predictable within the operating budget, instead of having to adjust capital budget resources on the fly to address unforeseen security challenges.
Today, managing risk is a company-wide issue, with more responsibility placed on the executive suite and the data center. Every organization knows that it has to mitigate risk to ensure the IT environment isn’t compromised and customer data is protected. High-profile breaches of security have led governments to take a larger role in protecting data, ensuring privacy and requiring visibility through compliance reporting, all of which rely on IT.
A managed security services provider doesn’t replace the internal IT team. Instead, it augments the existing team by providing the expertise, threat modeling and other compliance and protection services needed to mitigate risk in line with regulatory obligations and business goals.
A Secure Enterprise
Every day brings new risks to enterprise information, systems and, ultimately, the business itself, making it more and more challenging to identify vulnerabilities, minimize exposure, and prepare to respond quickly to any contingency.
It is much harder to bounce back from business interruptions or unexpected losses caused by IT security gaps. The smart businesses today know that the cost of avoiding such threats is typically much less than the cost of recovering from them.
An earlier version of this article appeared in InSecure Magazine.