The technology security market is growing at such a rate that it is almost impossible for anyone to keep up (indeed, a colleague I spoke to recently said that there were more than 50 new security startups every single week).
If you were one of the 15,500 people from over 70 countries who visited Infosec last year you’ll have experienced some of the explosion in technology options, with 315 vendors and service suppliers exhibiting (next year will be the 21st since inception in 1995).
Of course, the continued threat of cyber-attacks, data loss, intellectual property theft and service disruption has created a whole new security industry.
From the emergence of the humble firewall and anti-virus products in the late 1980s through to today's myriad of technology solutions plugging holes throughout the enterprise (like sand filling a jar of pebbles): Intrusion Detection Systems, URL Filtering, Identity Access Management, DDoS prevention, Anti-Malware Protection, PKI, Application Whitelisting, Data Loss Prevention, Threat Analytics, Isolation, and so on.
Whilst new emergent companies have often dominated as the landscape has changed, the heritage technology vendors, such as Microsoft, IBM and Cisco, have not stood still; Cisco, whilst a little late to the party, increased security product revenue in its last quarter to 14% and is targeting 20% in the short term.
It could be described as something of a security arms race, and probably one with no clear winner (or, at some of the valuations, maybe the next bubble).
So against this backdrop there are some serious challenges for leadership, namely:
- How to navigate the technology landscape and identify the most appropriate solutions for their organisation
- How to integrate solutions into a seamless and manageable service (internally/externally), and;
- Where to target investments first to get the greatest return
These are common themes for all CxOs. When on one side your stakeholders/customers are demanding that you protect them from threats and on the other, vendors are piling in with the latest solution to your problem, it's not a good place to be. Set that against budgets that are reducing in real terms and it's even more uncomfortable.
Part of the issue is that the genesis of the security business has been so embedded in technology that it is only now that the board executives have started to take notice. As few as 10 years ago the security department was often a mysterious group of individuals that were locked away from customers, trying to crack their own company defences to stop what, in most cases, was more of a nuisance factor if you were “hacked”.
Fast forward to today and we still don't really talk about security in the same way as we do about other technologies, i.e. in terms of business outcomes. Why not? Is it really any different from the enterprise technology services that we have elevated to be more business-function aligned?
Yes, security needs to be embedded across functions such as sales, distribution, finance, operations etc., but it also needs to be turned 180 degrees towards its customers and articulated in terms of business outcomes that the board executives can relate to, such as the impact of regulation, data protection penalties, customer retention, brand impact and the like (they probably worry a little less about polymorphic zero-day malware).
Why is this important? Well, the three challenges mentioned before have undesirable side effects within organisations. To the first point, we often see that companies move quickly and without a clear roadmap between the latest security defence products. We often talk in typical IT metaphors, such as “peeling back the layers of the onion” whereas in the security space the onion just keeps on growing!
Layering defences is of course sensible, but emptying the contents of the Gartner Top 10 vendors into the enterprise is somewhat less so.
And that speaks to points 2 and 3. The integration of solutions, when so technology-driven and verbose, can leave many companies rich in product but poor in solution.
What is more important is to really assess the business outcomes, the critical assets, the required maturity level and the steps to achieve the goal. Security technology forms a big part of this, but it should be considered in the same way as the other components in the end-to-end service chain.
By taking a step back and laying out the desired business objectives, organisations can really improve their investment strategy rather than take their chances in the security lottery.