The big security shift
How are enterprises managing their transitions to hybrid legacy, public, and private cloud environments? Those we interviewed based on these survey results unanimously said: not very well.
Martin Fisher, IT security manager at Northside Hospital and host of the Southern Fried Security Podcast, says IT operations teams are breaking into distinct groups that focus individually on internally hosted systems, while others focus on varied forms of cloud computing environments within their business. “Integration of these operations is difficult and I'm not sure, outside of the Unicorns, that anybody has it totally figured out, at least not in healthcare,” he adds.
Pescatore agrees: “Increased use of SaaS and IaaS is definitely causing breakage in security approaches. It is causing a shift in spend from security software and hardware to actually more skills on the security staff side,” he says, adding that it’s common for SANs to hear such challenges from large enterprises. The reason for this, Pescatore explains, is that “SaaS means you cannot use security agents or appliances except the big SaaS services, such as Outlook365, Google at Work, Salesforce, and so on. They have security features and APIs that can be used to extend security policies to the SaaS app -- but that takes a higher level of skill in the security staff. Similarly, in IaaS you can use software and virtual appliances,” he says.
Those higher-skilled, or nearly any-skilled actually, cybersecurity professionals are hard to come by — and continue to make enterprise IT security all the more challenging. Many enterprises are attempting to close their skills gap by turning to managed security services. According to the survey, 62 percent of respondents use security service providers to operate and enhance their IT security programs. The services they are outsourcing include authentication (64 percent), data loss prevention (61 percent), identity and access management (61 percent), real-time monitoring and analytics (55 percent), and threat intelligence (48 percent).
Malik added that enterprises have become more comfortable with outsourcing aspects of security, as well. “The irrational fear of cloud being insecure is being replaced by a more measured approach. Secondly, there's the skills gap issue. Most security teams in-house are so stretched, they don't have time to monitor and respond to all alerts — so shifting some of those tasks to a managed security services provider can help relieve some of the burden,” he said.
Fisher agrees on the skills shortage. According to Fisher, there are three primary trends underway driving the move to outsource: 1) extreme difficulty in obtaining and retaining qualified staff; 2) the infrastructures are complex and difficult to manage within the operating budgets of many organizations; 3) managed security services providers have matured to a point where there is more flexibility, for example hybrid security providers that manage the SIEM on your floor, than existed previously.
Sign up for CIO Asia eNewsletters.