By Tom Scholtz, Gartner Inc.
Increasing cybersecurity threats mean most security and risk management leaders are growing their IT security teams. Hiring qualified and seasoned cybersecurity professionals has become increasingly difficult. Now is the perfect time to think differently and consider a “lean” approach to staffing, which can help alleviate this employment challenge.
Digital business has changed the risk landscape permanently. Even in the unlikely case that there are no resource constraints, scaling up a centralized cybersecurity function as more and more threats emerge isn’t necessarily the best way to protect organizations.
Those considering a different approach must observe the principles of digital business security:
- Evolve security teams from being protectors of all infrastructure and data into facilitators of risk-based decisions throughout the organization.
- Fully integrate security practices into the fabric of the organization, rather than bolting them on and enforcing them through a centralized security function.
- Share accountability for protecting enterprise resources with business process, application and data owners — no longer is the security team solely responsible.
These principles run contrary to the idea of building an ever-growing security team to cope with the ever-growing list of threats. Realistically, many routine security functions can be performed as well, if not better, by other IT or business functions.
Identify security functions that can be devolved elsewhere
Assess your current security team’s effectiveness with a view to identifying functions or capabilities (such as user awareness communication) that can be devolved elsewhere in the business or IT department. Determine which functions are working well, and therefore should not be disrupted, and which are performing in a suboptimal capacity or perhaps not at all.
The next step is to identify the root causes of security problems. Are current staff overburdened? Do political or cultural barriers between business units exist? Are there scaling issues? Functions that are problematic for such reasons may be candidates for devolution.
If there is no dedicated security organization, which means that both IT and non-IT staff currently perform all security functions, the main problems are likely to be due to a lack of coordination. Such a situation indicates potential for establishing a lean governance function.
Find a new home for poorly performing security functions
Based on your assessments, identify alternative locations in the business or IT department for security functions that are unresourced, underresourced or performing suboptimally. Alternatives should possess the capacity, resources, political clout and business incentives to support the relocated functions. Another possibility is to outsource them to a managed service provider.
Many traditional security practices for endpoints and networks could find a new home with professionals in the IT infrastructure and operations team. Application security functions could relocate to application development and DevOps teams.
This approach can potentially result in the design of a “lean” security organization where a dedicated security leader manages centralized coordination of key governance and operational activities.
Pros and cons of the lean approach
Benefits come with taking a lean approach to digital security. For example, your business can circumvent the skills shortage in the cybersecurity field. Such an approach can also help build a broad understanding of security matters throughout an organization. This is entirely appropriate, given that all employees should understand and be able to manage the security implications of their jobs.
Moving security decisions closer to the business units affected can also help drive more informed decision-making, based on a better understanding of the underlying processes and business impacts.
A key disadvantage, however, could be that fragmenting the security role and security responsibilities across different reporting lines may disrupt coordination, especially in geographically dispersed organizations. Clear direction, strong governance and effective program management should be enough to keep this risk under control and help realize the benefits of a lean security organization.
Tom Scholtz is a research vice president and Gartner Fellow. He is also the chief of research for Security and Risk Management. He advises clients on security management strategies and trends, and is an acknowledged authority on information security governance, security strategy, security organizational dynamics, and security management processes.