I was recently re-reading the Ponemon Institute’s ‘2012 Global Encryption Trends Study’, where they interviewed 4205 IT professionals worldwide to evaluate how organizations are handling encryption strategy these days, and one statistic really jumped out at me – only 14% of the respondents indicated that IT Security was responsible for driving the organization’s encryption strategy (IT Operations was #1 with 37%). Most security professionals tend to spend a lot of time and effort developing and maintaining their expertise around encryption technologies and solutions, and they are probably wondering if that investment is going to be worth it in the future. That’s not the only thing I’ve noticed – there are a lot of other trends that are starting to impact Security’s traditional roles and responsibilities:
– There’s been a significant shift in responsibilities around identity and access management; tools like RSA’s Identity Management and Governance (IM&G) have traditionally been targeted at IT Security teams, but in the majority of my customer interactions over the last 12 months I’ve noticed that it’s the IT Ops team that tends to be most interested in the tool, since they handle all identity and most access management requests.
– I’ve also noticed that in many instances LoBs and application owners are demanding that they control access rights to their own applications and data without having to go through IT Ops or Security.
– The migration of traditional IT to IT-as-a-Service (ITaaS) is having a significant impact – With the capability for any LoB or end-user to quickly request and stand up a new virtual server with the click of a button, and the migration to rapid application development capabilities like Agile, there are fewer extended project processes for IT Security to get plugged into to drive unique security requirements.
– The ability for LoBs to contract and manage their own IT services via public cloud offerings is in many cases cutting IT Security (as well as IT Ops) out of the loop entirely (usually referred to as ‘shadow’ or ‘stealth’ IT).
– The network team is taking over responsibility for configuring and managing tools like firewalls, VPNs and NIDS/NIPS.
– Vendors are (slowly) expanding the security capabilities and functionality built into their products, reducing the need to architect and implement extensive discrete security products.
So with all of these shifts in roles and responsibilities, where does IT Security fit in? In the future I see IT Security as having 2 distinct roles. The first is as an internal distributed consulting team – IT Security will provide personnel that will sit in the various IT and LoB groups to work with them to provide the expertise necessary to ensure solid and appropriate security is integrated into all of their projects and activities. The critical aspect of this is that the ‘local’ security resources be viewed as part of the team, supporting the team’s needs and goals, not as outsiders trying to impose what are frequently viewed as onerous requirements. These consultants will most likely still be matrix managed by a central Security management structure, and will take their overall guidance around policy and standards from that group.
The second security role will focus on a more traditional function, albeit somewhat expanded – Security Operations. IT Security will implement and manage a full-time security operations center (SOC) and incident response capability. The rapid growth in infrastructure complexity and distribution combined with the growing sophistication and capabilities of potential attackers will result in an almost perpetual state of compromise for even the most basic organization. The increasing dissolution of the artefact formerly known as the ‘perimeter’ will require expanding the collection of event log information across and outside of the on-premise infrastructure, increasing the volume of information that must be collected, analyzed and correlated against external intelligence. This will result in a much more rapid and frequent discovery of compromises, which in turn will necessitate an almost continuous response capability.
Cloud, big data, mobile devices, social networks and myriad other technologies are rapidly changing IT and, in many cases, the core organization itself. IT Security has an opportunity to redefine itself in the organization to better align with the reality of how business will function going forward.