1/28/2016
10:22 AM
Scott Montgomery

Why InfoSec Pros Should Keep A Close Eye On Cyber Efficiency

No organization will ever be impervious to breaches, but efficient organizations can lower their overall spend.

The intense demand for trained information security and privacy practitioners is reflective of the convergence of technology, productivity, and profitability. CIOs and CISOs that balk at enabling more mobile, cloud, and Internet of Things (IoT) tools not only find themselves in a cultural conflict, but as more and more devices become IP-enabled, reluctant security practitioners will also find themselves at odds with the business or mission of the organization.

For instance, Boston Consulting Group indicated that the remote cardiac monitoring market in the US alone would eclipse $1 billion in 2016, a specific example of the convergence between technology, productivity, and profitability. The ability for a doctor to remotely adjust a pacemaker without a patient visit or in an emergency situation has a profoundly positive impact on patient care. Information security and privacy practitioners simply must find a way to enable this kind of technology while encompassing the risk as best they can.

At the same time, there is a systemic personnel problem. There are simply far too few trained information security and privacy practitioners available to organizations; the baby boomer generation is taking decades of experience with it into retirement; and the prospects for replacing them are bleak. The 2015 (ISC)² Global Information Security Workforce Study estimates two global labor gaps: the gap between the existing workforce and what the respondents’ companies are funded to hire (600,000 workers), and the gap between the existing workforce and what those companies believe the need is (1 million further workers). As more devices become IP-enabled for the first time and need to be incorporated into an organization’s information security and privacy posture, the tax upon practitioners will become even more pronounced. Also, for the first time in the (ISC)² study, practitioners have become acutely aware that the premise that they’ve used for the last 20 years -- buy unique tools for each specific IS and privacy problem -- has created an unwieldy “sprawl in security technologies.”

All of these conditions -- demand, expanding IP footprint, convenience, cost reduction, and insufficient trained practitioners -- create an untenable competition between business or mission enablement and security. Evidence of this competition can be seen in the dramatic increase in time from breach detection to remediation. The (ISC)² study results show a troubling trend indicative of a workforce stretched by demand and sprawl, as indicated in the chart below:

It is for these reasons that dramatic improvements in both efficiency and efficacy should be the goal of any decision IS teams are considering. The ability to get to solid results quickly is the only way that teams can compete with the mathematical problems described above. Any decision regarding methodology, vendor, product, or service that doesn’t demonstrably increase efficiency and efficacy is a bad decision.

Organizations that invest in ensuring that their infrastructure becomes more streamlined, automated, interoperable, resilient, sprawl-reducing, and focused will stay ahead of the math and enjoy the most important results.

No organization will wind up impervious to breaches, but efficient organizations will lower their overall spend by consolidating the number of vendors, tools, and services they use; reduce their labor-hour costs by ensuring automated means of execution; reduce the number of events that operators and analysts need to respond to manually; and shrink the hours operators and analysts spend by reducing events requiring follow-up to fewer, more noteworthy events. The time between breach and detection and the time between detection and remediation will drop measurably, ensuring that breaches don’t have a material effect on the business or mission of an organization.

Over the next few weeks, I’ll explore several techniques that will allow organizations to improve their efficiency and efficacy and reduce the labor hours and per-hour costs associated with operations.

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that ...
Comments
HusseinB453,
User Rank: Apprentice
1/28/2016 | 3:46:25 PM
A refreshing and insightful perspective
I was delighted to find this article and the sentiment it conveys resonates with me. As an advocate of KnowIT aka 3IT (NoDev, NoOps and NoIT) Scott's assertion:

"Any decision regarding methodology, vendor, product, or service that doesn't demonstrably increase efficiency and efficacy is a bad decision"

Rings true and echoes the assertions of the NoIT and NoDev principles:

"Eliminate IT systems that demand the attention of humans" and "Only engage in development projects that unambiguously and unequivocally generate revenue for the business or enhance customer experience"

Decisions pertaining to Cyber Security must be held to the same principles. While it may be a stretch to say that poor Cyber Security spending can kill a business; burdensome administration, proliferation of manual processes and the introduction of disjointed IT systems can have a greater negative effect on the bottom line than the security threats they purport to mitigate.

There are emerging technologies that can make a great impact on increasing the ROI of Cyber Security and CISOs should seize the opportunity to leverage innovation to reduce costs and streamline the administrative processes they own.

I look forward to your future article on this subject. 

 