If your time to you is worth savin’
Then you better start swimmin’ or you’ll sink like a stone
For the times they are a-changin’
It’s pretty unlikely Bob Dylan was talking about IT security with his 1964 classic, but things are definitely changing in the field. CompTIA’s 2015 IT Industry Outlook predicted that companies would be discovering new approaches to security this year, and our Trends in Information Security study shows how this new mindset is starting to take hold.
In general, the defining characteristic of modern security is the expanded breadth involved in securing an organization’s assets. The traditional view of a secure perimeter has been eroding for some time, but many companies still struggle to understand the full range of actions they should be taking now. In fact, CompTIA’s IT Security Community spent a lot of time discussing these areas of risk and opportunity at AMM.
Aside from new additions to the technology toolbox like DLP and IAM, here are three areas where security requires different tactics.
New Starting Points
Many security conversations might start by emphasizing the importance of security and describing the many breaches taking place. However, most companies don’t dispute this point. Eighty-four percent of companies in CompTIA’s survey feel that security has a higher priority today than it did two years ago, and 85 percent expect security to be a higher priority in two years than it is today. However, most firms also feel that they are taking the right steps — 82 percent say that their current security is mostly or completely satisfactory.
Instead of starting with the importance of security and trying to put up a good defense in a vacuum, businesses should look at their IT operations and take appropriate action. Changing IT operations are cited by nearly half of all firms as a driver for changing their security approach. With cloud and mobility experiencing extremely high adoption, the number of firms changing IT operations is certainly much higher, suggesting a huge gap between current IT practices and current security postures.
New Training Options
The primary cause of security breaches is human error, and companies are now sharing specific examples of this behavior. As workers push more aggressively into new technology, they are more likely to make mistakes since security expertise is low.
The simple answer is to provide training, but that turns out not to be simple in practice. Many companies don’t focus on education as a core competency, and many security training packages don’t include methods for measuring success. With success in security usually characterized by the absence of a breach, measuring security has always been difficult. However, the most advanced companies are exploring new training approaches that are measurable, practical, and focused on a wide range of scenarios.
New Partnering Opportunities
One direct consequence of security’s expanded scope is that it becomes much more difficult for a single team to cover all the bases. At an enterprise level, a CISO can have a team of people with different specialties to provide comprehensive coverage. This is not the case for SMBs, though. These companies tend to either have small internal IT teams or work with smaller solution providers. Either way, knowing everything that is happening in cybersecurity is a major challenge.
For channel firms, focusing solely on security and becoming a managed security solutions provider (MSSP) is certainly an option. However, a more likely scenario is that channel firms will find new ways to collaborate. A given company may choose to focus on one piece of IT and understand the security implications around that piece, then work with other companies to provide the full range of security options for a client. Likewise, those client companies that have been handling security internally up to this point may start looking for outside help in areas that they don’t understand as well.
No company wants to be the next security headline, but the fact that so many of these headlines are caused by routine security missteps shows that the current methods need to be overhauled. As businesses become more reliant on digital tools and data, best practices in cybersecurity will evolve to better protect assets, ensure continuity and preserve reputation.
Seth Robinson is CompTIA’s senior director of technology analysis.