Continuing on from my last post titled Security and Disruptive Innovation Part I: The Setup we're going to take the general examples of innovative technological industry disruptors in slide 3 and highlight some security-specific examples to bring the point a little closer to home.
In this case, we're going to reflect upon security practices, movements and methodologies and how disruptors, market pressures and technology are impacting what we do and how. The point of this is to discuss a framework of how to embrace and manage the process of evaluating emerging technologies and disruption and manage to it proactively.
13. Examples of Disruptive Innovation in Security
As we demonstrated previously in slide 3, the impact that disruptors in the right-hand column caused against those who enjoyed market dominance in the left-hand column was profound. In many cases, the incumbents never saw it coming.
Some of these shifts were incremental and some were radically game-changing. Some took quite a while to catch on, while others benefited from the viral "sneezers" (as Seth Godin is fond of saying).
Here we see a list on the left featuring established thought leadership, generally observed practices and methodologies and what some might describe as the status quo within the security industry.
The corresponding list on the right represents emerging disruptive innovation and technology. Most of you should be familiar with these issues. To some, they are merely background noise -- glacially eroding the landscape while the day-to-day priorities are dispatched -- while to others they represent pressing business concerns and abrasive friction, threatening the manner in which security programs are executed and competing for attention at every turn.
Let's take a look at each of these samples in more detail; the slides are just talking points, so I'll add color in the accompanying text. This will be split into a couple of posts.
14. The Outsourcing of Security
In my experience, outsourcing in general provokes a visceral response no matter which side of the fence one may choose to sit on. Pro or con, outsourcing of services is a matter of course in today's world.
Whether the motivation is taking cost out of the business, focusing on competencies, the transference of risk or improving operational efficiency, if you haven't felt some impact from the outsourcing movement already, you surely will at some point shortly.
If one starts poking around the notion of outsourcing "security" functions to resources outside of an InfoSec shop's internal corps, it's often bound to generate sparks.
In general, my observations have been that InfoSec staffers become incredibly defensive about the feasibility and perception of security when discussing outsourcing elements of a security program. Many of these arguments are instinctual and not business-driven but are autonomic and reflexive. It's really hard to let go of the fact that the value we purport to provide the business is, in many cases, becoming a feature set of a larger operational machine.
In many cases I have personally witnessed, the arguments against outsourcing security are supported with knee-jerk comments citing "possible exposure," "unacceptable risk," or "regulatory issues" but rarely have any hard data (read: quantifiable metrics) to back them up. Neither hope nor FUD is a very good strategy.
The reality is that in many cases, mature operational functions represent excellent opportunities for outsourcing. Many of these have capital and operating expenses that can be reduced or altogether eliminated and allow for the "security" team to focus on more important things.
Common examples of outsourced low-hanging fruit security functions today include:
- Managed firewall
- Managed Intrusion Detection/Prevention
- Vulnerability Assessment/Management
- Secure Messaging
Combined with operational models such as Software as a Service (SaaS), which we're going to talk about shortly, we're even seeing examples of outsourced application and code analysis, complete application outsourcing, etc.
Obviously this all comes down to the type of business you're in and the risk associated with letting some other party operationalize elements of your business processes, but it's happening in a big way and will continue to do so.
I've personally witnessed an example of Fortune 500 companies dissolving their entire operational administrative and security teams and selling their data center hard assets to a management services company. This company then leases back the management of the IT and Security operations as a service, allowing the security team to act as architects and focus on more pressing, relevant business issues instead of firefighting. They become much more strategic and integrated with the business.
The disruptive argument for outsourcing revolves around addressing the issue of spending time and money paying legions of administrators and security folk to perform tasks which are oftentimes not critical, do not add business value, and can be obtained elsewhere at competent levels of quality (or perhaps higher) that are also faster and cheaper.
How would you take the cost savings/avoidance benefits of outsourcing and describe how you might invest it elsewhere in your security spend to demonstrate better alignment to the business?
15. The Consumerization of IT
A good number of security professionals are also masterful consumers and collectors of toys of one kind or another. As aficionados of all things tech, you'll often find even the most conservative security wonks lining up to buy the latest kit with the newest features on release day.
Rationalizing why we might need to upgrade to a phone with video playback, camera, massive storage, WiFi, web browsing and open APIs is easy: flexibility, agility, efficiency, connectivity...it lets one do what one wants/needs/likes to do faster, better, easier, and cheaper, right? At least that's what we tell our wives ;)
In what can only be described as a case of clinical schizophrenia, the same iPhone-toting CISO might also be the first to rail against the introduction of these new technologies within the enterprise despite the exact same claims and justifications being made by the business.
New technology is often introduced into the organization and championed under the same banners of enhanced efficiency, agility or customer experience, and these initiatives are often critical elements that a business invests in so as to secure a competitive advantage over the competition.
Strangely, the business value for the adoption of many of these consumer-based technologies entering the enterprise (even if it's merely "good will") is oftentimes ignored and cast aside in the name of "security," with the overriding inflexibility chalked up to "implied" risk, undisclosed (invisible?) vulnerabilities and simply bad "juju" -- all grouped under the iron-clad containment of the almighty "security policy."
Now, there are also many very reasonable arguments that allowing employees to use consumer technologies within the enterprise is a difficult concept: support, confidentiality, privacy, regulatory requirements. There are valid issues to be dealt with, and it is really important that the business is aware of the impact of its decision to allow this sort of technology to be used.
There are two dirty little secrets that must be accounted for when discussing the consumerization of IT within the enterprise and your business constituents:
- It's not Security's place, birthright, charter or problem to be the judge, jury and executioner as to what is allowed or not allowed. It *is* Security's job to advise the business and allow them to make a (gasp!) business decision on the matter.
- They're doing it anyway and will continue to do so.
If a technology or innovation allows an employee who actually contributes to the bottom line to do his/her job better, more efficiently and at lower cost, and helps drive revenue that contributes to your budget (read: paycheck), why is this a bad thing!?
If you're doing your job, the business will take your advice seriously and will make a decision based on fact. They may decide that despite your advice, the technology or innovation is compelling enough to outweigh the potential risk. Other times they might not.
Either way, you've done your job.
Remember when WiFi first appeared? Most enterprises and their IT and Security teams vehemently attempted to prevent its use by policy citing the lack of business need and security concerns. There were certainly security issues that needed to be solved, but today WiFi has emerged as a disruptive technology that is indispensable as a tool. If you have remote employees, you are first-row-center observers as to how WiFi as a disruptive innovation has changed the landscape.
Many companies have these enormous virtualized and distributed workforces. To facilitate such a decentralized model, these companies are beginning to embrace a program that my company calls the "Digital Allowance."
Digital Allowance provides an annual stipend to employees to allow them to go out and purchase technology that they will use to do their jobs. They can use their home computers, their iPhones, etc. to do their jobs if it meets pertinent and reasonable requirements.
It is the job of the IT and Security teams to provide a safe and reasonably secure computing environment to allow employees to do their jobs without putting the company in harm's way.
This sort of program is taking off as companies realize that consumer, pro-sumer and enterprise technologies are colliding at a velocity of change that makes it difficult to distinguish between them, and the business benefits outweigh the downside. In fact, my company has a business consulting practice that teaches other companies how to put these programs in place.
Most security professionals curl up in a fetal position (as I first did, admittedly) when considering this sort of program. How are you dealing with the consumerization of IT within your company?
Up Next: Part III - The Examples Continue...