Will Security Teams Lose Relevance in the Age of Decentralized IT?

As I discussed in “Decentralized IT Clouds the Security Team’s Ability to Spot Risks,” 74% of IT decision-makers in the U.S. and Canada reported that their organization has successfully decentralized its IT structure. With more business-technology decisions being made outside the IT department than ever, will security teams lose their ability to help guide technology decisions and, therefore, lose their relevance and ability to reduce risk?

“To remain relevant in the long term, organizations need to act today to ensure they know what technology their organization is using, including the applications procured outside of IT. Assess how that technology is managed and train every employee in the role they play in safeguarding their business,” advised Rob Price, principal solutions consultant at Snow Software.

“Times have changed, and security has to insert themselves into the conversations and procurement rather than waiting to be consulted,” added Greg Young, vice president of cybersecurity and corporate development at Trend Micro. “Push for visibility, plan for responses and negotiate to work in more sensors and blocking technologies where you can,” he said.

“With an increase in shadow IT and decentralization in some organizations, it is really up to the central security operations center and chief information security officer—and, hopefully, they still have those—to remain relevant through their actions,” Young added.

And to remain relevant through actions, Martin Nystrom, VP of security development for Lumen Technologies, added that security teams must provide contextual security expertise and facilitate the necessary risks of business growth with security technology that will mitigate risk with minimal friction. “Foundational security services that enable security incident response, compliance and protections enable business leaders to use trusted solutions rapidly to solve their problems,” Nystrom said.

He recommended paying close attention to the following technical controls:

  • Catching SaaS and IaaS purchases at the procurement office, and routing purchases to approved cloud solutions.
  • Embedding security controls into approved SaaS and IaaS offers and ensuring those controls are protected and monitored.
  • Using API integration to rapidly adapt purchases into existing security protection and event monitoring.
  • Deploying comprehensive attack surface management tools, including inside-out and outside-in visibility, to spot shadow IT deployments and abandoned applications/services.
  • Gathering visibility and gaps into board-language risk assessments and regularly briefing the board of directors about known risks to bring rogue deployments into compliance.
  • Leveraging threat intelligence to stay atop threats targeted at one’s business. A mature security team with a grasp of known bad actors and their tactics, techniques and procedures (TTPs) will know how to spot and respond to attacks across the attack surface.

Jim Burger, director of trust and security at Octopus Deploy, said teams must collaborate more closely with various business units. “The key is partnering with other teams to find ways to support and anticipate their needs, particularly around good decision-making, risk and cost management, training and problem detection. At times, this will mean having security team members working directly with other teams as consultants,” he said.

“There is still a lot of value that can be added to conversations to ensure that security is not an afterthought. Applying a risk-based and maturity-level approach can also help other leaders walk the path with you and understand your perspective as a security professional,” added Burger.

Ultimately, most agree that while how the security team engages with the organization may change, security as a whole will always remain relevant.

“Security teams will always be relevant as a trusted pillar within organizations. You can’t be an expert in everything, so you will always need people who are savvy in security to ensure organizations stay one step ahead,” said Danielle Deibler, co-founder at Quad9. Deibler advised teams to hone skills like relationship building and to deepen their understanding of communication skills in a dynamic, interdisciplinary environment. “That means security teams should focus on their visibility and accessibility in the organization. Their relevance will flow from setting and meeting expectations with users and showing empathy for what the end user is experiencing,” she said.

Doug Saylors, partner and co-lead of cybersecurity with global technology research and advisory firm ISG, agreed. “Security teams will remain relevant for quite some time. Adversaries are not going away. They are better funded every year and have tools and technologies as good as, if not better, than their targets,” he said.

And once there is a breach, things change quickly and organizations often pivot their strategies. “I’ve seen more large organizations move to a centralized IT after an attack than becoming more decentralized,” added Young.