Despite great progress over the past few years, the overall cyber security market is far from mature and needs a general resetting of expectations between enterprises and service providers to adapt to emerging threats.
HfS Research recently released its Blueprint on trust-enabled security services (HfS Blueprint Report: Trust-as-a-Service 2015 and Provider, Provider on the wall, who’s delivering Trust for Digital?). During the development of this Blueprint, we conducted research with a variety of industry stakeholders, including technology vendors, security service providers, cyber “insurance” firms, and, of course, enterprise users. Here are six key observations about the state of the cyber security market. They touch on different trends and issues affecting providers of security and Managed Security Services as well as enterprises looking to better protect, and leverage, their digital assets.
- Managed security is generally 1.x: Enterprise buyers are still coping with (and occasionally asking for) traditional security systems. Despite the push to implement new and advanced cyber security technology and techniques, many enterprises are still asking for (and receiving) relatively vanilla security services that are primarily designed to handle the threats of 24+ months ago. While incremental improvement continues to work its way into the system, there is still a way to go to achieve Security 2.0, including rethinking the way we evaluate the maturity of security implementations.
- Security needs a new champion: The issues presented by cyber criminals, coupled with an increasingly digital, and extended, ecosystem now touch the enterprise outside of the organization of the CISO (chief information security officer). Security is increasingly viewed as an enabler of trust that directly impacts business with clients, partners and suppliers. Discussions of and investments in Security, Trust and Risk all require leadership at the executive, board, and investor levels.
- The innovation disconnect: While security innovations are announced regularly, they rarely make their way to the mass enterprise in a timely manner. Even more telling, and in line with our Security 1.x observation, while enterprises like to evaluate vendors that are innovators, enterprises are generally more comfortable deploying tried and true practices. Maintaining leading security means adopting innovative technologies and processes much more aggressively.
- Security can’t get no satisfaction: Security professionals who are “satisfied” with their defenses are living an illusion. Unless you disconnect, unplug, and physically seal your assets, there will always be a way to breach a system. Enterprises need to continually evolve their technology, their security services, and their business practices, recognizing that digital and physical breaches will occur.
- There is no perimeter in the ecosystem: Total perimeter protection is a myth. The enterprise ecosystem today is rich, diverse and full of threats. From employees to partners and consumers, we live in an extended, and layered, environment of “fluid perimeters” that must be addressed holistically across all stakeholders. Technology alone cannot protect the ecosystem; it also requires communication, coordination, and collaboration, as well as a vetting of security policies, processes and technologies between ecosystem partners.
- Security is a few cards short of a deck: Addressing security is like playing a game of poker knowing only a few of the cards – new issues appear with every draw, and you never know what the other side is holding. Technologies like IoT and physical access/control are the new wildcards: Expect regular surprises when you least expect them.
There are no easy solutions to achieving digital security, but we are optimistic that enterprises can achieve a higher level of security maturity even as they get better business leverage from their digital assets.
We recommend enterprises:
- Ensure they implement a solid infrastructure that can address the core “technology” issues (threat awareness, identity and access management, firewalls, malware detection, etc.).
- Press service providers to develop security services contracts that encourage adaptation and the addition of new technology and processes.
- Evaluate risk not only in terms of data “at risk” but also in terms of “corporate behavior and partnerships” that place the organization at risk.
- Elevate the issues of digital security, consumer (and partner) trust, and risk management/mitigation to the executive and board levels.