According to Gartner, "Through 2022, 80% of organizations (up from 30% in 2018) will undergo some change in their security organization structure as a direct result of digitalization."
We believe Gartner’s report, Security Organization Dynamics*, establishes its exigence immediately with this sobering prediction, setting forth the problem statement to which the rest of the piece is a proposed answer.
The report includes a series of example security organizational strategies, from centralized, through federated and lean, and into specialized structural recommendations for small- and mid-sized businesses and those needing to account for cyber-physical security requirements.
However, in the process of presenting their examples and evidence, and making recommendations for consideration, the authors offer some deeper observations about security overall.
Avoid the Comparison Trap
One of the core tenets – and cautions – that we feel Gartner’s authors establish is that security cannot be "one size fits all."
According to Gartner, "There is no single, universally accepted organizational model for security — there are too many factors that influence the design of an optimal team."
Organizational risk profiles, security stances and threat landscapes will differ, simply because no two organizations are created alike. This rule can apply to different business lines within the same company, or even to the same company at different points in its lifespan. One of the most important things to keep in mind, whether reorganizing or not, is that what works for one organization won’t necessarily work for all.
The Cyber Skills Gap Is Still a (Growing) Thing
The shadow of the growing cyber skills shortage necessarily envelops every security conversation, and we feel the authors of Security Organization Dynamics* have rightfully used it as the backdrop for their recommendations.
According to Gartner, "Persistent security skills shortages have forced security leaders to explore new ways of obtaining and managing security capabilities."
With more than 3.5 million unfilled cyber security positions forecasted by 2021, security teams are finding themselves increasingly short-staffed and missing critical capabilities needed to defend against today’s increasingly industrious and well-resourced attackers.
This means teams may need to find ways to organize "around" missing or hard-to-find skills and experience, without forcing the kinds of trade-offs that can potentially weaken any organizational strategy from the outset.
Per Gartner, "Don’t Try to Do It All"
The authors’ suggested principles for designing a security organization include a warning to avoid trying to be a one-stop shop for all security needs.
According to Gartner, "Few, if any, enterprises can afford to perform all security functions in-house. Consider selective outsourcing of functions, especially those that are operationalized or ad hoc."
Each organization will need to look inward first and determine the true need for hiring or outsourcing critical but inconsistently needed skillsets such as malware reverse engineers, threat hunters, intelligence specialists and vulnerability researchers.
Conclusion: Flexibility Is Paramount
These three themes – understanding your own changing needs, keeping the big picture in mind, and making smart internal and external investments – all seem to point to one necessity for any security strategy, organizational design or business decision: flexibility.
Despite the best-laid plans, the ingenuity and resourcefulness of today’s cyber threat actors mean that security teams of all compositions, maturity levels and staffing levels must be able to adjust as needed and call on a diverse set of common and uncommon cyber security capabilities to head off attackers and stay ahead of the latest threats.
FireEye has integrated exactly this kind of flexibility into its Expertise On Demand offering. Regardless of the type, size or composition of a security organization, FireEye can provide the on-demand intelligence, investigations and capability improvement these teams need to stay ahead of and thwart today’s increasingly flexible and capable adversaries.
Read Gartner’s Security Organization Dynamics* report today, and start planning your security team’s future.
*Gartner, Security Organization Dynamics, 7 May 2019, Tom Scholtz, Sam Olyaei