In my last blog post, we talked about the “why” of security, and managed security as a trust business. In the marketing function, we get to see the whole range of NTT Security’s operations, and listen to direct feedback from the market and our clients.
Here are some additional impressions from the past three months:
Clients want to know what the game plan is – multiple steps down the road. A security or business leader tasked with ensuring the integrity of their operation wants to know the long-term view on where threats will emerge, and how to get ahead of the curve. In a recent call with a manufacturing company CISO, the entire conversation focused on our mid- and long-term roadmap for imminent issues like securing Operational Technology (OT). When clients are dealing with legacy infrastructure that falls outside of conventional IT platforms and monitoring, for example building management equipment, there’s a challenge in managing it through a traditional Security Operations Center. For a unique take on this issue, please refer to our security challenge blog post.
The resourcing challenge
The skills shortage is real. According to the US Bureau of Labor Statistics, unemployment in the IT industry was 1.9% in April 2018, down from 3% a year earlier. Conditions are even tighter in the security space specifically. In the case of one company in the nutrition industry, the director of security commented that time is their critical resource when running security operations with a limited team. For the organization, it’s all about “time to evaluate new and better technology, to continue to mature the cybersecurity program; basically, spend time on innovation rather than operations.”
All business is global
There are no domestic companies. Even if a business sells exclusively within the US, or is a mid-sized enterprise, almost everyone has a supply chain that touches the rest of the world (for NTT Security’s view on software supply chain risks, see our August Threat Intelligence Report). Take the example of one client in the data storage and recovery industry. It operates globally, including many countries where infrastructure is weak and legal underpinnings for business are still a work in progress. It needs to ensure that it is minimizing the possibility of data exfiltration and reputational risk, wherever it does business.
Context is king
It’s all about context when deciding what we need to protect and the appropriate balance among security, operational freedom, and cost. A great example, delivered by a former federal security leader at a recent conference: the question “what time is lunch” has far different security implications at a corporate office in the suburbs than at a military base in hostile territory. The sensitivity of that same information, and the investment and policy requirements to meet that standard, are vastly different in these two cases. It’s critical for security specialists to understand the industry or governmental function that we are supporting, and the unique nature of its operations.