IT Sourcing Needs a Cybersecurity Mandate If They Don’t ‘WannaCry’
An evil cyber force reared its ugly head (yet again) to launch an unprecedented ransomware pandemic in mid-May 2017. The severity of the cyberattack – 10,000 organizations and 200,000 individuals were impacted in over 150 countries, causing billions in financial losses – was a staggering demonstration of how under-prepared enterprise IT security teams are to tackle cybersecurity issues. Considering the attack mostly targeted systems that were running on older versions of Windows (Windows XP, which has long been retired, with no security patches released since April 2014), it also serves as a timely reminder for IT procurement to take a more proactive approach when it comes to managing information security spend and setting up timely upgrades of operating systems.
As Paul Virilio famously said, “The invention of the ship was also the invention of the shipwreck.” The massive wave around internet and mobility technologies has lent itself to an ever-expanding online footprint for enterprises, and this has exponentially increased the risk of exposure to cyber-attacks. Here are some telling statistics from the previous year that reinforce this point:
- In a matter of a single quarter (Q3 2016), 18 million new malware samples were captured, an average of 200,000 per day (Source: Panda Labs)
- More than 4,000 ransomware attacks have taken place per day since the beginning of 2016 – that is a 300% increase over 2015; between January and September 2016, ransomware attacks on businesses increased from once every 120 seconds to once every 40 seconds (Source: CCIPS and Kaspersky)
- Phishing emails continue to grow as attack vectors for ransomware – the share of phishing emails containing a form of ransomware grew to 97.25% during Q3 2016, up from 92% in Q1 2016 (Source: PhishMe 2016 Q3 Malware Review)
Facts on the enterprise perspective in the aftermath of such rampant cyber-attacks paint a grim picture:
- 52% of enterprises that suffered successful cyber-attacks in 2016 are likely to not attempt any course correction in their security plans in 2017; making a winning business case for increased budget still seems to be a humongous task for many (Source: Barkly)
- 45% of organizations that suffered an attack last year expect their cybersecurity budgets to stay the same; 7% of such enterprises expect their budgets to decline (Source: Barkly)
These are telling signs of a lack of seriousness that results in unstructured enterprise approaches towards cybersecurity. With little doubt, the enterprise statistics will change in the wake of the ‘WannaCry’ event. Enterprises’ dependence on such cataclysmic events to push awareness and adoption levels up is concerning and certainly needs to change. Standard & Poor’s recent announcement about considering a firm’s cyber resilience capabilities in their credit rating, with the warning that firms with poor cyber resiliency features are likely to be downgraded in ratings, is likely to give a positive thrust to the adoption levels.
So, What Is Cyber Resiliency? And How Do Enterprises Become Cyber Resilient?
Cyber resiliency is a reflection of an organization’s ability to identify, prevent, detect and thwart process and technology failures (triggered through online sources), and protect against financial and reputational harm. In the present-day scenario, building cyber resiliency should focus on managing three different risks: IT, business and financial. The stakes for businesses are extremely high across these different risk variants and yet most risk aversion approaches are inefficient and crippled. Here are the factors that continue to counterbalance the enterprises’ approach towards cyber resiliency:
The ownership of the information security portfolio spans multiple stakeholders and includes Chief Information Security Officers (CISOs), Chief Risk Officers (CROs), Chief Information Officers (CIOs) and Product/Service line heads with no clear distinction of accountabilities. The proverb “Too many cooks spoil the broth” perfectly applies to this situation. Insufficient business involvement and treatment of cybersecurity as a technology issue are major bottlenecks.
- Talent Scarcity
Availability of talent to act on cybersecurity mandates has been a concern. Clearly, security skill sets haven’t kept pace with the rapidly evolving threat landscape. Hiring skill sets specific to data analytics, application security and mobility, and expertise in cloud and virtual architectures has proved to be challenging.
Advisory to IT Sourcing Leadership
The hodgepodge surrounding ownership of the cybersecurity mandate also presents a golden opportunity for IT sourcing leadership to move the needle on cybersecurity outsourcing issues. Here are some recommendations to IT procurement when it comes to sourcing cybersecurity:
- Cybersecurity Spending
The current benchmarks for IT cybersecurity spending across enterprises hover between 6% and 7% of the overall IT spend portfolio. This includes the combined spend that enterprises devote to sourcing security appliances, software and services. Identity and access management and network security hog about 60% of this overall security budget. IT sourcing leaders are advised to factor in the aforementioned industry benchmarks before assigning a magic spend figure to the portfolio. Security strategies and spend cannot simply be aimed at keeping the lights on (by meeting compliance and regulatory mandates). Sourcing should closely align with CISOs to segment spend that is dedicated to compliance objectives from spend that needs to be channeled into preempting ‘never seen before’ cyber challenges such as ‘WannaCry.’
- Sourcing Models
Given the highly regulated nature of certain industries and the portfolio, an outsourcing-only approach is highly unfeasible. As a rule of thumb, sourcing managers are advised to retain governance-related security functions (which involve enforcing security policies, standards and procedures and ensuring compliance) in-house. Outsourcing is a viable option for operations-related security functions (e.g., application security, identity and access management, firewall management, network management, vulnerability scanning, etc.). It is also prudent for sourcing managers to conduct due diligence on available talent and outsource stacks where in-house talent is lacking (and where it may seem difficult to source talent in the client’s specific region/geography). Do consider onboarding a Managed Security Services Provider (MSSP) when your specific organization faces constraints in building out Security Operations Centers (SOCs) and the necessary backbone for real-time monitoring. MSSPs, by virtue of economies of scale, are best suited to situations where organizations struggle to invest sizably for high-capability and very technical requirements.
- Spend Rationalization
Cutting back cybersecurity budgets simply cannot be an option, given the present-day scenario. Sourcing managers must look to optimize spend while not compromising on their current security levels. While vendor consolidation and rejigging contract length seem to be absolute no-brainers that can rake in savings in the range of 3-7%, sourcing managers should also consider virtualizing security functions (potential savings generation of 15-30% in OPEX) and transitioning from on-premises to managed security services (10-15% over staff augmentation models). Sourcing managers will also have the option of considering software-defined security architectures (SDSec) in the near future. SDSec is yet to build momentum in terms of large-scale commercial adoption. However, software-defined approaches in network architectures (SDN, SD-WAN) have already proved to be effective tools in terms of raking in additional savings.
Given the increased scale of cyber-attacks and the damages that enterprises have had to incur, it is about time that IT sourcing leadership considers having a specialized category manager for the security portfolio. Enterprises (with the exception of large BFSI organizations) need to rectify their approach of clubbing security with the broader software portfolio. The dedicated security category manager should work closely with the CISO across the three above-mentioned areas, keeping close tabs on the numerous regulations (PCI DSS, Sarbanes-Oxley, HIPAA, NIST, ISO 27001, etc.) and ensuring zero tolerance towards compliance-related issues, further sharpening the sourcing strategy, and readying a roadmap for adoption of upcoming applications and/or platforms (viz., cognitive security platforms, breach detection platforms, hunt operations platforms, crowd security intelligence platforms, etc.) to drive operational excellence in the category.
About the Author
Budhaditya Banerjee (Budha) has close to a decade’s experience as an IT subject matter expert. He currently leads GEP’s IT advisory business, which involves handholding CIOs and IT category leaders on an array of complex sourcing and category management issues. Budha is a trusted voice with his clients on issues relating to legacy and disruptive IT offerings.