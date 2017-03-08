In many organizations, the Security Department is often known as the “Department of No.” Being perceived as a business blocker, especially when it’s not your fault, is unfair. Unfortunately, security teams are in the unenviable position of having to protect businesses while facing significant blockers of their own. Some of the reasons why they are so severely hampered are:

A security architecture that is dominated by a seemingly unending list of on-premise hardware appliance products.

Large, expensive deployments that are very complex with no guarantee of success.

A lack of integrations across products from different vendors and a limited view of context related to security events.

Legacy products that no longer deliver value but are deeply embedded in existing workflows.

Clearly a new model of security is needed, one that will transform security into the “Department of Yes” but without requiring them to compromise on protecting the business.

I believe that model is where security is a utility. But before getting into what that means, allow me to digress into the importance of utilities.

Utilities such as clean water and uninterrupted electricity and gas are such an expected part of our lives that most of us probably don’t think of the profound impact that they have. Consider water. 1 in 9 people worldwide do not have access to safe and clean drinking water. Lack of access to clean water perpetuates the cycle of poverty: a lifetime of walking for water which translates into missing out on education and less time to grow more food; poor health; and increased disease.

Not having to think about these basic utilities allows us to focus on more valuable activities. For example, a World Bank report shows that rural electrification greatly increases the quality of life (e.g., lighting alone provides increased study study time and extended hours for small businesses, power for televisions provides entertainment and information).

Security that’s available as ubiquitously as a utility will have a tremendous positive impact on enterprise security. If your security team doesn’t have to focus their efforts on deploying products or getting point products to work together or any of the multitude of mundane tasks that get in the way of them being the Department of Yes, guess what else they can do? Ensure that the business is better protected. It’s a well known fact that there aren’t enough skilled professionals to fill current cybersecurity job openings: there are 1 million unfilled jobs now, a number that’s expected to grow to 1.5 million by 2020. Many factors, including pay and type of work, play into attracting and retaining security talent. So with all else being equal, it is in an organization’s best interest to keep their security teams engaged with higher value, more meaningful work.

You may be wondering what are the defining features of security as a utility. In my opinion, here are the most important ones.

1. It must always be on. You turn on a faucet and, as you expect, water flows out. Security as a utility must be not different. If you want to monitor, detect or prevent, you should be able to without giving any thought what needs to be done to make it happen.

2. It must be available on demand. As seasons change from summer to winter, the gas used by the furnace that heats your house will increase without you having to worry about where the additional gas will come from. Security as a utility must be no different. You should be able to use as little or as much need, without having to think about how to source additional resources.

3. It must be accessible anywhere. You expect to use electricity anywhere in your house, not just near where the electric main comes in. Similarly, security as a utility must be available anywhere and not not just limited to the enterprise perimeter, which is often the limitation with traditional appliance-based security products.

4. It must work with what you already have. It would be incredibly inconvenient if you had to purchase multiple different kinds of electricity in order to make all your household appliances work. Things are no different within the enterprise as you’ve probably already made a variety of technology purchases (e.g., endpoint protection, ticketing systems). Security as a utility must work with them so that you can get the most from your existing investments.

5. It must have a memory. This is where the analogy with breaks down but that doesn’t diminish the importance of this feature. Multi-stage attacks are becoming the norm. Security that only evaluates the present using available intel misses the opportunity to find attacks that happened in the past as new intel becomes available. There are benefits to evaluating the past for threats. Multi-stage attacks gestate over long periods, so by finding them in the early stages of the kill chain you can mitigate their impact. And knowing what happened in the past enables you to be better prepared for similar attacks that may occur in the future.

Security as a utility that can provide these features will be a game changer. The perception of the Security Department as the Department of No will be a distant, fading memory. Instead, security teams will be viewed as partners for safely enabling the growth of the business.