As digital innovation and remote work push networks toward intensifying levels of complexity, IT infrastructure leaders (most frequent titles include VP of IT infrastructure and VP of IT infrastructure and operations) assume greater cybersecurity responsibilities. Security is no longer simply the responsibility of a dedicated team of security experts, but rather a shared responsibility that spans different functions, and the linkages between the VP of IT infrastructure and cybersecurity are growing. This finding comes from a recent report on the IT infrastructure leader and cybersecurity, “The IT Infrastructure Leader and Cybersecurity: A Report on Current Priorities and Challenges.”
While IT infrastructure leaders are expected to build security into their different IT infrastructure components, they often lack the internal structures or metrics for success to accurately evaluate efforts. One of the takeaways from the report is that the remnants of traditional organizational silos still impede efficiencies and increase vulnerabilities. In this world of shared security responsibilities, CISOs need to understand how IT infrastructure leaders and their teams are measured and in what ways cybersecurity feeds into those measurements. These insights and others are included in the aforementioned report. What follows is a deeper dive into the key takeaways for CISOs.
IT infrastructure leaders have always found themselves at the center of a complicated organizational wheel, responsible for the business efficiency of multiple enterprise stakeholders. The challenges of ensuring fast, reliable access across an enterprise network have always been formidable. But as digital innovation increases the speed and sprawl of networks, IT infrastructure leaders are finding themselves in a state of near-constant iteration and improvement to remain effective and viable.
The result of digital innovation is increasingly vast IT networks, and operational technology (OT) networks as well, with data and applications residing in multiple clouds, network traffic being pushed to the network edge at branches and remote offices, and an explosion of Internet-of-Things (IoT) devices that offer threat actors countless low-security access points. As complexity restricts visibility and expands the attack surface, threat actors deploy faster and more sophisticated attacks.
In response, IT infrastructure leaders must leverage the power of integration and the speed of automation. Yet most organizations struggle to do so, often throwing point security solutions at new and evolved areas of the attack surface to cover vulnerabilities, which results in complex, siloed security architectures that are time-consuming and difficult to manage.
Figure 1: IT infrastructure leaders’ confidence in their organization’s cybersecurity posture.
With the above in mind, the IT infrastructure leader becomes a critical constituent for the CISO. The following insights are useful for the CISO to understand when it comes to the IT infrastructure leader and cybersecurity:
IT infrastructure leaders struggle to manage relentless hyper-connectivity that is exacerbated by internal silos—and cybersecurity ranks as an important priority for them. Per the Fortinet study, 94 percent of them indicate they spend more than one-quarter of their time on security-related issues; over half estimate upwards of 50 percent of their time is expended on security matters. As many IT infrastructure leaders are peers to the CISO, most often reporting to the CEO or CIO (almost three-quarters of the time), achieving a clear understanding of roles and responsibilities—from who is the decision-maker or approver to who is simply a contributor or to be informed—is important for a successful working relationship between the two personas.
Cross-functional collaboration between IT infrastructure leaders and other departmental C-suite leaders, as well as the CEO and board of directors, is increasingly important wherever IT and OT decisions are critical business enablers, including at the line-of-business level. These interconnections demand cybersecurity measurements, which must be made in concert with the CISO.
IT infrastructure leaders believe in the importance of developing and reporting clearly defined cybersecurity-related metrics—from network uptime, to faster time to market for DevOps, vulnerabilities found and remediated, and security infrastructure total cost of ownership (TCO), among others. Yet, research reveals a significant gap—more work is needed. For example, fewer than half of organizations indicate they measure tangible risk management outcomes, vulnerabilities found and blocked, and productivity gains from security measures. Further, only half of respondents measure intrusions detected and remediated, and only small majorities measure the cost and financial implications of security programs. This means that while IT infrastructure leaders are accountable for security success, they do not have access to the indices that allow them to accurately assess or course correct—much less the internal structures or resources to address issues.
Figure 2: Cybersecurity measurements tracked and reported at IT infrastructure leaders’ organizations
Likely driven by the above factors, only 43 percent of IT infrastructure leaders in the Fortinet study say they feel confident in their ability to protect against both known and unknown threats. They specifically cite too many manual processes as a factor limiting their ability to thwart zero-day attacks.
Regardless of how IT infrastructure leaders feel about their security alignment and abilities, the increasing rate of successful attacks reveals a clearer picture. Most IT infrastructure leaders have experienced multiple intrusions in the past 12 months, and these have had a tangible impact. Only 12 percent have not had any intrusions in the past year. More than half—57 percent—reported that at least one intrusion impacted employee productivity. More than one-third experienced intrusions that impacted brand awareness, data loss, revenue, and even physical safety.
Figure 3: Number and type of intrusions in the past 12 months, and their impact on the organization.
Many IT infrastructure leaders view their organizations as leaders in digital transformation, even while struggling with security integration. For example, more than half of survey respondents identify their organizations as early movers in digital transformation, claiming extensive cloud, IoT, and mobile adoption, with more than one-third indicating they are in the process of embracing digital transformation. Only six percent say they have not yet started down the path of digital transformation.
Yet, at a time when digital transformation demands a security-first approach to integration, IT infrastructure leaders are less confident when it comes to their security architecture. While performance impediment is still the most commonly cited security issue that IT leaders face, a lack of essential end-to-end integration is now a close second. Here, fewer than 10 percent of respondents report they have an end-to-end, integrated security solution, while more than half struggle to integrate disparate security solutions, which makes full integration difficult to obtain and maintain.
A deeper dive into the report’s findings reveals that 35 percent of respondents manage siloed point products, an architectural encumbrance that creates more manual work for IT infrastructure and security teams. In addition to stretching overburdened teams, a situation exacerbated by the cybersecurity skills shortage, this ratchets up risk by creating new vulnerabilities that can be exploited at machine speed by growing numbers of bad cyber actors. Remediating these issues requires a new security architecture and further technology investments. However, this is a challenge for over half of IT infrastructure leaders, who reported no budget increase last year. And for nearly one-quarter of respondents who saw their security budgets slashed last year, this is an even bigger challenge to overcome.
While the increased rates of attack success experienced by IT infrastructure leaders are cause for serious concern, the 12 percent of those who had no successful intrusions offer a valuable path forward for the remaining majority of organizations. Separating that 12 percent from the 26 percent who report more than six intrusions in the same time frame identifies the top-tier and bottom-tier respondents. And by comparing and contrasting these two groups, we were able to isolate the best practices that improve risk posture and drive efficiencies.
Perhaps no other factor is more critical to cybersecurity than an end-to-end, integrated security solution. While only nine percent of overall respondents had an integrated solution, those companies within the top tier were 419 percent more likely to have an end-to-end security infrastructure than those in the bottom tier. Integration is an issue across the entire security infrastructure. For example, top-tier IT infrastructure leaders with a software-defined wide-area network (SD-WAN) were 23 percent more likely to have it integrated into the broader network for full visibility than those who lack integration.
Figure 4: Security issues in the top three according to IT infrastructure leaders
Though measurement and assessment of intrusions is thought to be a standard practice by many, only half of respondents report doing so. The report’s findings support the practice: top-tier IT infrastructure leaders are nearly twice as likely to do it. They also are more likely to keep security top of mind at all levels, particularly at the C-suite and board of directors. For example, top-tier IT infrastructure leaders report regular discussion of cybersecurity issues at every board meeting.
DevSecOps is becoming a bigger priority for the CISO (7 out of 10 said in a study conducted last year that they would be responsible for DevSecOps this year), and the same seems true for IT infrastructure leaders. This is especially true for top-tier IT infrastructure leaders, who are 30 percent more likely to have DevSecOps in their list of top three metrics for performance review than their peers.
Top-tier IT infrastructure leaders are 21 percent more likely to have seen a cybersecurity budget increase in the past year. The fact that a majority of respondents did not see a cybersecurity budget increase for 2019 runs counter to what other personas report. This may be an indication that IT infrastructure leaders lack the insights and tools to demonstrate the business impact of security investments. A good starting point is the Fortinet report itself, where top-tier IT infrastructure leaders were 21 percent more likely to have seen a cybersecurity budget increase.
The threat landscape is becoming increasingly difficult to combat, whether the result of speed, volume, or sophistication. Use of artificial intelligence (AI) and machine learning (ML) in threat intelligence and various security tools such as sandboxing plays a key role. They help IT infrastructure teams and their counterparts in security to keep pace with the ever-evolving threat landscape. They also help them to shrink windows to detection, prevention, and even remediation. Here, identifying unknown threats and zero-day attacks is increasingly important. This is an area where security infrastructure investments are having a positive impact: 21 percent of top-tier IT infrastructure leaders are more confident in their ability to protect against unknown threats. Further, only 43 percent of all IT infrastructure leaders express confidence when it comes to protecting and defending their organizations against unknown threats and zero-day attacks.
CISOs inhabit a dynamic business environment that consists of numerous stakeholders. Critical partners such as the IT infrastructure leader are a vital linchpin in their organization’s efforts to protect critical systems and data from malicious cyberattacks. By better understanding the cybersecurity trends and challenges facing the IT infrastructure leader, CISOs can forge deeper and tighter alliances that improve the overall risk posture while increasing efficiencies.
At the same time, gaps between the IT infrastructure and cybersecurity teams can have the opposite effect—driving up risk while incurring inefficiencies. Collaborative communications and projects between the two teams are a requisite for organizations seeking to achieve status as top-tier cybersecurity leaders. And it starts with the IT infrastructure leader and CISO.