IT departments’ war to keep their assets safe resembles one of those alien-fighting video games, where new assailants keep swarming the bunker and you have to carefully -- but quickly -- choose your weapon.  

But the number of threats, and the tools to combat them, are only part of IT departments’ problems. According to a Forrester Consulting study recently commissioned by IBM, 63% of companies have understaffed IT departments, and slightly more than half cannot find employees with the right skills to keep the intruders out. recently spoke with IBM Enterprise Security Executive Davis Puzas about that company’s view of the battle.

“There’s a new threat every single day,” Puzas said, adding that “it’s vastly different from just a few years ago.”

He noted that IT departments “used to be reactive” to threats, but now -- given the amount of data being communicated, the rapidly morphing kinds of threats, the widespread use of clouds and social media, and the number and kinds of devices being used -- they “have to be pro-active.”

Puzas pointed out that “you can’t just sit there and react -- you have to leapfrog in front of the threats.” CIOs are looking for a “better view” of their battleground, he said, and they are looking “to become more intelligent.”

Editor's Note: Read Next Generation Security, Protecting the Cloud and Mobile Devices


Mobile Security Experts ‘Just Not Available’

The Forrester study found that 68% of the surveyed 2400 North American and European enterprise decision makers had “little time for proactive and preventative projects due to existing responsibilities.”

Tools can help a company be pro-active, Puzas pointed out, but the intelligence arises from the people who implement them. “We find that many organizations are struggling to find the skills to take this on,” he said, and security professionals with the needed skills are now in heavy demand and “expensive to find, while budgets are tight.”

As one example, Puzas pointed to experts in mobile security, the most urgent battlefront for many IT departments. “They’re often just not available,” he said.

The Forrester study pointed out that “information security teams exist in an environment where ‘no’ is the wrong answer, yet the existing responsibilities absorb all of their time (68%) and new resources are hard to find (53%).” Given these conditions, the study said “consideration of security-as-a-service appears a clear and reasonable response.”


A 2011 report by Frost & Sullivan found similar evidence of the skills gap. It said that while half of its respondents reported having private clouds in place and 40 percent were using software-as-a-service, over 70 percent of professionals said new skills were needed to properly secure cloud-based technologies.

These kinds of stats, of course, represent continuing opportunities for IBM, given their strengths in security-oriented professional services and their managed services.

The Forrester report said that expectations for security-as-a-service include better quality control, faster delivery, very focused skills, delivery over a longer period of time and, of course, a lower cost.

Forrester defines security-as-a-service in broad terms -- a service that is hosted by a third party, billed on a pay-per-use model, or delivered based on multi-tenant architecture.

The research firm found that the most popular areas for security-as-a-service are email filtering, used by 42 percent of respondents, network firewall monitoring or management (33 percent), and web content filtering (31 percent). Vulnerability assessment, message archiving, host event log monitoring or management, and end point security were all in the 20 percent range, while identity and access management, regulatory compliance, application security, and distributed denial of service protection were in the teens.

‘More with Less’

But security-as-a-service has its own issues. Forty-six percent of the respondents in the Forrester study said that the expected workload reduction was not realized from outside services, and 43 percent said that “significant customization was required.” Forty-one percent said that vendors did not meet their service level agreements.

Other issues, reported by about a third or more of respondents, included complaints that escalated alerts were not accurate or detailed enough to allow proactive response, the expense of the service outweighed its value, the output was incompatible with key systems, coverage was incomplete, performance or supplied filters were inadequate, or reporting and metrics were unsuitable.

A key driver of the demand for outside services has been the “more with less” mantra that IT departments have had drilled into them throughout the era of rising threats and lowered budgets. But even when budgets return to normal, IBM’s Puzas said there will still be “a need for consulting services” to satisfy IT departments’ security needs, because of a combination of trends that are only increasing.

‘Sheer Sophistication’ of Attacks

These trends include the boom in the use of massive amounts of data, the proliferation of devices and device types, access and use of email and social media, and what Puzas called “the sheer sophistication” of each new wave of attacks.

To maintain security in all of these areas, but especially the last one, Puzas said that it takes “a tremendous amount of research to keep clients ahead of the threats” -- another reason, he said, that outside consulting services will continue to be in demand.

Those consulting services, such as IBM’s, compete with IT departments for the best talent, driving up prices and diminishing the HR pool. To help seed the pond, IBM is supporting a CyberSecurity Innovation Program at a variety of universities, which provides assistance in building security-related curricula.

Title image courtesy of DM7 (Shutterstock)