Consumerization: The specific impact that consumer-originated technologies can have on enterprises. – Gartner
More and more, enterprises are coming to understand that they need to adopt the agile processes and product strategies of startups in order to compete in today’s markets. But there is a parallel problem in enterprise security that is not being addressed. And simply tweaking your internal processes won’t solve this problem. A different approach is needed.
We read the stories every day. The number and severity of security attacks keep growing. More and more businesses are being breached more and more often — and it’s happening in major cities, too. For example, this past December in New Orleans, the city told employees to “power down computers, unplug devices, and disconnect from Wi-Fi” after a cyberattack struck the city’s computers. Although 911 emergency services were not affected, the police department also shut down its entire IT network.
We see governments, organizations and enterprises all struggling with cyberattacks. And, disturbingly, they are increasingly failing to keep up with attackers.
The fact is, agile processes and improved efficiency won’t solve the growing security problem. Nor will throwing more personnel at it. That’s basically what businesses are doing, and it is not working. Businesses are falling behind the attackers. Something has to change.
What is needed is a new way of thinking about security.
When you get millions of alerts, and you respond by looking for more trained techs to troubleshoot the alerts, you’re pursuing a strategy that doesn’t work. For one thing, you won’t find the talent. For another, the strategy doesn’t scale. As you add security tools and staff, you multiply the complexity of your security operation. What you need to do is reduce the complexity.
It’s helpful to step back and ask, “What would a desirable, effective security solution look like?” I suggest that it should be as easy as using an iPhone app.
“Hold on,” you say. “The IT market is not like the consumer market. There are different challenges, different expectations, different skills required.” And that’s all true. But that’s just a description of the challenges to be faced.
Consider the security and privacy challenges in the consumer space. Consumer products have to be easy to use, or they won’t sell — particularly for a problem that is invisible to the consumer most of the time (until it bites you). Tools should be easy enough for consumers to use and powerful enough to give them ownership of their privacy and security. That’s hard to achieve, but consumer software development is all about empowering users without overwhelming them with complexity.
And that has to be the goal in the enterprise as well. Just as it is easy for a consumer to use an app, it should be easy for a company to protect itself and maintain good cybersecurity with fewer staff and less specialized training. That should be the target.
We call this goal the democratization, or consumerization, of cybersecurity. And it is the right goal. It’s also very difficult. Writing cybersecurity products that are as simple and easy to use as consumer products is so difficult that no one has been up to the task.
It’s very easy to generate a new security tool that handles lots and lots of alerts. But making it simple so that you only address real threats, and so easy that it doesn’t require extensive training, is what we’re talking about when we refer to the consumerization of IT security. And it’s hard.
It reminds me of the famous saying by French mathematician Blaise Pascal, which is often attributed to Mark Twain: “I would have written a shorter letter, but I did not have the time.” Simple is hard.
But it can be done. We know what consumer-grade tools look like. And we know what cybersecurity challenges businesses face. The task before us as an industry is to fit these two things together. It will require greater attention to user interface design and highly automated threat detection.
The consumerization of IT security — consumer-grade ease of use, plus enterprise security expertise — can meet the cybersecurity challenges of today.