One in four servers at the average enterprise is not fully up to date with the latest security and software patches, according to INAP’s new survey, The State of IT Infrastructure Management. And that’s not all: A majority of IT pros believe that the time it takes their team to address critical patches and updates leaves their organization exposed to security risks, meaning that the 25 percent of servers that are unpatched aren’t being addressed as quickly as they should be.
Factor in that patching is but one of many activities required for a comprehensive, Defense in Depth approach to cybersecurity, and there’s good reason to be alarmed. With daily reported (and numerous unreported) data breaches and the ever-present danger of human error, the task of maintaining enterprise cybersecurity has clearly become an enormous responsibility—and far too important to neglect.
So why are routine security tasks not being taken care of? It’s certainly not because security isn’t top-of-mind for IT professionals. When asked about their No. 1 challenge leading into 2019, over a third (36 percent) identified “protecting the organization from cyberattacks.”
Perhaps the answer then is deceptively simple: Cybersecurity is difficult, and it’s time-consuming work on top of already-full plates. Let’s dig deeper into what that means for enterprise IT infrastructure management and more importantly, what organizations can do about it.
The Need for Greater Security and the Move Off-Prem
What’s driving IT infrastructure away from on-premise?
When asked about the primary reasons for moving on-premise infrastructure to colocation or the cloud, nearly four in 10 survey respondents cited the need to “improve infrastructure or data center security.” This answer makes a lot of sense when you consider the immediate physical security benefits of hosting or colocating in a state-of-the-art data center, including round-the-clock personnel and multiple layers of access checkpoints before anyone gets close to a cage.
But data center security only takes you so far. The overall success of a security strategy hinges on how infrastructure, networks and applications are designed and maintained. Regardless of platform, this begins with smart solution architecture and continues across all layers with robust user access control, as well as 24/7 monitoring and log management to quickly identify potential breaches.
To be as secure as possible, your infrastructure must be designed from the start with your particular applications and security needs in mind.
As companies widely adopt hybrid and multicloud strategies, many find that working with trusted partners is crucial to not letting a growing attack surface overwhelm internal resources.
The No. 1 Quality Most Needed in an Infrastructure Solution
Given the damage that data breaches inflict on both bottom lines and reputations, it’s no surprise that 37 percent of our survey respondents identified security as the No. 1 quality they look for in an infrastructure solution.
The No. 2 answer—ease of system monitoring and management—is closely linked to security, as well. In a piece for CSO, INAP SVP of Global Cloud Services Jennifer Curry spoke about the challenge of systems monitoring and management in the age of the multicloud.
“The traditional monitoring tools don’t work in these environments,” she said. “You don’t have access to the network. You don’t have access to the underlying infrastructure.”
While this makes the daily—and critical—work of maintaining and optimizing your infrastructure challenging, visibility is key to security, especially as the average enterprise now hosts workloads across multiple data centers and clouds and uses countless more SaaS services.
Without a single, high-level view into the health and status of all these systems, the challenge of managing security in-house will only grow.
Too Much and Not Enough: The Catch-22 of Infrastructure Security and IT’s Time
To recap: Enterprise IT infrastructure is not as secure as it should be, due in part to everyday vulnerabilities like unpatched servers and an ever-growing attack surface. IT professionals are both aware of and worried about their organizations’ vulnerability, so what’s the missing piece?
Like so many things, it’s all about time.
Our survey found that only 60 percent of respondents’ job responsibilities are directly related to infrastructure. But as we covered in a recent blog on IT’s time, how they spend it and what they think about it, eight in 10 survey respondents identified at least one server- or cloud-related infrastructure task they spend too much time on. Nearly the same number likewise identified a task they don’t spend enough time on.
Most compellingly, roughly the same share of respondents said they spend too much time on information security management (24 percent) as said they don’t spend enough time on it (22 percent). While this divide at first seems puzzling, it’s very likely that those who say they spend too much time on it aren’t saying that because they don’t think it’s important.
Rather, the issue may be whether they believe that it takes up an appropriate amount of time relative to IT pros’ desire to devote more time to value-added tasks—not just the fundamental responsibility of “keeping the lights on.” And it brings up a related question: In 2019 and beyond, are routine security tasks and checklists a good use of the IT function’s time, given the need for IT to drive digital transformation?
Enterprise Security and the Question of Resources
IT pros feel crunched for time, so much so that some feel they don’t have enough time to devote to what they identify as their top challenge and priority for the year. From all sides, they’re being asked to do more with fewer resources than they feel they need.
Case in point: When we asked what one thing they wish their CEO knew, many respondents specifically mentioned feeling under-resourced to ensure enterprise security.
“I wish my CEO knew how much time, energy and especially money it takes to run a secure infrastructure,” one said.
For many organizations, adding more security-focused IT headcount is not a true option, no matter how much the function may need it. So what can IT do?
One straightforward way is to work with an IT service partner, who can use their resources to take care of the routine security tasks falling through the cracks, while also giving IT much-needed breathing room to do the work that matters: the value-added work of digital transformation and innovation.