Conventional wisdom dictates that an increase in cybersecurity threats requires ever-larger IT security teams.

Gartner fellow and research vice president Tom Scholtz says it’s time to think differently.

Speaking ahead of his track on security and risk at the Gartner Symposium/ITxpo in Cape Town this September, Scholtz says: “Digital business has changed the risk landscape permanently. Even in the unlikely case that there are no resource constraints, scaling up a centralised cybersecurity function as more and more threats emerge isn’t necessarily the best way to protect organisations.”

He says those considering a different approach must observe the principles of digital business security:

* Evolve security teams from being protectors of all infrastructure and data into facilitators of risk-based decisions throughout the organisation.

* Fully integrate security practices into the fabric of the organisation, rather than bolting them on and enforcing them through a centralised security function.

* Share accountability for protecting enterprise resources with business process, application and data owners – no longer is the security team solely responsible.

“These principles run contrary to the idea of building an ever-growing security team to cope with the ever-growing list of threats,” says Scholtz. “Many routine security functions can, in fact, be performed as well, if not better, by other IT or business functions.”

He urges organisations to assess their current security team’s effectiveness with a view to identifying functions or capabilities (such as user awareness communication) that can be devolved elsewhere in the business or IT department. Determine which functions are working well, and therefore should not be disrupted, and which are performing sub-optimally or perhaps not at all.

Next, they should identify the root causes of security problems. Are current staff overloaded? Are there political or cultural barriers between business units? Are there scaling issues? Functions that are problematic for such reasons may be candidates for devolution.

If there is no dedicated security organisation, which means that both IT and non-IT staff currently perform all security functions, the main problems are likely to be due to a lack of co-ordination. Such a situation indicates potential for establishing a lean governance function.

Based on these assessments, organisations should identify alternative locations in the business or IT department for security functions that are under resourced or performing sub-optimally. Alternatives should possess the capacity, resources, political clout and business incentives to support the relocated functions. Another possibility is to outsource them to a managed service provider.

Many traditional security practices for endpoints and networks could find a new home with professionals in the IT infrastructure and operations team. Application security functions could relocate to application development and DevOps teams.

“This approach can potentially result in the design of a ‘lean’ security organisation where a dedicated security leader manages centralised coordination of key governance and operational activities,” says Scholtz.

A lean approach to digital security can alleviate the skills shortage in the cybersecurity field. It can also help build a broad understanding of security matters throughout an organisation. This is entirely appropriate, given that all employees should understand and be able to manage the security implications of their jobs.

Moving security decisions closer to the business units affected can also help drive more informed decision-making, based on a better understanding of the underlying processes and business impacts, Scholtz says.

A key disadvantage, however, could be that fragmenting the security role and security responsibilities across different reporting lines may disrupt coordination, especially in geographically dispersed organisations. But Scholtz adds that “clear direction, strong governance and effective program management should be enough to keep this risk under control and help realise the benefits of a lean security organisation”.