I recently read this interesting article by Robert C. Covington on the IT security talent shortage. He cites a telling statistic: virtually all companies (92 percent) that planned to hire information security professionals expected to have trouble doing so. Relief may be coming, as Covington believes there’s a wave of future security professionals entering college programs who will join the workforce in a few years. However, with the amount of daily due diligence needed to combat today’s security threats, organizations need a strategy to compensate for the talent shortage in the meantime.
Covington cautions against falling into the temptation of buying security tools that require multiple IT staff to manage. His point is that rather than improve security, they can actually compound the talent shortage problem. On the other hand, he does recommend investing in tools that can automate routine processes such as log monitoring. I think he makes an interesting point about what types of security tools to invest in, which I would like to explore further.
While the profile of security within healthcare is rapidly rising, security funding still has to compete with other health system initiatives for budget. This is why a compelling business case is typically needed to get approval to purchase new security applications. One of the strongest rationales for a new security tool is that it brings broader value to your IT organization on top of reducing your vulnerability profile. Security solutions that can increase the overall productivity of your team and free them up to take on other projects are worth a closer look. Automated log monitoring is one example of this, but there are others.
For example, some larger organizations are spending thousands of IT hours annually on manual provisioning and deprovisioning processes. Consolidations in the healthcare industry will continue to occur, and if your organization has gone through a merger or acquisition, you know what an enormous commitment of IT resources provisioning-related processes entail, given the quantity of applications in your portfolio. Manual provisioning and deprovisioning processes should also be a red flag for your security team because there are too many moving targets (i.e., shifting roles, new employees, non-employed clinicians) and too many applications to manage effectively through manual processes.
That’s just one example. Consider manual entitlement attestation processes. Do you think that inefficiencies in those processes could cause your organization some serious challenges in the event of an audit? They definitely can. Consider the investigation of potential threats related to improper access and the remediation of those threats. Do you think your organization would be better off being able to automate as much of those processes as possible to remediate threats faster? The answer is obviously yes. Did you know you could have those benefits while also freeing up chunks of IT and Security resource hours for other projects?
There’s a growing awareness that automating provisioning and identity management processes is a strong investment because it brings high value from both a security and an IT efficiency point of view. It also supports broader security governance programs and has synergies with existing investments in single sign-on solutions, which integrate into provisioning and identity management solutions. To learn more about how you can automate provisioning and identity management processes, you can download our whitepaper on the topic here.
 2015 Global Cybersecurity Status Report. ISACA. Published http://www.isaca.org/cyber/Documents/2015-Global-Cybersecurity-Status-Report-Data-Sheet_mkt_Eng_0115.pdf