A version of this article originally appeared in Forbes on February 12, 2020.
Consumerization: The specific impact that consumer-originated technologies can have on enterprises. (Gartner)
More and more, enterprises are coming to understand that they need to adopt the agile processes and product strategies of startups in order to compete in today’s markets. But there is a parallel problem in enterprise security that is not being addressed. Simply tweaking your internal processes won’t solve this problem: A different approach is needed.
We read the stories every day. The number and severity of cyberattacks keep growing. More and more businesses are being breached more and more often—and it's happening in schools, hospitals and clinics, and major cities, too.
For example, in December 2019, the city of New Orleans told employees to "power down computers, unplug devices, and disconnect from Wi-Fi" after a cyberattack struck its computers. Although 911 emergency services were not affected, the police department had to shut down its entire IT network.
Increasingly, we see governments, organizations, and enterprises struggling to keep up with cyberattacks. And, disturbingly, they are increasingly failing to stop them.
The fact is, agile processes and improved efficiency won’t solve the growing security problem. Nor will throwing more personnel at it. That’s what organizations are attempting now, and it's not working. Businesses are falling behind the attackers. Something has to change.
What is needed is a new way of thinking about security.
When you get millions of alerts, and you respond by looking for more trained technicians to troubleshoot the alerts, you’re pursuing a faulty strategy. For one, you won’t find the talent. For another, the strategy doesn’t scale. As you add security tools and staff, you multiply the complexity of your security operation. What you need is to reduce the complexity.
It’s helpful to step back and ask, "What would a desirable, effective security solution look like?" I suggest that it should be as intuitive as using an iPhone app.
"Hold on," you say. "The IT market is not like the consumer market. There are different problems to solve, unique expectations to meet, and technical skillsets required to operate." And that’s all true. But that’s just a description of the challenges inherent in the old model of security thinking.
Consider the security and privacy challenges in the consumer space. Consumer products have to be easy to use, or they won’t sell—particularly for a problem that is mostly invisible to the consumer (until it bites them). Security tools need to be easy enough for consumers to use, yet powerful enough to give them ownership of their privacy and security. That’s hard to achieve, but consumer software development is all about empowering users without overwhelming them with complexity.
And that has to be the goal in the enterprise as well. It should be just as easy for a company to protect itself and have a strong cybersecurity posture as it is for a consumer to use an app. Organizations should strive for top protection across workstations, servers, and devices using fewer staff members who require specialized training. That should be the target of enterprise security solutions.
We call this goal the democratization, or consumerization, of cybersecurity. It's the right goal in today's market. It’s also quite difficult. To write robust cybersecurity products that provide organizations with comprehensive coverage and are as simple to use as consumer technology is so difficult that no one has been up to the task.
It’s easy to generate a new security tool that handles lots and lots of alerts. But making it prioritize threats so that you only address real dangers while simplifying the user interface so that it doesn’t require extensive training—that's the hard part. And that's what we’re talking about when we refer to the consumerization of IT security.
It reminds me of the famous saying by French mathematician Blaise Pascal, which is often attributed to Mark Twain: "I would have written a shorter letter, but I did not have the time." Simple is hard.
But it can be done. We know what consumer-grade tools look like. And we know what cybersecurity challenges businesses face. The task before us as an industry is to fit these two puzzle pieces together. It will require greater attention to user interface design and highly automated threat detection. It will call for combining technical excellence with human intuition. But it can be done.
The consumerization of IT security—consumer-grade ease of use, plus enterprise security expertise—can meet the cybersecurity challenges of today.