Fast, good, and cheap. Or: Time, resources and budget.
The Project Management Triangle. The Iron Triangle. The Triple Constraint. There are many names for the program management challenge of balancing three constraints, but it all comes down to this: you can’t have all three.
- You can do something fast and high quality, but it won’t be cheap
- You can do something good and cheap, but it won’t be fast
- You can do something cheap and fast, but it won’t be high quality
Chief Information Security Officers (CISOs) are in a constant struggle to balance multiple constraints in their efforts to create and implement effective cybersecurity programs. How do we move faster than attackers? How do we use our budget better to simplify our security? How do we enable our people perform effectively and improve our security outcomes?
For CISOs, it can sometimes seem like they are waging a losing battle against attackers who are moving faster than ever and data breaches and exfiltration that happen within minutes. Security teams are inundated with security alerts – and, according to the recent Cisco Annual Cybersecurity Report (ACR), over 40% of those alerts are never investigated. Security products are getting better at finding anomalies and reporting on suspicious behavior, but organizations cannot move fast enough to keep up with the information coming in.
In spite of increasing threats, security budgets remain stable, with 51% of survey respondents citing spending is based on the previous years’ budget. The top factor for increasing budget spend on security was a previous breach, with 47% responding that security breaches drive increased investment in security technologies and solutions. It seems that organizations are waiting on the inevitable. CISOs and security managers must find unique ways to utilize their current budget for new technologies and services, without adding complexity to their already over-burdened staff.
A majority of respondents cite budget restraints as the greatest obstacle they encounter in managing security. However, over the last three years, we have seen that number decline around 5%, while lack of trained personnel has grown 5% as the top cited obstacle.
The talent shortage will grow to 3.5million by 2021, according to a June 2017 CSO online article. We may see that the pressure on “good” starts to outweigh the pressure on “cheap” in the next few years. Even with flat budgets, we’re seeing companies start to invest in their people and processes to help them maintain a secure environment.
With all of these obstacles, we also find a growing trend in how organizations manage their security resources. According to the Cisco Annual Cybersecurity Report, outsourcing monitoring services grew from 42% in 2014 to 49% in 2017; security consulting services increased from 51% to 54%; and Incident Response services from 45% to 47%. IT and security leaders are realizing they cannot hire enough “eyes on glass” to meet today’s demanding security environment, and are turning to outside sources to find best practices for their security programs and processes, and to help to identify efficiencies in their complex systems.
Security has always been a collective community, and a “go it alone” approach is practically impossible in today’s environment. At Cisco, we recognize the challenges you face as you seek to balance security and risk against the triple constraints of time, resources and budget. Our experienced Security Services professionals are available to help you:
Arm yourself with more information about the current security environment in the Cisco 2018 Annual Cybersecurity Report, and consider engaging with our Security Services experts.
Whatever the program or project constraints are for you and your security environment, we can help you achieve the right balance so that you can successfully achieve your desired outcomes. Our experts ensure you have the technology and expertise you need to secure your environment and help you get the most from your cybersecurity program and technology investments.