Network Security Challenges in the Enterprise

ESG recently published a new research report titled, Network Security Trends in the Era of Cloud and Mobile Computing (note: I am an ESG employee). In this project, ESG surveyed 397 IT security professionals working at enterprise organizations (i.e. more than 1,000 employees) and asked a multitude of questions about their current and future network security policies, practices, and technologies.

Here is a list of the top 5 network security challenges at enterprise organizations:

• 39% of organizations say that, “IT initiatives are being adopted without the proper network security oversight or controls in place.” Sound familiar? I’ve had lots of CISOs tell me about this very problem, especially around mobile computing. Sounds like an opportunity for Bradford Networks, Cisco, and ForeScout. The Trusted Computing Group (TCG) may also have a play here.
• 31% of organizations say that, “network security policies and controls are not cohesive as they must be implemented across many different security and networking technologies.” In other words, network security is addressed with network devices when it should be applied to network flows. This leads to network complexity and many, many associated challenges.
• 28% of organizations say they are challenged by, “too many overlapping controls and processes tend to cause trouble.” When the networking and security teams are subnetting, VLANing, firewalling, and applying ACLs to network devices, there’s bound to be a lot of redundancy and wasted resources. I get the need for layered defenses, but there must be a better way to isolate network traffic. SDN? NFV? Cisco ACI? VMware NSX? Something is needed.
• 27% of organizations say that the, “security staff is too busy responding to alerts/events and not enough time with training, planning, or network security strategy.” This points to the global cybersecurity skills shortage that I’ve been screaming about for years (in other ESG research, 25% of organizations said that they have a “problematic shortage” of IT security skills). With too much work and too little staff, CISOs need network security technologies that can help them work smarter, not harder.
• 26% of organizations are challenged by, “security policies that are too complex and can’t be enforced with the current network security processes and controls.” Everyone talks about “contextual security” where network access is governed by user identity, device identity, location, time-of-day, etc. The problem is that this requires central management, common data, data exchange, and technology integration. Alas, these things haven’t happened yet in many enterprises.
• Summarizing this list presents a scary scenario. While business units are doing their own IT projects, the security team is hampered by mismatched policies, tactical technologies, and an overburdened staff. Not a very good recipe for success.