The Complexity Gap

By: Josh Mayfield | 6/10/2019

It’s no secret – the demand for trained, experienced cybersecurity professionals far exceeds supply. Enterprise Strategy Group (ESG) has been one of several organizations tracking the cybersecurity skills shortage and they have been sounding an alarm for many years. While a few tactical programs have attempted to address this shortfall, most view them more as lip service rather than a real solution.

Alarmingly, the situation appears to be getting much worse — as positions get filled with inadequately trained personnel or don’t get filled at all and the IT environment gets more complex, we increasingly experience a ‘complexity gap.’

Rise of Security Controls

As manpower dwindles, the threat landscape is rapidly expanding. IT environments today have an overwhelming number of distributed devices and a worldwide mobile workforce. Device resilience now requires exponentially more effort. Why? Because every control, app, and agent depends upon the same hardware and software resources on a device. They are in a zero-sum competition: some controls feast while others starve.

Read: 2019 Endpoint Security Trends Report

Consider how labor-intensive it is to see, control, respond to, and secure endpoints. The metrics involve IT and IT security staff, users, devices, and the growing number of controls within those devices. Each of these considerations come together in what can be called, “Device Hygiene Care.” Namely: what must be accounted for to keep devices secure and operating effectively? As the graph illustrates, ensuring that endpoints have sufficient hygiene has become increasingly difficult as device distribution grows and the skills shortage worsens.

In 2000, the value for Device Hygiene Care (C) was 2. IT resources were 2x higher than the level of effort required for device hygiene. In short, IT and IT security teams once had bandwidth: there weren’t too many controls, devices, or data distributed among worldwide users. Today, bandwidth is a thing of the past for nearly all IT and IT security groups. Personnel resources would have to be multiplied 12x (C-12) to have adequate coverage to achieve device resilience.

Widening Divide of Tools and People

Dealing with rising IT complexity risk is no easy task. Add to that the growing divide between IT complexity management and the personnel resources to support it and you get what I call the “Complexity Gap.” The graph below shows how the rise of more controls and devices is dramatically outpacing the staff needed to manage them all.


Where does this lead? According to ESG, 63% of IT professionals admit that the staff/skills shortage in their organization has had negative impact to security operations. Additionally, 40% stated that their cybersecurity team is too small and cannot keep up with the work demanded by the business, “the biggest contributor to security incidents.”

Growing Insecurity

The skills shortage and the complexity gap feed on each other and this leads to negative outcomes like data breaches, data integrity and compliance failures, criminal prosecution, limited value from existing tools, and delays to respond to the business’s needs.

When no one is minding the control switches, breaches happen.

For more information on the complexity gap, watch the video below. While you’re at it, subscribe to our full Cybersecurity Insights video series on YouTube.


Video Transcript

Hello! Josh here from Absolute. Today’s IT environments are brimming with complexity, let’s see what we can do about it.

Today, IT complexity is just part of the game.

This tangled web has turned endpoint resilience into a riddle. But how did that happen?

No more than 10 years ago – securing devices was straightforward; there were fewer agents, all sharing a device home without too much drama. Those days are long gone...

Now, device resilience requires 12 times the effort. Why? Because every control, app, and agent depends on hardware and software resources. They are in a zero-sum competition: some feast while others starve.

This agent friction leads to some startling results:

  • At any given time, 28% of antivirus/antimalware agents fail.
  • 42% of encryption agents go to an early grave.
  • an era where patching is already a struggle, 1-in-5 patching agents break every month.

Oh, and when patching agents — like Tanium, SCCM, AirWatch, Ivanti — do fail, they are repeat offenders, with more than 5 failures every month.

The maniacal pursuit to stuff endpoints with controls, apps, and agents creates new breeds of risk. Spending more on security tools does not make us safer; it increases exposure.

So, IT complexity expands attack surface. Risks are hidden. And the garrison meant to keep us safe are tumbling into one another and shattering at every moment.

Unless we PERSIST them, apps, and agents die. With failures as predictable as a clock.

Risk is not a's a feature of IT complexity.

To be RESILIENT, we must first admit much of the trouble is self-inflicted. Endpoints have become a knife fight in a phone booth filled with agents duking it out for survival. When they collide the friction causes failure, so, we must regenerate them, bring them back to life. This is persistence.

And when the time comes to demonstrate, prove, and validate our security posture, we can be audit-ready, and close the complexity gap, with ceaseless visibility and control.

Remember to like, subscribe, and share (oh, and comments below are always a good way to keep the conversation going).

I’ll see you next time!


Financial Services