Who is responsible for secure remote access management?

The COVID-19 pandemic put a spotlight on enterprise technology professionals, especially security professionals, and the resiliency of cybersecurity processes, tools and technologies. For the most part, they passed with flying colors. However, many companies have yet to scrutinize how cybersecurity teams are organized and how they should be organized. Specifically, which group is responsible for managing secure remote access? And, if it's possible to determine, which group should be managing secure remote access?

Nemertes asked these questions -- in a slightly different form -- in our "Beyond SASE" cybersecurity research study released in May. We included 157 participants from the U.S. and Canada and drilled into a host of operational and technology areas, focused specifically around Secure Access Service Edge (SASE) and its adjacent technologies, including software-defined perimeter (SDP).

We asked, among other things, who selects, implements and operates these technology areas. We also defined a success metric we call SIPI, or serious incident per incident, as the percentage of security incidents that are serious, where serious is defined as having an impact on employees, customers or business operations or requiring alerting external parties, e.g., law enforcement. Those with the lowest SIPIs -- the fewest serious incidents per security incident -- are considered the most successful.

We selected the 21% of companies with SIPIs of 2% or less as the "success group." Then, we looked at what the successful companies -- again, by the SIPI metric -- are doing that differs from what less successful companies are doing.

Secure remote access is a capability rather than a technology, so we didn't examine it directly. Instead, we looked at the technologies that enable secure remote access. In the technologies we studied, SASE and SDP are most typically used to enable secure remote access.

Cybersecurity teams lead the way

The results are intriguing. With both SASE and SDP, for participants overall, cybersecurity teams are the most common teams cited by participants to select, build and manage these technologies. Note that we asked participants to select all teams that were involved in each function. The majority of participants reported a mix of teams -- rather than a single team -- so the percentages don't necessarily add up to 100%. See Figures 1 and 2.

However, when we compared the success group to all others, we found significant differences between successful companies and those not in the success group.

Specifically, for SDP, within the success group, the team most commonly cited by participants as involved in managing SDP was the cloud team; the cloud team was 25% more likely to be selected by successful organizations. For all others -- those not in the success group -- the endpoint management team was most common.