Follow me on this, your security team includes non-security people

David Nathans, CISO at large U.S. defense contractor

Over the last few years, security professionals have seen their tool sets grow at an amazing pace.

The modern cyber threat and increasing skills of the adversary have demanded that defensive systems designed to protect our networks be quickly deployed and professionally configured to prevent what seems like an almost inevitable breach. We call for new budget dollars to make capital purchases. And we fight for existing budget to maintain what we already have.

Yet it never seems like enough. But as we add tools to defend our networks, we also need to maintain, manage, and monitor their outputs. 

It is common to hear the three-legged stool anecdote of “people, process, and technology,” but very often the people part is forgotten, neglected, unfunded or passed over to save on budget. So we are left to believe we should be happy with the approved capital to purchase new tools.

I am sure this is not the case everywhere, and some organizations employ more than enough people to do a particular job. (By the way, I am available for hire). 

The end result I am depicting here is very common in most organizations. What you are ultimately left with is a security team armed with arguably the right tools, but nobody to truly harness their full potential. Additionally, other than in some of the largest organizations, the security department will typically lack its own project management team. To participate in or perform the proper implementation of a new tool, it will be forced to take resources away from the daily care and feeding of existing tools that need management, maintenance or monitoring, and thin teams become even thinner.

All too often this scenario occurs because security walls itself off for various reasons, such as trying to be protected from budget cuts or arguments around who owns the security function and where security should report inside an organization.

To security professionals, none of this really matters at the end of the day as long as they can protect the company for which they work. So to do that, the security professional needs to expand their organization, break down the walls and build a fully qualified and functioning team that goes beyond the security perimeter.

Annex your resources from the entire organization. This goes beyond security awareness training: make people an extension of your team. When developing policies or new security programs, engage your business by bringing people together from many different areas of your company. Train them on how to help you and how to be a part of the solution, but listen to them and learn about them as well.

It is not always about bits and bytes and the latest zero-day. It's about how we interact with people and technology. Allow IT teams to get involved in your security processes and tools, let them help guide you and let them use the tools you have.

For example, don't just provide security metrics, but also give people access to your metrics tools. You have to weave the security fabric into all of IT. It's no longer about intrusion detection or prevention. It's about network architecture, patching, DNS, proxies, among many other things.

But most importantly it's about people. Get out into your organization's community and see how security can positively affect them and learn what you can do to help enable the business. Then, these people will help enable you.

As security professionals, we need to constantly think about how we can expand beyond our immediate resources and educate everyone around us on what they can do to be a part of the security team.
