Follow me on this, your security team includes non-security people
David Nathans, CISO at large U.S. defense contractor
Over the last few years, security professionals have seen their tool sets grow at an amazing pace.
The modern cyber threat and increasing skills of the adversary have demanded that defensive systems designed to protect our networks be quickly deployed and professionally configured to prevent what seems like an almost inevitable breach. We call for new budget dollars to make capital purchases. And we fight for existing budget to maintain what we already have.
Yet it never seems like enough. And as we add tools to defend our networks, we also need to maintain, manage, and monitor their outputs.
It is common to hear the three-legged stool analogy of “people, process, and technology,” but very often the people leg is forgotten, neglected, unfunded or passed over to save on budget. So we are left to believe we should be happy with the approved capital to purchase new tools.
I am sure this is not the case everywhere, and some organizations employ more than enough people to do a particular job. (By the way, I am available for hire).
The end result I am depicting here is common in most organizations. What you are ultimately left with is a security team armed with arguably the right tools, but nobody to truly harness their full potential. Additionally, other than in some of the largest organizations, the security department will typically lack its own project management team. To participate in or perform the proper implementation of a new tool, it will be forced to take resources away from the daily care and feeding of the existing tools that need management, maintenance or monitoring, and thin teams become even thinner.
All too often this scenario occurs because security walls itself off for various reasons, such as trying to be protected from budget cuts, or arguments around who owns the security function and where security should report inside an organization.
To security professionals, none of this really matters at the end of the day as long as they can protect the company for which they work. So to do that, the security professional needs to expand their organization, break down the walls and build a fully qualified and functioning team that goes beyond the security perimeter.
Annex your resources from the entire organization. This goes beyond security awareness training: make people an extension of your team. When developing policies or new security programs, engage your business by bringing people together from many different areas of your company. Train them on how to help you and how to be a part of the solution, but listen to them and learn about them as well.
It is not always about bits and bytes and the latest zero-day. It's about how we interact with people and technology. Allow IT teams to get involved in your security processes and tools, let them help guide you and let them use the tools you have.
For example, don't just provide security metrics, but also give people access to your metrics tools. You have to weave the security fabric into all of IT. It's no longer about intrusion detection or prevention. It's about network architecture, patching, DNS, proxies, among many other things.
But most importantly it's about people. Get out into your organization's community and see how security can positively affect them and learn what you can do to help enable the business. Then, these people will help enable you.
As security professionals, we need to constantly think about how we can expand beyond our immediate resources and educate everyone around us on what they can do to be a part of the security team.