Every month, cyber attacks seem to whiplash back to center stage. There are dozens of headlines at any given moment that should be catalysts for cybersecurity change. But things do not change and, in fact, they may be getting worse. Let's look at the top three negative forces making security harder going into 2017.
The Talent Deficit
Whether you think there aren't enough people to fill the open information-security jobs, or you don't think there are enough already qualified candidates, we're in the midst of cyber battles and today's ranks of capable soldiers are thin.
We need more talent, more hungry professionals who want “to fight the bad guys.” And it's not that this is AN issue, but it is THE issue. Security is still a human problem and will be for the foreseeable future. Without enough security teammates, what chance do we have?
Most teams are not lacking for technology. Intrusion detection, anti-virus, SIEM, detonation, proxies...you get the point. What's discouraging, though, is the amount of time and money spent on obtaining a new product or platform, and then seeing that new purchase either sit on the shelf or get deployed and decay over time. From the time products are purchased, they seem to diminish in value.
While there are instances where teams are truly leveraging technology to improve their defenses, the vast majority of teams are getting nowhere near the value from their tech stack they believed they would during demos. Why is this the case?
The first reason is awareness. In my discussions, security teams don't seem to recognize the deploy-and-decay problem until it is really a big problem. It's like ignoring your health until you're in dire pain, or ignoring your teeth until your tooth falls out and then saying maybe you should brush.
The talent deficit contributes to this because there aren't enough available human hours to go back and provide that care and feeding to the tech stack. And technologies themselves are not “self-healing” or “auto-tuning” to a level that would rid this task of the human cyber defenders.
Lack of Cyber Self-Esteem
Why is there a lack of cyber self-esteem? Environments are complex; culture is often more about clicking links than reporting them; CISOs have to fight for budget; and security controls get bypassed as soon as they have the perception of slowing down productivity. And, as was just mentioned, there aren't enough people and the security stack has cavities. Sounds fun, doesn't it?
It's depressing when I see teams that don't have confidence in leadership, or leadership that doesn't have confidence in the team. While I sincerely empathize, it's frustrating because I know these teams and these individuals are capable of so much more.
Is there Cyber Hope?
Teams are doing a lot of great things. Automation is empowering teams to be more effective. Creative-types and engineers are moving parts of the industry forward. There's a lot to celebrate. So what should you focus on?
1. Train and retain
3. Optimize your use of tools (and tune them)
4. Celebrate quick or easy wins and iterate
You must make sure your team is capable and then make sure they stay. Plain and simple. I've said it before, but make items like threat hunting, or tech tuning perks, and find other ways to make it fun. Teach your team python and let them learn other new skills. Security has so much room for creativity and innovation -- let your team capture that.
Beyond your existing team, you need a pipeline of candidates. We're in the unfortunate state where security programs should be continually recruiting, continually trying to build their talent pipeline. It's hard to enough to find and hire someone, and you will most likely not ever have more rockstars than positions. So get out there and recruit.
In line with making sure your team is happy and trying to fill the ranks, part of making them happy will be optimizing their use of tech. Focus on fewer tools and really make sure closer to 100% of the potential value is being realized. Dive deep in the rule creation or the API usage. Leverage data sets in different ways. You'll find you don't need as many tools if you do it right.
Finally, you need to celebrate, both internally to the security team and throughout your company when there's a win. Celebrate that employee who reported a phishing attack. Let your team blog or disclose some neat piece of ransomware they found and dissected. Through sharing and other means your team can build up their own brands and make friends in the process. But the best part will be the celebration of these different accomplishments, like reducing mean-time-to-detect or mean-time-to-respond. Security can be really fun and you should aim for that.
If you start taking some of these steps, even an inch at a time, you have a chance at moving your program forward. You may have to fight for that inch, but you it moves you forward nonetheless. We cannot give up, we cannot let our technology only operate at 10 percent of its possible value, and we cannot let our teams think they have no chance. Our cyber resiliency will only exist if we start reducing these counter-productive forces on security. Let's make 2017 a better year than 2016, and we can start by overcoming these security hurdles.