The IT workforce is a critical element of cybersecurity. New solutions come into the market to help organizations protect their data, but without skilled, experienced workers to implement them, these tools alone aren’t going to get the job done.
During the CDW Managing Risk Summit in Boston last month, the importance of the cybersecurity workforce was a top concern. Several experts highlighted the need for more skilled professionals in the security world, as well as the demand to improve training for current workers.
“We work every day to improve our technology, to improve our risk management capabilities for our customers,” Ed Cabrera, chief cybersecurity officer for Trend Micro, said at the summit. “But if you don’t have the right people — in-house or externally — supporting you, it’s not going to get anywhere.”
Expanding on that point, organizations should also strive to retain the best and brightest of their security workforce, invest in the professional development of those employees and work to create a security culture through cohesion.
The Benefits of a Consistent Security Team
There is a shortage of qualified security professionals and plenty of work to be done. To a large extent, the forces of supply and demand will drive that workforce. In light of these forces, the retention of an organization’s security workforce is of the utmost importance. As Sadik Al-Abdulla, director of security solutions at CDW, alluded to during the summit, there is a certain quantum nature to the identification of threats: The more we look for a threat, the more often we identify it, and in less time. Essentially, we just get better at understanding what we are looking at. Drawing on this idea, the cohesion of a security team can drive down the time between an initial attack and identification of that attack.
Maintaining the institutional knowledge of a security team is essential. An organization can have an excellent security operations center, but institutional knowledge loss, either through poor employee retention or lack of documentation, can quickly degrade that capability. A tenured security professional with experience working in your environment is more likely to develop an organic understanding of your network baseline activity. A team of security professionals with that contextual knowledge and cohesion is even more likely to have an accurate pulse of an organization and be able to tell the difference between a false and true positive.
During a keynote speech at the summit, cybersecurity journalist Brian Krebs quipped that every organization eventually undergoes penetration testing — the one they pay for or the one they get for “free.” Herein lies the return on investment in any security undertaking, whether that be penetration testing, establishing a security framework or a disaster-recovery exercise: You’re more likely to recover from a test with eyes wide open than from an unscheduled threat event.
Just as they receive a strong return on their investment with penetration testing, organizations need to invest in expert security staff. They’re the professionals you rely on to provide thorough and consistent security execution. They know the users, the infrastructure and what’s normal for your organization.
Security Framework: The Foundation of Your Defense
Another critical element of a defensive program is a security framework. A useful framework enables an organization to take a messy situation involving people, processes, tools, business needs and critical assets and put them all into context. For example, the National Institute of Standards and Technology recently updated its Cybersecurity Framework, which has been well received by organizations as a practical orientation for industries of all sizes and types.
Effectively implementing a security framework requires not only executive leadership buy-in, but also input and assistance from all business units, as the definition of critical assets and processes is essential to efficient and effective security control implementation. With a framework in place, organizations can establish a security roadmap, assess the maturity of current security controls and identify the desired state. This becomes a routine process, analyzing the gap between the current posture and the desired state against the backdrop of identified critical assets and processes on which the organization relies.
Investing the time and resources needed to conduct a thorough gap analysis only puts organizations in a better place. Even if it’s too costly or impractical to address an identified threat or vulnerability, the perception of risk is at least improved to reflect a realistic landscape. Even if you’re not going to do anything about a specific risk, at least you’re cognizant of it. That’s better than being completely blindsided.
Complexity is the enemy of security, so as organizations, supply chains and interdependencies become more complex, a framework becomes more valuable. By implementing and continually evolving their frameworks, organizations increase their survivability in a world rife with risk.