Cybersecurity Maturity- Maybe your company got hacked. Maybe your competitor got hacked and you’ve come to the stark realization that it can happen to your business, too. Maybe you’re tired of changing your credit card numbers or getting security freezes on your account. Whatever the motivation, you’ve probably asked yourself at some point, “Why is cybersecurity so difficult?” This three-part series is designed to demystify challenges facing IT security teams for executives and explain how they can support a strongerdefense while maximizing investments.
The First Line Of Response
IT security operators are the first responders to a cyberattack. Like firefighters seeking to minimize damage to a home, they have tools specific to the job of stopping the progress of an attack. But firefighting is a skill developed over centuries. Hard lessons learned have been turned into training and procedures used to hone recruits into productive rookies.
Cybersecurity is in its infancy by comparison. There is far less institutional knowledge to be shared with security operations recruits, especially since most companies don’t readily share information with one another. Adding to the challenge is a lack of qualified personnel across the industry at all levels of security operations, which leads to a high rate of staff churn.
This leads to a persistent lack of maturity in many enterprise IT security operations organizations. In a typical organization, there are insufficient skills at the tier 1 level to handle the response to most security events and incidents, resulting in excessive escalations to tier 2 and tier 3 support that are inadequately staffed to handle the volume. The inevitable outcome is that response is delayed or missed entirely, leaving an organization vulnerable to attacks and data loss through excessive exposure time.
Generally speaking, any IT discipline can be broken down into people, process and technology. Maturity can be improved across these domains, but it requires executive buy-in to support the right level of funding with targeted approaches.
Developing Personnel Maturity
From a people perspective, addressing the shortage of qualified staff is the biggest challenge. Some IT organizations have chosen to outsource security operations to a managed security service provider (MSSP) for this reason. The majority of enterprises maintain their own security operations centers (SOCs), though, and there is something to be learned from approaches that the MSSPs take.
Having worked for a service provider for four years earlier in my career, the most effective approach I witnessed was how the staff was rotated and trained. Security operations is a 24/7 task, so a minimum of three shifts per day and two watch crews is necessary to support an entire work week. Rather than have one crew work weekdays while another takes the weekends, each crew worked four days a week, allowing one day to be double-staffed for training.
Shift supervisors were responsible for developing training. Junior staff were incentivized to join in on the knowledge transfer as well. This created a competitive — but positive — feedback loop of continuous improvement. Executive buy-in was needed for the extra cost of double-staffing that one day a week, but it was critical for effective tier 1 support with lower-cost, inexperienced staff so the higher tiers could focus on less common problems and documenting process to protect business reputation and service availability.
Developing Process Maturity
From a process perspective, it’s important to recognize that the task of documenting process is never done. That’s because IT environments are constantly changing — as are the threats and vulnerabilities working against those environments. This amorphous state is a major reason why cybersecurity is so difficult.
To deal with this requires a dedication to documenting, maintaining, training, measuring and improving processes. Often, IT organizations have several heroes who are the only ones capable of solving complex and even simple problems. Their institutional knowledge remains locked in their heads, creating a response bottleneck and real risk if they were unreachable in a security event or to leave the organization.
Often, these heroes get their sense of worth from the respect they receive because of their knowledge and abilities. Few, if any, have the patience to create and maintain process documentation, but this is necessary for the good of the broader organization. To change this requires incentives, often of the financial variety. Executives may be tempted to think that this should be a part of the job, but those with significant security skills in this market can always find another job that requires less paperwork, so retaining them while getting what the organization needs requires a little extra.