When I was in the government we used to say cybersecurity is a team sport. Different government agencies have different specialized capabilities. During national cyber incidents, we often needed a broad range of expertise to quickly respond and remediate the intrusion, given the stakes and the high level of adversary sophistication. With criminal attackers now leveraging a variety of sophisticated techniques and third-party vectors to extort companies and disclose their private information, the need for a broad range of expert skill sets to prevent and respond to incidents has never been more critical for businesses.
IT leaders need to be thinking about how to engage top-tier expertise across the full spectrum of prevention and response activities to stay ahead of modern threats. Knowledge gaps are just as critical to close as tech gaps to prevent criminal exploitation of corporate networks.
There are three interdependent trends driving security knowledge gaps:
1) IT environments have grown increasingly complex, especially with more remote workforces;
2) security tooling has grown increasingly specialized; and,
3) the high volume of data generated by these more complex environments and security tooling requires more sophisticated data analysis to produce security value. IT leaders should appreciate how these trends impact their security posture and resource planning.
By far, the biggest tectonic shift in the security landscape occurred during the rapid transition to remote work at the outset of the pandemic. Whatever program plans IT leaders had prior to March 2020, were obsolete by the end of that month when their company operating models became decentralized by necessity. Some of our clients had to migrate to cloud apps literally overnight. IT teams had to pick up knowledge of SaaS and IaaS-native controls on the fly. For the uninitiated, replicating on-premise controls in the cloud is daunting. There are no easy solutions. It takes knowledgeable people, considered processes and the right mix of tech.
Many IT leaders took the kitchen sink approach, throwing lots of new security tooling at the problem. In some cases, new tools can enhance visibility and control; however, if misconfigured or poorly managed, security tools are more like barnacles that simply accumulate while making it harder for a ship and her crew to navigate perilous seas. We see this often, unfortunately. Security vendors are persuasive when they demonstrate the efficacy of AI-based tools, like ‘next-gen AV’, EDRs, firewalls and SIEMs. What those demonstrations usually fail to convey is the hidden cost of managing the tools to achieve and maintain that level of efficacy in a real-world IT environment. After the install is complete, who will keep the policies up to date and the models tuned to prevent noisy false positives from overwhelming teams? Security tools are not fire-and-forget weapons. They require knowledgeable operators to deliver on their promised value.
It’s intuitive that a more complex IT environment (read: larger attack surface) and more security tools to maintain visibility across that larger surface, will produce more information for security operations personnel to manage, understand and act on. This compounding data problem is the hardest one to solve when you’re a lean organization, especially if you’re a small or medium business with resource constraints. It’s simply not practical for a small IT team to have dedicated data engineering and data science expertise, and yet, increasingly, expert data management and analysis specialization is table-stakes for finding and stopping modern threats across hybrid IT environments.
We meet with IT leaders every day and every single one of them grapples with some variation of these knowledge gaps.
Now, as a vendor, you know my bias, but objectively it is infeasible for a small IT organization to build an internal capacity that alone can close these gaps. The diversity of infrastructure, tools and data requires a team with diverse functional expertise. The most feasible model for accessing diverse specialist expertise is a shared responsibility partnership.
We think a great analogy for this type of security partnership is the serious climber who hires an expert guide service to help them summit a mountain. The climber must be prepared with the foundational knowledge and wherewithal, and the guide will complement their knowledge with more technical climbing expertise, as well as specific knowledge of the mountain and its risks. They must collaborate as a team to successfully summit. So too for cybersecurity today.
Our team of security engineers, data scientists, threat investigators and technical account managers (who we refer to as ‘guides’) work in partnership with our clients to achieve their desired outcomes. As much as we pride ourselves in delivering a very low-touch, highly-automated service, we still need our clients to take responsibility for aspects of their security over which we have no control. Often, this means patching vulnerabilities we identify quickly, executing response actions we suggest or gathering evidence to address specific compliance controls when that’s a desired program outcome. Our best customer outcomes are the ones we enable in partnership with IT teams. We pride ourselves on being exceptionally prepared guides.
If you’re grappling with a security knowledge gap today, we’d be happy to share the best practices we’ve observed to help you consider how to close them. Ultimately, the hardest problems require great people to solve them. But, your organization doesn’t need to go it alone. Cybersecurity is a team sport.
To see how we've engineered our own SOC to support such a collaborative approach, check out our white paper, The 'Hyperscale SOC' and the Minds Behind It.