As part of our “Security Takes a Village” theme, we’re examining the roles of stakeholders other than a dedicated security team in securing your business. In this post, Perry Kuhnen offers a view of what IT’s role should be in securing your business. He presents a hard delineation of the responsibilities of maintenance and recovery vs detection and response, which for the SME is attainable if they are prepared to outsource, or to invest in staffing and equipping their own SOC (a complicated, costly, and lengthy undertaking that we have discussed in the past).
This topic is tough to address generally, because no two IT teams are the same, nor are any two businesses’ objectives. So, at the end of the day, it’s easy to dismiss this as “just my opinion.” That said, before my time at ActZero, I was in an IT leadership role for nearly 25 years, so I do feel comfortable presenting that opinion, with executives’ expectations, and the necessity of wearing many hats at a small to medium-sized enterprise, in mind. In this post, I will discuss what the role of IT should be in securing your business. You will see a gap in the responsibilities I list; alone, they will not completely secure your organization. That gap should be filled by at least one dedicated security person (paired with the long, complex, and expensive path of building your own SOC) or, alternatively, by outsourcing to a third party like ActZero. My goal is to make a case that IT folks can take to management, explaining exactly what they should be responsible for, where the gap is beyond that, and how to fill it.
Our role should be to own and communicate the Response Plan
Given your intimate knowledge of the architecture of your environment and the existing tools you have in place, one role we in IT should play is formulating a plan for when you get breached. With the traditional focus upon prevention technology (anti-virus, firewall, etc.) you have some protection. But, without a dedicated body for Incident Response (or, really, any cybersecurity personnel whatsoever at an SME) there needs to be a plan for what happens if those prevention technologies are bypassed. Having a plan and communicating what is within your capabilities (given those resources, and what you can outsource) is your role. Part of that is knowing when to leverage external resources – when it will be more expensive for you to deliver the same (or worse) results in-house.
Our role should be to ensure good Hygiene
Hygiene. If we extend the analogy of securing a home, your job as a resident isn’t to go chasing after those breaking in – but locking the doors and windows, and ensuring they’re in good working order, should fall to you.
So, while the IT department of the small to medium-sized enterprise may not have the resources necessary to acquire and manage the security technology required to secure the organization, something you do have the resources, expertise, and perhaps even tools to accomplish is patch management, vulnerability management, and other hygiene considerations. By remediating known vulnerabilities, you greatly harden your systems against breaches. That’s part of the reason that our MDR service includes regular vulnerability scanning, the results of which we report during our monthly meeting. We also make it easier for you by prioritizing which updates, on which machines, will most improve your hygiene score. Even without the “leg up” from ActZero, maintaining good hygiene is something that you can accomplish, with limited resources, that helps secure your organization.
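To make “prioritizing which updates, on which machines” concrete, here is an added Python example; it is not ActZero’s scoring model or code. It ranks patches by how much of a simple hygiene score each would recover across the fleet. The hosts, the finding ids (VULN-A and friends), the KB-EXAMPLE patch names, the doubled weight for internet-facing hosts, and the scoring formula itself are all constructed assumptions for illustration.

```python
"""Rank patches by how much they would raise a simple hygiene score.

Added example: the scoring model, hosts, finding ids and patch names are all
constructed placeholders, not ActZero's scoring or real advisories.
"""
from collections import defaultdict

# Constructed scan output: one row per (host, finding). 'severity' is a
# CVSS-style base score 0-10, 'exposed' marks internet-facing hosts, and
# 'patch' names the update that closes the finding (placeholder names).
FINDINGS = [
    {"host": "mail-01",  "id": "VULN-A", "severity": 9.8, "exposed": True,  "patch": "KB-EXAMPLE-1"},
    {"host": "mail-01",  "id": "VULN-B", "severity": 5.3, "exposed": True,  "patch": "KB-EXAMPLE-2"},
    {"host": "file-02",  "id": "VULN-A", "severity": 9.8, "exposed": False, "patch": "KB-EXAMPLE-1"},
    {"host": "file-02",  "id": "VULN-C", "severity": 7.5, "exposed": False, "patch": "KB-EXAMPLE-3"},
    {"host": "hr-pc-07", "id": "VULN-B", "severity": 5.3, "exposed": False, "patch": "KB-EXAMPLE-2"},
]

EXPOSED_WEIGHT = 2.0  # assumption: a finding on an internet-facing host counts double


def finding_risk(finding):
    """Risk contribution of one finding: severity, doubled if the host is exposed."""
    return finding["severity"] * (EXPOSED_WEIGHT if finding["exposed"] else 1.0)


def hygiene_score(findings):
    """100 minus the summed risk of all open findings, floored at 0."""
    return max(0.0, 100.0 - sum(finding_risk(f) for f in findings))


def host_risk(findings):
    """Total open risk per host, highest first (which machines to patch first)."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["host"]] += finding_risk(f)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def prioritize_patches(findings):
    """Return (patch, risk_removed, hosts) tuples, largest score gain first.

    A patch that closes the same finding on several hosts accumulates the
    risk of every host it fixes, so fleet-wide updates rise to the top.
    """
    removed = defaultdict(float)
    hosts = defaultdict(set)
    for f in findings:
        removed[f["patch"]] += finding_risk(f)
        hosts[f["patch"]].add(f["host"])
    return sorted(
        ((p, removed[p], sorted(hosts[p])) for p in removed),
        key=lambda item: item[1],
        reverse=True,
    )


def apply_patch(findings, patch):
    """Findings that remain open once 'patch' has been rolled out everywhere."""
    return [f for f in findings if f["patch"] != patch]


if __name__ == "__main__":
    print(f"hygiene score now: {hygiene_score(FINDINGS):.1f}")
    for host, risk in host_risk(FINDINGS):
        print(f"  {host:<10} open risk {risk:.1f}")
    for patch, gain, affected in prioritize_patches(FINDINGS):
        after = hygiene_score(apply_patch(FINDINGS, patch))
        print(f"{patch}: +{gain:.1f} points -> {after:.1f} on {', '.join(affected)}")
```

The point of the ranking is that the same update applied to one exposed mail server and one internal file server removes more risk than any single high-severity finding on its own, which is the kind of “which update, on which machines” answer a small team can act on in a patch window.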
Our role should be to prepare for Disaster Recovery
Let’s imagine a world where IT doesn’t worry about threats, and IR, and building a SOC. Maybe because such considerations are entirely managed by a third party (like ActZero). In that case, your new “cybersecurity concerns” would be about ensuring you can recover quickly and with minimal consequences in the event of an incident where somebody did get through. Remember the three pillars of cybersecurity, CIA: confidentiality, integrity, and availability. This dictates that recovery (and, by extension, backup) is a part of your security plan – think layers of security, redundancy by design. This focus is also way more in line with your expertise as an IT generalist than with trying to “become a security analyst” to meet your organization’s needs.
Recovery means having a rigorous backup plan that you stick to, architected with dedicated, isolated network mappings, offline backups, and cloud backups. It means being prepared for when the power is interrupted, and minimizing downtime through your restoration efforts. It means that when you lose a hard drive (as likely due to a hardware failure as to encryption by ransomware), your data isn’t lost with it. Ultimately you are trying to avoid a scenario where the outcome is catastrophic, and the cause is attributed to negligence of the IT team (rather than to the malicious actions of the hackers).
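A backup plan you “stick to” is only as good as its last verification, so here is an added Python example (not ActZero’s tooling) that checks a set of backup copies against a simple policy: a minimum number of copies, at least one offline and one cloud copy, every copy’s checksum matching the source, and the freshest intact copy being younger than a recovery-point limit. The copy names, the in-memory stand-in for the data set, the fixed clock and the policy thresholds are constructed assumptions; in practice the content would be read from the real backup targets.

```python
"""Verify a set of backup copies against a 3-copy / offline / cloud policy.

Added example with constructed data: the 'archives' are byte strings held in
memory so the check runs offline, and the clock is pinned for repeatability.
"""
import hashlib
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)  # constructed fixed clock
SOURCE = b"payroll.db:v42\n" * 64  # constructed stand-in for the protected data set

# Constructed inventory of copies. The cloud copy has one byte altered to show
# how a silently corrupted (or encrypted) copy is caught before it is needed.
COPIES = [
    {"name": "nas-share",    "kind": "online",  "content": SOURCE,               "taken": NOW - timedelta(hours=6)},
    {"name": "tape-set-3",   "kind": "offline", "content": SOURCE,               "taken": NOW - timedelta(days=2)},
    {"name": "cloud-bucket", "kind": "cloud",   "content": SOURCE[:-1] + b"X",   "taken": NOW - timedelta(hours=7)},
]

# Assumed policy: three copies, one offline and one in the cloud, and an intact
# copy no older than 24 hours (the recovery point objective).
POLICY = {
    "min_copies": 3,
    "require_kinds": {"offline", "cloud"},
    "max_age": timedelta(hours=24),
}


def sha256(data):
    """Hex digest used to compare a copy with the source it claims to hold."""
    return hashlib.sha256(data).hexdigest()


def verify_backups(copies, source, policy, now):
    """Return a list of policy violations; an empty list means the set is restorable."""
    problems = []
    want = sha256(source)

    # 1. Enough copies at all.
    if len(copies) < policy["min_copies"]:
        problems.append(f"only {len(copies)} copies, policy needs {policy['min_copies']}")

    # 2. The required storage kinds (isolated offline media, off-site cloud) are present.
    present = {c["kind"] for c in copies}
    for kind in sorted(policy["require_kinds"] - present):
        problems.append(f"missing {kind} copy")

    # 3. Every copy actually matches the source; a mismatch is a copy you cannot trust.
    intact = []
    for c in copies:
        if sha256(c["content"]) != want:
            problems.append(f"checksum mismatch: {c['name']}")
        else:
            intact.append(c)

    # 4. The freshest *intact* copy is within the recovery point objective.
    if intact:
        newest = max(intact, key=lambda c: c["taken"])
        age = now - newest["taken"]
        if age > policy["max_age"]:
            problems.append(
                f"freshest intact copy ({newest['name']}) is {age} old, exceeds {policy['max_age']}"
            )
    else:
        problems.append("no intact copy to restore from")

    return problems


if __name__ == "__main__":
    issues = verify_backups(COPIES, SOURCE, POLICY, NOW)
    if issues:
        for issue in issues:
            print("FAIL:", issue)
    else:
        print("OK: backup set satisfies policy")
```

Run on the constructed inventory, the check reports only the corrupted cloud copy; drop the tape set and it also reports the copy count and the missing offline copy. Scheduling this kind of check, and periodically restoring from the offline copy to prove it, is what turns a backup plan into a recovery capability.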
You can’t be an expert in everything. And if you work on a small team, chances are you’re already a high-value generalist – think about the different technology categories you work with that would each have their own team at a large enterprise. Cybersecurity should not be one of those disciplines that you “pick up on the fly” – and yet there’s a shortage of qualified cybersecurity people available in the market. The only way to address this in the SME is through outsourcing – we make the business case for you here. Notwithstanding that, there are still these critical roles that IT plays in securing the organization – even when we imagine a separate, dedicated, qualified, and proactive cybersecurity team working alongside us. To reiterate, those are dictating the response plan for when there is an incident, and ensuring it is communicated; maintaining great hygiene by patching, updating, and checking regularly to know the impact of doing so (or not); and making disaster recovery look easy, for those times when a breach (or another disaster) happens. If you’re managing these three things effectively, you’ll have significantly reduced the likelihood of an incident happening, and the damage should one happen – anything beyond that should be done by a dedicated cybersecurity team, like ours.