Is Your Security Team Staffed With “A” Players?
I really hate going to the dentist. It’s the worst. I have to schedule time out of my week, sit endlessly in the waiting room (in reality it’s five minutes, but it feels like forever), and then the real pain begins when I start getting poked and prodded. Overall, it’s awful, and for that reason it’s tempting to ignore. However, if I don’t go for my basic checkup, everything gets worse over time until eventually I need surgery to repair the damage. Should I need oral surgery, you bet I want the best doctor in town. I’ll shop around, read reviews, etc. This is the opposite of my dentist, where the main goals are “cheap” and “close to home.” The path of least resistance will do.
Does this sound like the way your security team was assembled? Is it built with the best options or the most convenient? Is it staffed with people for whom security is an additional duty? Is security at the forefront of your organization or is it relegated to a back room until it’s needed?
Just Good Enough
Many organizations treat security like the dentist. They put it off and, when they do address it, it’s as an afterthought. The security checklist often gets handed to someone with some free time. Maybe a network engineer or system administrator is dubbed the new “security guy.” He or she scrambles to meet the checklist’s requirements for the day with no real authority or alignment with the business. They’re also probably going to take the fall when an incident occurs even though they were thrust into the job without the right level of expertise.
In my opinion, the security team should be treated with the same care as the surgeon. Think about what’s potentially at stake. What is the financial impact if your systems are taken down for weeks due to a denial of service attack? What if all of your B2B partners are no longer willing to do business with you or if customers lose confidence in you? In cases of a large-scale breach, you can anticipate lawsuits, recovery costs, and an army of auditors at your door.
What if personal safety is at risk, as is the case for manufacturers and health care providers? The WannaCry attack forced 16 medical facilities in the UK to turn away ER patients. That’s a pretty far-reaching impact. In any of these situations, you don’t want the team that was “just good enough” when you brought them on. You need the best.
Finding Your A-Team
Finding quality security personnel is hard. The skill set is so broad. During an attack, the security team needs to understand networks, servers, desktops, applications, logs, security tools, personnel, and business operations. It’s not all technical either. When preparing for regulatory audits or vendor due diligence requests, the team needs to know where the critical assets are held, who can access them, how the controls are implemented, and the governance that directs how it all comes together. Then there are the business-level needs. They need to understand how to recover from a disaster, the business continuity plan, and the ramifications of implementing certain controls. They also need the soft skills to budget correctly, report to senior-level leadership, and provide other IT teams with the flexibility to adjust technical needs without compromising security. There is no “one size fits all” approach and the cost can be very high.
Don’t forget the partners you’re leveraging either. Are you buying hardware and software tools via the “whack a mole” approach where hopefully you’re buying the right tools? Does your provider have expertise in security, or are they just selling you whatever products their manufacturers are peddling that week? When it comes to security providers, it’s important that you choose a true partner and not just another vendor. They need to be invested in learning how you operate and not just selling you the next top right solution in the Gartner quadrant.
It’s Worth It In The End
The cost and effort required to get the right team in place can be painstaking. If you do it right though, you’ll gain more than just the ability to pass an audit. These people, regardless of whether they are internally or externally staffed, can provide insight into what’s really happening and can streamline operations. A finely tuned, highly controlled information system can limit changes, prevent unnecessary support costs, and reduce the likelihood of a compromise. Ultimately, that’s far less expensive than what could occur from a massive attack.
Going to the dentist is never fun, but it’s far better than the worst-case scenarios conjured up by the alternative. If the worst does happen and everything is on the line, I want a board-certified, proven expert who has been there before on my side. The administrator who was handed an assignment because they’ve been with the company for a while isn’t the person I want operating on me. Is that who is protecting your company?
To start a conversation today around securing your business, contact Arraya’s Cyber Security Practice at: https://www.arrayasolutions.com//contact-us/.