Besides stolen data and money, perhaps the biggest impact of massive attacks like SolarWinds, Colonial Pipeline, and the current Log4j vulnerability is that people are starting to realize that cyberattacks and cyberdamage are inevitable. But even if failures are as certain as death and taxes, we can still reduce the frequency and success of disruptive events and limit the extent of the damage they cause.
Despite what most vendors and experts will tell you, the answer is not simply “buy more tools”. While technology and tools play a valuable role in protecting an organization, we don’t talk enough about the non-tech tactics organizations can adopt to improve their security posture. Based on my experience as a CISO and former incident responder, I want to offer advice on practices that I think IT and security teams should consider in order to regain control and adopt a more proactive stance in cybersecurity.
Good practices to consider
1. Building a Diverse Team
The security industry is largely homogeneous. For example, women make up only 20% of the information security workforce. Women and minority groups are vastly underrepresented in the field, and this needs to change not only to help reduce the skills shortage, but also to create better performing teams. You don’t want a group of people with similar backgrounds who think alike. By engaging a more diverse group of people, you’ll get more perspectives — people who will challenge your assumptions and introduce new ways of thinking. In an ever-changing field like cybersecurity, this is exactly what you need.
This work begins in the hiring process. Aim to foster a diverse talent pool by gender, age, experience, education, geography, race and orientation. And if you’re still clinging to the fear that prioritizing diversity might cause you to “miss out” on more qualified candidates, it’s time to let go. There are many incredibly qualified diverse candidates; you just need to put in the effort to find them.
Finally, consider whether you need to hire security professionals (those with existing experience or relevant credentials), or whether you can hire adaptable critical thinkers and provide the necessary “cyber” training. Widening your definition of a “qualified” candidate, especially for more junior roles, will produce a much more diverse workforce.
2. Don’t be afraid to outsource
The cybersecurity skills gap has been discussed for years, but unfortunately it is only getting worse. Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs by the end of 2021. beneficial in our profession! – and you want to keep as much work in-house as possible. But my advice, especially to smaller organizations, is to seriously consider hiring a managed service provider to help bolster your team. Organizations can’t afford to be short-staffed in IT and security roles, and MSPs provide a great addition to your existing team. The key is to make sure you perform excellent vetting, get peer references, make sure your MSP has a proven security practice, and maintain enough competent in-house talent to oversee your outsourced services.
3. Train like you fight
Tooling is important, but nothing is more important than your people in the field. From my experience as a security engineer and investigator early in my career and now as a leader, you have to train like you fight and fight like you train. The most critical skills you need to train for are incident response and crisis management. Red Team/Blue Team, Capture the Flag (CTF), and Tabletop Drills are great simulations to help you do this. In addition to testing the strength of your organization’s security capabilities, these drills can tell you a lot about your team. Who’s good under pressure? Who stands out as the leader? How does your team adapt and communicate in the face of obstacles? Perhaps most important, where do you have gaps in your existing plans? From there, you can organize your team to be better prepared if and when a real attack takes place.
Assumptions to (re)consider
The above three points are practices that can help organizations improve their cybersecurity posture. Additionally, I believe there is a need to evolve some of our outdated cybersecurity assumptions, including the following tired tropes that we need to retire this year.
- “Security is everyone’s business” — That’s true in many ways. Every employee should be vigilant and play an active role in keeping the business secure, but we do very little to help people contextualize their role in security. Most people don’t think of themselves as targets because they aren’t “big enough”, when in reality they might just be a convenient way to attack the ultimate victim. We also need more people whose sole job is cybersecurity. The skills shortage is an existential threat, and it should be a CEO and board priority to hire, recruit, and retain as many cybersecurity professionals as possible in 2022.
- “People are the weak link” — People are attack entry points and make mistakes (like clicking on phishing emails, which unfortunately is still all too common), but this argument overlooks and downplays the many weaknesses and vulnerabilities in hardware and software. How many security updates have Zoom or Microsoft released in the last month, for example? Answer: many. Employees are still our biggest protectors in many cases, so don’t weaken or humiliate them. Let’s compassionately provide e-learning training to employees and not turn a blind eye to the other weak links in the chain.
The hyper-competitive cybersecurity industry often devolves into “quick fix” promises that solution X or Y alone can “save your organization”. Technology is imperative for cybersecurity, and incredible innovations are being made by vendors that will help businesses protect their infrastructure, assets, employees, and customers. But remember that technology alone is insufficient. Building a proactive and effective cybersecurity playbook will always come down to people and practices.
Chris Hallenbeck is director of information security for the Americas at Tanium. He previously worked at the US Department of Homeland Security’s US-CERT, where he designed and developed incident response capabilities and refocused the team on strategic remediation with the goal of making organizations more resilient. Prior to that, he worked for RSA Security as a security engineer and with AOL/Time Warner on their global incident response team.
The post Log4j lesson: Defending cybersecurity isn’t just about technology appeared first on Venture Beat.