5 Questions to Ask About Your Security People in a World Saturated by Security Tools

Type carbonblack
Reporter Ryan Murphy
Modified 2019-01-28T17:58:07


Definition of *tool*

1a: a handheld device that aids in accomplishing a task

b(1): the cutting or shaping part in a machine or machine tool

(2): a machine for shaping metal : MACHINE TOOL

2a: something (such as an instrument or apparatus) used in performing an operation or necessary in the practice of a vocation or profession - scholar's books are his tools

b: an element of a computer program (such as a graphics application) that activates and controls particular functions

c: a means to an end - a book's cover can be a marketing tool

d: other NSFW definitions

> Why are we defining "tool"? We use tools every day to do our jobs. We lose sight of this in our hectic lives and with all the noise around us. But we have to remember that tools are tools, and they are used by people. We also have to remember that some people can operate a given tool more efficiently than others. This is not an indictment of people or of tools; rather, it is a reminder that a tool is only as good as its operator.

Recently there was an article from US-CERT providing guidance to CISOs on good security hygiene. One of the items that stood out in the best practices was item six on the list, *"Retain Good Quality People."* Personally, I feel this should be number one on the list. Why number one? Because every other item relates back to the people who either administer the environment or use the tools. As vendors, and as customers, we lose sight of the human element.

One of the biggest mistakes we see is that the people get overlooked, or there is overconfidence in their skills. We have to remember that people use the tools, and the tools will only ever be as good as the person using them. You can have the best tools in the world, but if the operator does not know how to use them properly, their value will never be realized. When this happens, you quickly find yourself in a wash-rinse-repeat cycle of tool evaluations. This costs an organization time and money, both of which are in short supply for most companies.

> One thing to consider when you are looking at different tools is to use this as a time to evaluate your talent as well: the people who will use the tools. Does this mean you do not have faith in the people you hired? No, but it does give you a chance to see what they are capable of before you need them in a time of crisis. Would you ever buy a motorcycle for someone who has only ever driven a car? Could they ride it? Probably, but would they get the most out of it? Doubtful. The tools you invest in are no different.

Speaking of investing, how much do you invest in your people? Organizations are willing to spend a lot of money on tools yet very little on their people outside of compensation and benefits. We all know there is a skills gap, and when you do find good people it can be hard to retain them. While this seems like common sense, the problem persists. To make things worse, there continues to be a mindset that tools make things easier. However, ease of use is relative to the operator of the tool. A skilled operator will get the full value out of the tool, while a partially skilled operator will only get you a percentage of that value and will likely cost you more money in the long run.

> Remember item six on the best practices for CISOs: find and retain good talent. Security operators are as critical as CPAs in accounting, MBAs in finance, or the other high-priced specialists running your organization. Failing to spend on and retain talent can result in costs far exceeding what you would have paid up front; think about how much a breach costs. Additionally, keep these people active and keep them trained. Lastly, when you bring in tools for evaluation, evaluate the team using them as well. Are they more interested in ease of use than in value to the organization? If so, maybe you have a skills problem and not a tool problem.

Here are five things to think about:

  • How much training, outside of tool training, do you offer?
  • Outside of the day-to-day job rigors, what do you do to keep your team's skills sharp and minds engaged?
  • Do you know what motivates your people? (Hint: it’s not always money.)
  • What keeps your people at your company?
  • When testing a tool, do you test your people too?

The post 5 Questions to Ask About Your Security People in a World Saturated by Security Tools appeared first on Carbon Black.