The ingredients for strong cybersecurity aren’t a secret. In fact, they haven’t changed significantly over the past 20 years—the ingredients are available to almost every organization out there.
On the surface, doing security isn’t that hard:
That’s it. Executing well in these areas will stop most attacks and help minimize the impact from those that are successful. So why do most organizations have such a poor security posture?
Organizations—and security teams in particular—claim that cybersecurity is everyone’s responsibility, but do their actions back up their claims? The root of the problem may surprise you. It starts with the perceived role of security in the organization and the decisions that are based on that perception.
Here's how to assess whether your security team is set up to fail.
The common view of security’s role is to stop hackers. Looking around the security community, there’s plenty of material to support that. Most conferences and publications focus on the latest threat or malware variant. Movies always show the hackers taking down the firewall; rarely do we watch someone poring over log files.
A far more realistic and productive definition of the role is to ensure that your systems work as intended—and only as intended. This may seem like splitting hairs, but the definition of the role is critical.
Stopping hackers is an activity that is viewed as a job with limited scope and a definite perimeter. Ensuring that systems work as intended and only as intended requires multiple teams working together. An isolated team cannot accomplish this goal.
The consistency with which security teams are structured is amazing. In all verticals, all regions, and all types of businesses, security teams are built in a purely centralized model. The only thing that changes is the relative scale of the team.
The teams break down into five areas:
As organizations grow, the leader becomes a CISO, and eventually the office of the CISO. The other areas of focus also reflect that growth and become dedicated teams rolling up to the CISO. Regardless of size, the centralized model rules supreme.
But isn’t cybersecurity everyone’s responsibility? This structure runs counter to that goal. It isolates the organization's security knowledge in one place. This creates three significant problems that the security team is forced to address.
Every team that the security team needs to communicate with adds overhead—and it needs to work with everyone. Each new link needs to be maintained, and eventually the number of connections becomes overwhelming. This severely impacts the team’s ability to effectively communicate within the organization.
This is the point when memos and meetings start to become more common. Despite the clear evidence that meetings are ineffective, they are relied on to bring security to the table and make critical decisions. It’s a recipe for disaster.
Teams within the organization don’t get the information and education they need, and the security team is always struggling to keep up with the latest initiatives. Lose, lose.
A parallel problem to direct communications is a lack of context and supporting information about the state of various IT systems and applications. If the security team’s role is to stop hackers, why would it need business metrics?
This setup leads the security team to areas it can control. Perimeter defense, endpoint systems, and threat intelligence all provide supporting information to the team to inform members' decisions. This biases their response to common situations.
Take for example a massive spike in inbound network packets. If the security team sees an unexpected increase in network traffic from a variety of IP addresses, its (understandable) assumption is that the traffic represents a DDoS attack.
The team is missing additional details that would suggest alternative causes. What if this traffic is the result of a wildly successful marketing campaign and the business has had a day the sales team previously only dreamt of?
Without information from key business systems (such as the total number of completed transactions) and application metrics, the security team doesn’t have enough information to make the correct determination. This is the direct result of the isolation of a centralized team structure.
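The triage described above can be sketched in code. This is an added example, not part of the original article: it labels a traffic spike by checking whether completed transactions rose with it. The sample counts, thresholds and label names are constructed assumptions.

```python
from statistics import median

# Constructed sample data: (minute, inbound_requests, completed_transactions)
BASELINE = [(0, 1000, 50), (1, 1100, 56), (2, 950, 47), (3, 1050, 52), (4, 1000, 51)]
CAMPAIGN_SPIKE = (5, 9000, 430)  # traffic and completed sales rise together
FLOOD_SPIKE = (6, 9000, 48)      # traffic rises, completed sales stay flat
QUIET = (7, 1020, 50)            # ordinary minute


def build_baseline(samples):
    """Summarise normal behaviour: typical request volume and the typical
    share of requests that end in a completed transaction."""
    usable = [(r, t) for _, r, t in samples if r > 0]
    if not usable:
        raise ValueError("baseline needs at least one interval with traffic")
    return {
        "requests": median(r for r, _ in usable),
        "conversion": median(t / r for r, t in usable),
    }


def triage(sample, baseline, spike_factor=3.0, conversion_floor=0.5):
    """Label one interval.

    spike_factor: multiple of baseline requests that counts as a spike
    conversion_floor: fraction of baseline conversion that must survive the
    spike for it to look like real customers (both values are assumptions).
    """
    _, requests, transactions = sample
    if requests < spike_factor * baseline["requests"]:
        return "normal"
    conversion = transactions / requests
    if conversion >= conversion_floor * baseline["conversion"]:
        return "demand-surge"      # business metrics moved with the traffic
    return "suspected-flood"       # traffic grew, business outcomes did not


def run_demo():
    baseline = build_baseline(BASELINE)
    return [triage(s, baseline) for s in (CAMPAIGN_SPIKE, FLOOD_SPIKE, QUIET)]


if __name__ == "__main__":
    print(run_demo())
```

The label is a triage hint for the analyst, not a verdict. It only works if the security team can read the transaction counts in the first place.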
Centralization also shapes the perception of both the team members and the rest of the organization. Security is known as the team of “no,” and the security team generally has a negative view of the organization’s users.
Nowhere is this clearer than in security awareness training. Users are told that they need to select a strong password and then are given arbitrary rules on how to create one. Eight characters, one capital letter, one number, and a symbol. Rinse and repeat every third month.
This, despite evidence that it leads to poorer security outcomes. Thankfully, the NIST guidelines have been updated to a more reasonable and secure approach, but this bad advice persists.
We see this attitude in training about phishing attacks. Users are told not to click on links for their own safety. That’s absurd. The sole purpose of a link is to be clicked on.
The centralized structure discourages empathy and understanding.
Completely decentralizing security isn’t realistic, nor is it the answer. What is needed is a change in perception and attitude for the members of the security team.
The good news is that understanding the forces at work allows the team to fight against them. A modern security team embraces the need to act as educators within the organization. Its members seek out an understanding of how the business works and build bridges with teams throughout the organization.
A modern security team works hand in hand with all the teams in the organization to move toward a common goal. The teams work together to ensure that all systems are working as intended—and only as intended.
When assessing your security team's posture, remember: The biggest problem in cybersecurity isn’t a technical one—it’s a people problem.