Rick Fink, rSolutions

The cybersecurity talent shortage is something that we repeatedly hear about and see firsthand in our consulting work. According to some sources, there are currently up to 200,000 unfilled security positions in the United States, and an estimated one million open positions globally. By 2019, experts say there could be 1.5 million unfilled cybersecurity jobs. We hear these things in reports from IBM, Symantec and Cisco, to name a few. But, even if you debate the exact number, we still can agree the shortage is real.

Indeed.com recently did a study on two years’ worth of relevant job posting data worldwide, in which Canada is reported. It becomes clear that demand is simply outpacing supply.

Learn More

The risk in this shortfall in supply is that many companies are finding themselves performing work arounds to their IT security challenges. It’s a race to the basement, which increasingly erodes security teams’ footholds on defence and makes security posture proactivity more and more difficult to attain. In the meantime, the threat landscape is increasing in size as the market for stolen data increases and successful attackers propagate in-step.

In this environment of increasing threats to the organization, decreasing availability of skilled workers and inherent risks to performing workarounds with available resources, an honest question is: Which security tasks and roles can be outsourced?

Assessments

Whether you are part of a major corporate enterprise or a public-sector organization, it’s hard to probe your own organization for vulnerabilities. Skill and smarts aside, our own connection to the environment may actually impede objective analysis of the security posture. It can be difficult to gain the necessary perspective from inside your organization. Kind of like creating, writing and scoring your own test, if you do well – you wonder, if you do poorly – you wonder.

A proper vulnerability assessment will be performed by a third party and look at network, application, email phishing and social engineering vulnerabilities. It will probe your infrastructure, help you understand your security posture as it currently exists and prioritize actions your team can carry out to make improvements.

These assessments typically follow a quarterly or annual reporting period timeframe and will provide even greater insight over time as Vulnerability Assessment findings are remedied and awareness is created of the things to look for within your unique environment. We regularly recommend annual or bi-annual reporting, as fixes to systems and training of staff can take time and a quarterly measurement may simply be too short a timeframe to see results from the findings of the previous quarter.

Monitoring

Security monitoring is big piece of IT Security success, but is often underachieved due to many factors. The first is the underlying premise of this article – simply too few people to do the jobs required. The other lies in the tools required to do the job. In IT Security there are tools for endpoint protection, email protection, firewalls, privilege access management, mobile device management, security policy management and often there are multiple and overlapping tools used for each piece of the security required for each. This requires security professionals to continually pivot in and out of different security products reporting windows to provide some nebulous understanding of their security posture.

Imagine that you have all these reports from all these different security products and your job is to reconcile and make sense of these reports, but also in real time that allows you understand your organization’s up-to-the-minute security posture. I hope that didn’t conjure an image of a happy and diligent worker, because that peaceful image would be a blatant lie in most cases. The complexity and enormity of the reporting alone doesn’t lend positively to having anything close to real-time understanding, and as we know, our computing environments rely on instantaneous connectivity.

Outsourcing to professionals who can set up your IT Security posture, with single pane of glass reporting is a serious consideration and is available and will provide the quick response times necessary. Now this doesn’t mean your security team will all get the day off, but it may afford them the time to trouble shoot, patch and actually get ahead of the curve in becoming more progressive than defensive.

Testing

Often times our application development teams and security teams don’t communicate well. Just because they all fall under the IT banner, don’t assume they share common objectives. Development teams are tasked with developing and updating new and existing software so it performs a business function. For the development team, they are pushed hard to meet taxing deadlines and to get these systems operational as soon as possible.

In their pursuit to economically meet deadlines, at times, they have been known to forklift in code from similar applications or code that performs a similar unique function they require the application to perform. Let’s face it, it’s standard practice. However, in this haste, we can actually open vulnerabilities and import existing vulnerabilities into new applications. It’s not the development team’s job to think about security and this prevailing attitude exists. On the flip side, imagine a developer that tested all their code for security compliance. It’s safe to assume the pace of their work would be somewhat like making an ejector seat reservation.

Your security team will likely lack the time and resources to effectively search for vulnerabilities in newly developed/updated apps. The development team is on a different track and in all likelihood will lack the capability to ensure security compliance. So, the onus falls where? This is where a dedicated security team focused on this one task can help.

Response

Whether your security monitoring is outsourced or on-premises, once it finds an incident is where the rubber meets the road. Sure, you can prepare for the immediacy and importance of a security incident, knowing that your resources are positioned well to respond, knowing who will start the chain of notification for internal and external audiences (and know the new policy and legislative requirements too) and so on. Yes, in some cases your team might be well suited to respond. But, if you stand-up right now and walk out to your in/out board you’ll find one or two key resources away, on training, away from their desk, or in a meeting. That’s just life and the point is that we tend to think idealistically in resource allocation around a crisis, not that we’ll be ill-equipped in some way. And, if you’ve ever been in midst of a major security incident, even with a highly-prepared and competent team, the challenge is all about the readiness of the people who were there at the time. When we think about it, it’s a slim entry vector that will either allow us to descend safely back to earth or bounce off the atmosphere into oblivion, so establishing a good relationship with a IT Security firm that specializes in incident response and forensics is wise. Because it allows for a bit more wiggle room in that re-entry vector for better odds of a safe landing.

Training

Training is becoming or will be a requirement of policy compliance, insurability requirements, or just plain-old sound business risk management. Security training takes a variety of forms and there are a few choices and a few more products on the market that provide out-of-the-box security awareness content for your organization’s customization. It is our assertion that targeted, meaningful training helps raise the profile of security threats to wider audience beyond the IT silo. When those messages are communicated outside of IT, everyone wins, as the challenges and threats to the organization get more attention. This can contribute positively to more than just awareness and contribute positively to the bottom line.

As we grapple with the widening threat landscape and an unnatural pace of evolution of threats on that landscape, we are met with fewer resources to choose from to keep us safe from harm. Outsourcing your security services to a fully or partially managed IT Security solution may just be the wise way to go, heck, soon enough, it may be the only way to go.

What good is all the effort you put into bolstering your company’s IT Security posture if your end users continually pipe a new stream of ever-evolving threats directly into your environment?

Sure, the robustness of your security controls gets a steady work-out, but we assert that adding a little awareness of security can go a long way. Even a nominal awareness program holds the potential to reduce the scope and severity of risks to your environment; so you can focus your time, money and effort to bolstering your security posture instead of the hand-to-mouth servicing of one-off security threats.
You likely you have read The Art of Deception by Kevin D. Mitnick (and William L. Simon) (if not, you should) and know that all the work that goes into building a robust security posture doesn’t mean squat if your end users are clicking on every attachment and bad link they come across.

In Mitnick’s words, “…the human factor is truly security’s weakest link.” Try as we might, we can’t solve every problem with a blinky light.

So you might be thinking, “how do I create (or improve) a culture of security at my company?” Many of the clients we serve at rSolutions are larger enterprises and have both external and internal communications departments, so we preface this advice under the assumption you’ll be working with a communications team, but we also provide this advice so it is large enough in scope so any sized company can derive some benefit.

Frame the Issue

Communications teams are likely largely unaware of all the efforts that go into making a company’s security posture as tight as possible. An overview of the number of threats handled over a defined set of time will help show what you’re dealing with and how more awareness can help. Provide the history and evolution of the problem you are trying to solve as well as some examples of what could happen, and has happened to other companies, that have fallen victim to the threats you outline (consequences). Do not include any FUD facts. Stick to the true facts. This will help build context for the problem with a non-technical audience that can help you reduce your time in incidence response. Consider bringing the CTO or CISO around as a champion so you have the support from the top to the bottom.

Define the Audience(s)

Well, everybody needs to know about security, you say. That is very true, but we suggest you approach it like you would eat an elephant; one bite at a time. The likelihood of success increases if you start on a smaller test group, ironing out what works and what doesn’t, before spending the time, money and resources on a corporate wide awareness program. Consider a test group of your greatest offenders. You likely have the data to present the case. Have you talked to them about why they keep falling into the same traps? Do you have data that supports which user groups are the greatest offenders or at the very least an anecdotal indication of who the greatest offenders are? Package this information to build profiles of these audiences so you approach the communications team with a target audience. An audience you can measure against your actions.

If you had three wishes from these audiences, what would they be?

I wish they’d just:

1. follow the strong password policy (and keep it a secret).
2. quit clicking on spoofed links.
3. quit opening bad attachments.

Thanks to KDnuggets Carton for the awesome cartoon!

Yours might be the same, or maybe they are different. Whatever they are, be sure to target your lowest hanging fruit. The idea is that if we want to make a more cultural workplace change, we need to start somewhere basic, then as you move forward on a continuum you can address more detailed subject matter over time. Try to keep in mind that cultural change is a big wheel that turns slowly, so start with your highest payoff activities balanced against the concepts that are easiest to grasp for non-technical people outside the IT silo. Consider focusing on what messages will bear the most fruit if scaled up for the entire organization.

Where do your targets get information and where do they mess up?

Being in IT Security gives you visibility into where your users get their information and the kind of information they access. Basically, where they are hanging out and what they’re doing there. Keep an eye out for trends and patterns (like you’re not already) to find places of higher traffic. Where are the people you are trying to reach getting information, for their work and not-so-work related information needs?

Where do the people you’re trying to reach keep messing up? Is it around use of a certain application(s), network destination or internet? Just like our kids, we often have to catch them messing up or remind them of a rule when we notice they’re about to do something bad to ensure they are changing behaviour. It’s not that your fellow professionals in your organization are children, its just that many still view IT Security to be IT Security’s problem. They may not realize how their behaviour is a danger to the business. So your audiences need to be informed and re-informed of the rules, consequences and potential pitfalls in the places threat is most prevalent.

Create messages to influence behavior

Our primitive human mind is programmed to be on the look-out for things that are new, different, or may pose a threat on a level of our baser animal instincts. Keep your messages consistent around a central theme of complementary messages or a single message. But keep the delivery of that message dynamic and changing. As we are trying to secure a digital environment, it makes some sense to keep our messages to that space, but the human mind requires similar or complementary messages presented in different ways to break through to our consciousness. Using analogies from outside of the digital space can increase chances that you’ll reach desired outcomes.

Put your skin in the game

Consider putting some of your budget aside to address this with a professional. Many marketing and communication efforts stall when the responsibility for who’s going to pay starts becoming the issue. Consider cost sharing or proportional funding of these efforts going in, so there is a partnership developed and there is common understanding of the resources available to reach the audiences. Strategists, designers, production and placement aren’t always cheap, but there are ways to respect costs in-step with the desired outcomes. Having understanding of the budget going in helps save more time and effort in the long run.

Measure your results

Validate the actions carried out with the desired response through your measurement of the intended outcomes against the info and metrics you collected to frame the issue earlier. We’re not talking about seeing drastic up-ticks in security compliance moments after putting up a poster in the staff lunchroom, but try to look for behavioural changes. If you’ve started with your worst offenders, is there a change in the number of incidents? Is there lower instances of help desk calls, has their network reliability improved? Ultimately, have your efforts delivered the fruit you expected or want? If so, you’re on the right track. If not, you may need more information from your targets and understanding of which messages failed. It’s important to note that humans aren’t as easy to diagnose as systems, they may not perform as expected if something rubs them the wrong way or is placed somewhere they can’t see it.

For more information on building IT Security awareness for your organization, we’re rSolutions and we have access to the professionals that can help.