Teamwork prevails in every area of modern business, almost. People recognize the importance of collaboration among and between teams, and conversations and initiatives between previously segmented groups move the ball forward with far greater efficiency and sustainability than before, except when it comes to information security and IT. Why, when we value teams in business overall, do we take a different approach to IT and IT Security, continuing to rely on decades-old strategies while expecting our new cloud environments to be more secure and resilient to attack? Some refer to this approach as separation of church and state, borrowing the old US government adage and implying that IT Security is some sort of ethereal, mystical practice. The truth is, IT Security is a highly logical collection of specialized technical competencies that, when implemented properly as part of a holistic security ecosystem, touches everything from network design to configurations, policy, legal language, software, physical locations, layered security technologies, and end-users.

More mature and less vulnerable organizations understand that the most functional IT environment is one where Risk Advisory experts work hand-in-hand with IT Directors and Security Technicians to design, manage, validate, and harden the whole system together, collaboratively. They then continue validation and improvement cycles over time to reach a truly secure state from beginning to end: a well-oiled, sleek, efficient, and cost-effectively secure IT environment. Some are calling this holistic security. Whatever term suits you best in this mindset shift, we can look at a few cause-and-effect factors of an IT house divided, as well as how to fix the problem:

What is the modern value of collaboration?
What historical drivers have led us to separate IT from IT Security?
What is the cost of division to your bottom line?
Besides mindset, what keeps organizations from bridging these disparities?
What can be done right away?
Coordinated Teamwork: Strong Offense Begins With a Good Defense
How would this year’s bowl games have turned out if, for the past two years, coaches had reduced their offensive line to one player, invested minimal time in that single lineman, and focused their efforts only on ways to throw and catch the ball? Quarterbacks would have been sacked before getting a single pass off, and neither QB nor wide receiver would be running anywhere, even if they managed to hold onto the ball, because no one would be blocking. When considering your organization’s 2019 goals to move the ball forward, you have to consider how you will protect your key assets in the process, leveraging a powerful offensive protection strategy (otherwise known as defense that enables your offense). In fact, you are no longer just facing competitors on an “opposing team”; now you have to worry about cyber attackers sneaking onto the field and making off with your progress. Furthermore, not only will they fight dirty, but you’ll be working without a referee. Just ask one of your breached competitors if you want confirmation of what that does to organizational progress.
Why do People Separate IT from Information Security?
In an attempt to build institutional checks and balances into IT, Security and IT have traditionally operated separately, each developing its own policies, procedures, and practices. The idea was always that one group, the IT engineers, would build functionality in line with organizational goals, while the other would remain wholly separate and objective, coming in relatively blind to audit the IT environment for security gaps, flaws, and vulnerabilities after it had been built. In the meantime, someone would be working on compliance to add on the measures absolutely necessary to avoid harsh penalties. Independent review has its place, but in practice this arrangement created a harsh dividing line between groups: IT operations became the teacher’s pet, security was severely neglected, and compliance was reduced to a maintenance-only exercise. So in the end, IT has historically been given budget and staff allocations, while internal security teams have remained plagued by lack of budget and extreme understaffing, and compliance has been treated as a box to check that supposedly means nothing is wrong. As a result, security teams were misunderstood and devalued rather than recognized as key players enabling secure business processes. At the same time, security-first values gave way to a just-enough-for-compliance mentality in regulated industries. Then, as would be natural with these perspectives taking over, security departments were downsized and devalued further. Enter widespread breaches and cyber attacks.
Current Cyber Attack Rates and Losses
According to the most recent Ponemon Cost of a Data Breach Report, the average cost to breached organizations last year was a staggering $3.86 million per breach. Let that sink in. Now consider that the likelihood these organizations will be breached again within two years is 27.9%, despite an average response spend of $1.76 million. Why, in a company that has experienced tremendous losses, would all of the vulnerabilities leading to that breach not be properly addressed to stop the bleeding? If the causes could be remedied by something as simple as buying new security technologies, we would not be seeing such high rates of recurrence in spite of tremendous spending. Throwing technology at the problem addresses surface symptoms, when what is really going on is a series of larger, underlying issues. To contextualize, organizations in growing industries are expanding their attack surfaces rapidly through cloud deployment, broader technology supply chains, and greater global connectivity, resulting in attack surfaces too wide for them to secure with existing resources. To compound that problem, underlying internal imbalances of support for, and lack of cooperation between, the very teams needed to develop a more mature security posture are impeding progress.
Post-Design Phase Security Yields Ad Hoc Solutions
When systems have been designed according to old practices and traditional mentalities, primarily for functionality rather than secure functionality, security becomes simply a series of add-ons. Not only is this problematic from a design perspective (imagine if blueprints never took wind or rain into account, and hurricane clips were added wherever they would fit after the roof was already built, while the slope was never addressed), but it is often a waste of money. Networks, like houses, can be designed more securely at the outset, rather than having to go back and remediate problems after the fact. Either way, gaps and vulnerabilities will present themselves sooner or later, and most often in the form of a breach, attack, or outage. Those who adopt a holistic approach to security sooner rather than later will see the benefits of their investment by protecting their profits, shifting their thinking, and ultimately spending less, in the end, than their breached counterparts.
Information Security Workforce Shortage
At this point, the problem has become systemic, a cycle that feeds itself. With a lack of investment in security over the last 30 years, companies drove demand for that specialized workforce down, so fewer people trained for it. Then, once the breaches began and profits were threatened, there was a windfall of requests for security experts that the shrunken workforce could not meet. ISACA’s State of Cybersecurity 2018 report found that 3 in 5 organizations currently have unfilled cybersecurity/information security positions. Further, 54% said it takes 3 months or more to fill those open positions. Again, that is for companies who already understand their need to bolster security. The report concludes that “attracting and retaining sufficient cyber talent remains deeply problematic, in part because the industry is hampered by a shortage of technically skilled practitioners and an underrepresentation of women in the workforce.”
The Solution: Shared Workforce
Most often, building out a fully balanced security team, then arming them with the proper security solutions and keeping them up to date on training and certifications, is simply too expensive at this point. A more effective solution for many is to augment existing teams with outsourced ones, in some cases bringing in a Virtual CISO (a Risk Advisory expert), so they receive expert direction and security strategy for a fraction of the cost of a full-time employee. Further, they look to managed security services to address immediate needs for monitoring their networks while undertaking the process of building out their security programs. In this way, outsourced Network Monitoring, Managed Detection and Response, and other Security Operations Center services become more affordable and give companies access to current technologies and highly trained experts. The overarching shift industries are wise to embrace, though, is a focus on coordinated efforts and inter-team collaboration. Your money will be most effectively spent if you bring a security-first mentality into every area of the business, across the board.
Steps to Take Right Away
Simply put, widespread, costly attacks and a security workforce shortage have resulted in skyrocketing demand for trained Information Security Experts. As an established thought leader in the field, TRUE Digital Security has taken steps to build out our teams equally, with trained specialists in Risk Advisory, Information Security, Managed Security Operations, and IT Cloud Architecture. If you would like to talk to an expert about how to strategically supplement your existing teams, or if you would like to talk about monitoring your network and IT environment, please reach out to us at firstname.lastname@example.org.