I asserted above that the golden triangle of security controls started with people and I can attest that if everyone in the enterprise takes cybersecurity seriously, those security professionals in the organization will have a much easier time. We still have a long way to go before our detective and preventive controls are truly effective at finding and stopping breaches before they happen. Along with the skills and knowledge needed by everyone in an organization, good processes and technology are also required to complete the security golden triangle. Examine the CIS Top 20 Security Controls and you'll see process written over many of them, if not all. Yes, technology will make them manageable and is even required for some, but behind each control is a process ensuring the control can be effectively implemented. It isn't enough for people to have cybersecurity knowledge and skills – they actually have to use them! Good, standardized, repeatable processes developed, monitored, and enforced by the security team will help minimize human error. A truly mature organization will begin to self-enforce and monitor, but this is a cultural shift that comes from building security into the organization (and a blog post for another day). Regardless of maturity level, without good processes, filling the skills gap will only take an organization so far. Cybersecurity is inherently technological and, while people and process provide good security momentum, technology really gets the ball rolling. Whether it's ensuring servers and devices adhere to secure configuration, assessing the enterprise for vulnerabilities, keeping inventories of devices and software, or ensuring administrative privilege is properly controlled (the CIS top 5, by the way), technology makes it possible. It is unimaginable to try to keep an enterprise secure without the proper tools to do so and there are a lot of tools in the security toolbox. Again, the skills question raises its head – it's one thing to have a toolbox full of tools, it's quite another to have the skills and context to use them. For me, this is where the skills gap discussion needs a deeper dive, sometimes it seems like we want our security professionals to be general contractors – know how to do plumbing, carpentry, wiring, architecture, and know all the building codes and regulations. We also expect those people to be master craftsmen in every craft! When we go a bit deeper, we discover the tools needed for security don't fit in a box – we need a full garage full of tools and a variety of expertise to use them effectively. This is a luxury that many enterprises can't afford. Even with a security rock star, it helps to have a team of specialists and generalists who are able to create the architecture, monitoring the enterprise, configure the devices, remediate vulnerabilities, and educate employees. Not all those people need to have security in their title, but they do need it in their bones. They also need to have the training, context, and skills to use the tools to accomplish the task at hand. Security is a whole-enterprise endeavor. In that regard, the skills gap is wide – every person in the organization is responsible for protecting the enterprise, following the processes, and using the technology for the role which they were given. Filling this gap takes regular security awareness training, focused skills and knowledge training for IT professionals on the front lines of the security battle, willingness of the leadership team to craft and enforce good processes, and investment in the right technologies for the job. When the people, process and technology are all aligned in protecting the enterprise, security becomes much more effective. If you are looking to fill the skills gap and get someone on your team, Tripwire is willing to help. We have the right people, processes, and technology to assist you in your security and compliance needs with Tripwire ExpertOps.
Not every skill requires a cybersecurity genius to grasp – many of the most fundamental skills come down to basic education, common sense and vigilance.