Security Is a Team Sport

If you've read a security blog anytime in the last year, you haven't escaped mention of the dreaded skills gap for cybersecurity professionals. There seems to be consensus that it's getting harder to hire skilled security staff, though the reason for that is up for debate – some say we're just going about it the wrong way, while others claim it is an entry-level problem, and of course some say there are simply more jobs than qualified people. These discussions all focus on hiring staff whose primary role is on the cybersecurity team – a critical role – but only a piece of the puzzle of keeping a company safe. The other pieces of this puzzle are made up of people outside the security team who are responsible for adhering to policies and safe practices, the processes that define the safety controls, and the technology to detect, prevent and contain security incidents; people, process and technology, the golden triangle of security controls. Let's face it, there will never be enough people on a security team (ask any CISO or one of their overworked team members!) and there will always be more that can be done to defend the enterprise. The security team alone needs people to define security policy and controls, architect solutions, deploy and configure those solutions, monitor events of interest, and test and validate the controls in place – and that's just the beginning. And while an enterprise may have the best people on the job and every role filled, all it takes is a lost laptop, misconfigured hardware, or an errant click on a phish to bring all that hard work crashing down. This is why the security team is only part of the larger security team – a team which includes everyone else in the company – and this is where the real skills gap is to be found. Yes, those deeply technical and esoteric security skills are critically important, but just as important is following the rules in the security policy and recognizing a phish or social engineering.

Not every skill requires a cybersecurity genius to grasp – many of the most fundamental skills come down to basic education, common sense and vigilance.

I asserted above that the golden triangle of security controls started with people and I can attest that if everyone in the enterprise takes cybersecurity seriously, those security professionals in the organization will have a much easier time. We still have a long way to go before our detective and preventive controls are truly effective at finding and stopping breaches before they happen. Along with the skills and knowledge needed by everyone in an organization, good processes and technology are also required to complete the security golden triangle. Examine the CIS Top 20 Security Controls and you'll see process written over many of them, if not all. Yes, technology will make them manageable and is even required for some, but behind each control is a process ensuring the control can be effectively implemented. It isn't enough for people to have cybersecurity knowledge and skills – they actually have to use them! Good, standardized, repeatable processes developed, monitored, and enforced by the security team will help minimize human error. A truly mature organization will begin to self-enforce and monitor, but this is a cultural shift that comes from building security into the organization (and a blog post for another day). Regardless of maturity level, without good processes, filling the skills gap will only take an organization so far. Cybersecurity is inherently technological and, while people and process provide good security momentum, technology really gets the ball rolling. Whether it's ensuring servers and devices adhere to secure configuration, assessing the enterprise for vulnerabilities, keeping inventories of devices and software, or ensuring administrative privilege is properly controlled (the CIS top 5, by the way), technology makes it possible. It is unimaginable to try to keep an enterprise secure without the proper tools to do so and there are a lot of tools in the security toolbox. Again, the skills question raises its head – it's one thing to have a toolbox full of tools, it's quite another to have the skills and context to use them. For me, this is where the skills gap discussion needs a deeper dive, sometimes it seems like we want our security professionals to be general contractors – know how to do plumbing, carpentry, wiring, architecture, and know all the building codes and regulations. We also expect those people to be master craftsmen in every craft! When we go a bit deeper, we discover the tools needed for security don't fit in a box – we need a full garage full of tools and a variety of expertise to use them effectively. This is a luxury that many enterprises can't afford. Even with a security rock star, it helps to have a team of specialists and generalists who are able to create the architecture, monitoring the enterprise, configure the devices, remediate vulnerabilities, and educate employees. Not all those people need to have security in their title, but they do need it in their bones. They also need to have the training, context, and skills to use the tools to accomplish the task at hand. Security is a whole-enterprise endeavor. In that regard, the skills gap is wide – every person in the organization is responsible for protecting the enterprise, following the processes, and using the technology for the role which they were given. Filling this gap takes regular security awareness training, focused skills and knowledge training for IT professionals on the front lines of the security battle, willingness of the leadership team to craft and enforce good processes, and investment in the right technologies for the job. When the people, process and technology are all aligned in protecting the enterprise, security becomes much more effective. If you are looking to fill the skills gap and get someone on your team, Tripwire is willing to help. We have the right people, processes, and technology to assist you in your security and compliance needs with Tripwire ExpertOps.