Enterprises Must be Committed to Keeping their IT Security Staff Highly Trained on the Current Threat Landscape and Advanced Approaches to Security.
Nearly 200 years ago Horace Mann stated what has become a commonly held belief: education is the great equalizer. Yet when it comes to security, education tends to get put on the back burner. When we look at ways to strengthen weak links in the security chain (equalize our position with respect to attackers, if you will), our instinct is to focus on technology as the means for doing so. And while we can't address security without technology, we also need to consider education. There is no denying that security is just as much, if not more so, a people problem. And to address a people problem, education is foundational.
There are multiple aspects to the people problem. First, end users are easy targets; attackers are compromising their systems and gaining access to corporate networks and digital assets using techniques like:
• “Watering hole” attacks targeting specific industry-related websites to deliver malware
• Malvertising attacks which infect victims in the course of their normal Internet browsing, without the victim even clicking on the advertisement
• Spam emails incorporating social-engineering techniques so that they appear to be sent by well-known companies or other ‘trusted’ sources but contain links to malicious sites
• Third-party applications laced with malware and downloaded from popular online marketplaces
Second, users often see security as an inhibitor to getting their job done. As defenders we've probably all been in a situation where an employee has had issues with a company computer, knew it was a virus (indicated by the endless browser pop-ups), and chose to defer requesting assistance because it would "waste" a day while the computer was being fixed. By the time they finally alert you to the problem, they have already defaulted to personal systems, personal email accounts, USB drives, burned CDs, and printed documents, outright disregarding and circumventing corporate policy to "get their job done." The net result is that they, and defenders by extension, are locked into a repeating cycle of infection and insecurity.
Third, there’s an aspect to the people problem that’s associated with defenders. We have a widely acknowledged talent shortage where the number of cyber security jobs worldwide far exceeds the number of skilled professionals. Many organizations struggle to attract and retain enough skilled cyber security professionals to maintain a strong security posture and keep up with rapidly developing and evolving threats.
To address these weak links we need to consider training at all levels and across the organization.
First, we need to continuously educate users on safe habits to ensure they know how to recognize potential malware and stop clicking on it. They must also understand when and how to inform the organization of any suspicious occurrences so future attempts can be minimized and/or blocked. Raising awareness and offering simple suggestions, such as hovering over a link without clicking to view the intended URL, or not opening attachments you didn't request, and empowering users with access to channels and processes designed to ensure timely assistance when something is wrong, can go a long way in the fight against cyber attacks.
Second, security leaders and business leaders must learn how to work together to operationalize security. Security assessments reveal that the root cause of many security problems is a lack of operational maturity or capabilities, which leads to weak or nonexistent security controls. Operationalizing security involves continually improving practices based on a holistic view of risks. As security becomes more of a strategic risk, there is a growing need to achieve security operations maturity by making security a highly standardized and measured business process, or set of processes, reviewed regularly to make sure strategic objectives are being met. This requires that security and business leaders understand how to engage in productive dialogue to continuously assess and take action, so that IT security resources are deployed in ways that avoid unacceptable risk and translate into business value.
Third, organizations must also be committed to keeping their IT security staff highly trained on the current threat landscape and advanced approaches to security. Not only does this help increase security effectiveness, but it also helps engage and retain cyber security talent. Ongoing professional development with a specific focus on being able to identify an incident, classify it, and contain and eliminate it will help keep security teams apprised of the latest techniques used by attackers to disguise threats, exfiltrate data, and establish beachheads for future attacks. At the same time, training on evolving security technologies, like dynamic controls that let defenders see more, learn more, and adapt quickly, drives security operations maturity. Dynamic controls also help remove the perception of security as an inhibitor to business and help users work better, faster, and with fewer restrictions. Supplementing these controls with regular training and certifications not only gives security staff the opportunity to keep their credentials up to date, but also ensures that you are maximizing your security investments with a team that knows how to optimize these technologies for better protection.
There are many different types of weak links in the systems and processes we use. Fortunately, there are also many different things we can do to reduce their number and effects. Rather than instinctively turning to technology first and foremost as the great equalizer, we must remember that security is a people problem and look to education as well.