IT security administrators, who often have titles such as director of cybersecurity or director of security operations, are mid- to senior-level managers who typically report directly to the CISO, CSO, or CIO. They usually manage a team of security analysts or security managers, and their core responsibilities often include running the organization's security operations center; managing network, application, cloud, and systems security; vulnerability and risk management; penetration testing; and employee security awareness. They're expected to work closely with IT, security leadership, compliance, legal, and other stakeholders. They act as interpreters between technical analysts and non-technical executives, and they have broad access to organizational infrastructure, tools, and technologies.
Security directors are in the middle of everything security-related, and it can be a major challenge to balance all of the responsibilities, especially on a limited budget. Because security directors are stretched so thin, they often must rely on the dashboards from their security products to provide their key performance indicators (KPIs) and metrics, and they limit technology purchases to familiar brands instead of conducting merit-based evaluations, perhaps of lesser-known products and companies.
Security teams strapped for time struggle to perform comprehensive evaluations of all available products, evaluations that should include non-functional but critical criteria such as how effective the product is at its given function, its impact on system performance, how it behaves in the production environment, and how it compares with other vendors' offerings. And while security directors may be responsible for evaluating security technologies, security may not be their specialty; therefore, taking a risk on a startup with more advanced technology may not seem prudent.
Additionally, security directors sometimes have a good understanding of infrastructure but lack in-depth understanding of cyberattacks and insight into how modern adversaries operate. Without clearly understanding the threats their organization faces and why, security directors may have a myopic view of operations and not properly look at long-term strategy.
Because of time concerns, budget constraints, inexperience with security, or lack of proper evaluation criteria, security directors may select tools that don't properly address their organization's needs. Whether they choose according to brand, price (as in inexpensive solutions that fit the budget or expensive options that represent perceived value), or pressure from senior leadership, the result is a product purchase that may not best suit their organization's concerns. The solution may be ineffective or overly complicated or create a security stack with too many products, increasing the administrative overhead and likelihood of interoperability issues.
Security directors who depend on out-of-the-box KPIs that provide "safe" metrics may not accurately assess the security posture of the organization — or all the hard work that the security team does. This can result in incorrect prioritization, inaccurate allocation of resources, and a complete misunderstanding of the organization's security posture. Combined with a lack of long-term vision, the organization won't be able to improve the situation.
Security directors must work with leadership to determine their organization's risk profile and security posture before making new technology investments. They must also have and deploy the resources necessary to ensure due diligence and thorough product evaluations (including proof-of-concept trials). Considering the plethora of vendors and products, organizations must assess which products will have the biggest impact and yield the best return on investment to strengthen security posture.
Security directors should also be able to bring in outside help for such assessments. Only a few organizations are equipped to measure non-functional requirements such as efficacy, impact on system performance, and false positives. Experienced third-party professionals can conduct such evaluations. Less-sophisticated organizations with limited budget and resources can refer to neutral third-party evaluations to determine whether vendors have performed consistently well in multiple tests. Security directors should also advocate for professional services budgets to ensure correct deployment and configuration as well as proper use based on vendor-recommended best practices.
When it comes to setting KPIs for the security team, security directors must make time to create two kinds of metrics: metrics for leadership that indicate the organization's security posture and the team's efforts, and metrics that provide honest insight into how operations are actually running, so that the KPIs become a basis for identifying where improvements can be made. Suggested KPIs might combine data from several products, using some form of automated collection and/or calculation so that retrieving the numbers on a regular basis stays manageable.
Change the Paradigm
We must dispel the notion that more products equal more security. Organizations need a layered approach that incorporates operational simplicity, minimal redundancy, integrated management, and interoperability.
It's also important for security directors to continue their education. Security directors, and the teams that evaluate, purchase, deploy, and manage security technologies, must stay up-to-date on the cybersecurity landscape and on technology advancements like machine learning and big data analytics, so that they can properly consider all options for the purchase and management of security products and services and effectively run security operations.
In addition, we must accept the fact that improving an organization's security posture does not happen exponentially or even linearly. For many reasons, KPIs may not improve quarter over quarter. Security directors must be able to report such KPIs without fearing the perception of failure. KPIs may appear disappointing because the security director made a decision that turned out to be off-target. But remember, these KPIs provide an opportunity to course-correct. And that needs to be acceptable because security directors make mistakes, too. What separates successful organizations from the rest is the ability to identify and correct their mistakes.