Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/11/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

IT Security Administrators Aren't Invincible

IT security administrators and their teams are responsible for evaluating an organization's security tools and technologies, but are they armed with the proper tools, considerations, and budget to do so? Fourth in a six-part series.

IT security administrators, who often have titles such as director of cybersecurity or director of security operations, are mid- to senior-level managers who typically report directly to the CISO, CSO, or CIO. They usually manage a team of security analysts or security managers, and their core responsibilities often include managing the operations of the organization's security operations center, managing network, application, cloud, and systems security; vulnerability and risk management; penetration testing; and employee security awareness. They're expected to work closely with IT, security leadership, compliance, legal, and other stakeholders. They act as interpreters between technical analysts and non-technical executives, and they have access to organizational infrastructure, tools, and technologies.

Common Mistakes
Security directors are in the middle of everything security-related, and it can be a major challenge to balance all of the responsibilities, especially on a limited budget. Because security directors are stretched so thin, they often must rely on the dashboards from their security products to provide their key performance indicators (KPIs) and metrics, and they limit technology purchases to familiar brands instead of conducting merit-based evaluations, perhaps of lesser-known products and companies.

Security teams strapped for time struggle to perform comprehensive evaluations of all available products that include non-functional but critical issues such as how successful the product is at its given function, its impact on system performance, how it works in the production environment, and how it compares with other vendors' offerings. And while security directors may be responsible for evaluating security technologies, security may not be their specialty; therefore, taking a risk on a startup with more advanced technologies may not seem prudent.

Additionally, security directors sometimes have a good understanding of infrastructure but lack in-depth understanding of cyberattacks and insight into how modern adversaries operate. Without clearly understanding the threats their organization faces and why, security directors may have a myopic view of operations and not properly look at long-term strategy.

Repercussions
Because of time concerns, budget constraints, inexperience with security, or lack of proper evaluation criteria, security directors may select tools that don't properly address their organization's needs. Whether they choose according to brand, price (as in inexpensive solutions that fit the budget or expensive options that represent perceived value), or pressure from senior leadership, the result is a product purchase that may not best suit their organization's concerns. The solution may be ineffective or overly complicated or create a security stack with too many products, increasing the administrative overhead and likelihood of interoperability issues.  

Security directors who depend on out-of-the-box KPIs that provide "safe" metrics may not accurately assess the security posture of the organization — or all the hard work that the security team does. This can result in incorrect prioritization, inaccurate allocation of resources, and a complete misunderstanding of the organization's security posture. Combined with a lack of long-term vision, the organization won't be able to improve the situation.

Minimize Mistakes
Security directors must work with leadership to determine their organization's risk profile and security posture before making new technology investments. They must also have and deploy the resources necessary to ensure due diligence and thorough product evaluations (including proof-of-concept trials). Considering the plethora of vendors and products, organizations must assess which products will have the biggest impact and yield the best return on investment to strengthen security posture.   

Security directors should also be able to bring in outside help for such assessments. Only a few organizations are equipped to measure non-functional requirements such as efficacy, impact on system performance, and false positives. Experienced third-party professionals can conduct such evaluations. Less-sophisticated organizations with limited budget and resources can refer to neutral third-party evaluations to determine whether vendors have performed consistently well in multiple tests. Security directors should also advocate for professional services budgets to ensure correct deployment and configuration as well as proper use based on vendor-recommended best practices.

When it comes to setting KPIs for the security team, security directors must make time to create both metrics for leadership that indicate the organization's security posture, and the team's efforts, as well as metrics that provide honest insight into how operations are running so that the KPIs become a basis for where improvements can be made. Suggested KPIs might combine data from several products using some type of automated collection and/or calculation to make the process of retrieving the numbers on a regular basis manageable.

Change the Paradigm
We must dispel the notion that more products equal more security. Organizations need a layered approach that incorporates operational simplicity, minimal redundancy, integrated management, and interoperability.

It's also important for security directors to continue in their education. We must recognize that security directors — and the teams that evaluate, purchase, deploy, and manage security technologies — must stay up-to-date on the cybersecurity landscape — and technology advancements like machine learning and big data analytics — to properly consider all options for the purchase and management of security products and services and effectively run security operations.

In addition, we must accept the fact that improving an organization's security posture does not happen exponentially or even linearly. For many reasons, KPIs may not improve quarter over quarter. Security directors must be able to report such KPIs without fearing the perception of failure. KPIs may appear disappointing because the security director made a decision that turned out to be off-target. But remember, these KPIs provide an opportunity to course-correct. And that needs to be acceptable because security directors make mistakes, too. What separates successful organizations from the rest is the ability to identify and correct their mistakes.

Keep a lookout for the fifth perspective in our series: programmers. Previously, we've covered end users, security leaders, and security analysts.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Artist Uses Malware in Installation
Dark Reading Staff 5/17/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12198
PUBLISHED: 2019-05-20
In GoHttp through 2017-07-25, there is a stack-based buffer over-read via a long User-Agent header.
CVE-2019-12185
PUBLISHED: 2019-05-20
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web r...
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.