Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/11/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

IT Security Administrators Aren't Invincible

IT security administrators and their teams are responsible for evaluating an organization's security tools and technologies, but are they armed with the proper tools, considerations, and budget to do so? Fourth in a six-part series.

IT security administrators, who often have titles such as director of cybersecurity or director of security operations, are mid- to senior-level managers who typically report directly to the CISO, CSO, or CIO. They usually manage a team of security analysts or security managers, and their core responsibilities often include managing the operations of the organization's security operations center, managing network, application, cloud, and systems security; vulnerability and risk management; penetration testing; and employee security awareness. They're expected to work closely with IT, security leadership, compliance, legal, and other stakeholders. They act as interpreters between technical analysts and non-technical executives, and they have access to organizational infrastructure, tools, and technologies.

Common Mistakes
Security directors are in the middle of everything security-related, and it can be a major challenge to balance all of the responsibilities, especially on a limited budget. Because security directors are stretched so thin, they often must rely on the dashboards from their security products to provide their key performance indicators (KPIs) and metrics, and they limit technology purchases to familiar brands instead of conducting merit-based evaluations, perhaps of lesser-known products and companies.

Security teams strapped for time struggle to perform comprehensive evaluations of all available products that include non-functional but critical issues such as how successful the product is at its given function, its impact on system performance, how it works in the production environment, and how it compares with other vendors' offerings. And while security directors may be responsible for evaluating security technologies, security may not be their specialty; therefore, taking a risk on a startup with more advanced technologies may not seem prudent.

Additionally, security directors sometimes have a good understanding of infrastructure but lack in-depth understanding of cyberattacks and insight into how modern adversaries operate. Without clearly understanding the threats their organization faces and why, security directors may have a myopic view of operations and not properly look at long-term strategy.

Repercussions
Because of time concerns, budget constraints, inexperience with security, or lack of proper evaluation criteria, security directors may select tools that don't properly address their organization's needs. Whether they choose according to brand, price (as in inexpensive solutions that fit the budget or expensive options that represent perceived value), or pressure from senior leadership, the result is a product purchase that may not best suit their organization's concerns. The solution may be ineffective or overly complicated or create a security stack with too many products, increasing the administrative overhead and likelihood of interoperability issues.  

Security directors who depend on out-of-the-box KPIs that provide "safe" metrics may not accurately assess the security posture of the organization — or all the hard work that the security team does. This can result in incorrect prioritization, inaccurate allocation of resources, and a complete misunderstanding of the organization's security posture. Combined with a lack of long-term vision, the organization won't be able to improve the situation.

Minimize Mistakes
Security directors must work with leadership to determine their organization's risk profile and security posture before making new technology investments. They must also have and deploy the resources necessary to ensure due diligence and thorough product evaluations (including proof-of-concept trials). Considering the plethora of vendors and products, organizations must assess which products will have the biggest impact and yield the best return on investment to strengthen security posture.   

Security directors should also be able to bring in outside help for such assessments. Only a few organizations are equipped to measure non-functional requirements such as efficacy, impact on system performance, and false positives. Experienced third-party professionals can conduct such evaluations. Less-sophisticated organizations with limited budget and resources can refer to neutral third-party evaluations to determine whether vendors have performed consistently well in multiple tests. Security directors should also advocate for professional services budgets to ensure correct deployment and configuration as well as proper use based on vendor-recommended best practices.

When it comes to setting KPIs for the security team, security directors must make time to create both metrics for leadership that indicate the organization's security posture, and the team's efforts, as well as metrics that provide honest insight into how operations are running so that the KPIs become a basis for where improvements can be made. Suggested KPIs might combine data from several products using some type of automated collection and/or calculation to make the process of retrieving the numbers on a regular basis manageable.

Change the Paradigm
We must dispel the notion that more products equal more security. Organizations need a layered approach that incorporates operational simplicity, minimal redundancy, integrated management, and interoperability.

It's also important for security directors to continue in their education. We must recognize that security directors — and the teams that evaluate, purchase, deploy, and manage security technologies — must stay up-to-date on the cybersecurity landscape — and technology advancements like machine learning and big data analytics — to properly consider all options for the purchase and management of security products and services and effectively run security operations.

In addition, we must accept the fact that improving an organization's security posture does not happen exponentially or even linearly. For many reasons, KPIs may not improve quarter over quarter. Security directors must be able to report such KPIs without fearing the perception of failure. KPIs may appear disappointing because the security director made a decision that turned out to be off-target. But remember, these KPIs provide an opportunity to course-correct. And that needs to be acceptable because security directors make mistakes, too. What separates successful organizations from the rest is the ability to identify and correct their mistakes.

Keep a lookout for the fifth perspective in our series: programmers. Previously, we've covered end users, security leaders, and security analysts.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3896
PUBLISHED: 2019-06-19
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVE-2019-3954
PUBLISHED: 2019-06-19
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
CVE-2019-10085
PUBLISHED: 2019-06-19
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-11038
PUBLISHED: 2019-06-19
When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been ...
CVE-2019-11039
PUBLISHED: 2019-06-19
Function iconv_mime_decode_headers() in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.