Careers & People

3/11/2019
10:30 AM

IT Security Administrators Aren't Invincible

IT security administrators and their teams are responsible for evaluating an organization's security tools and technologies, but are they armed with the proper tools, considerations, and budget to do so? Fourth in a six-part series.

IT security administrators, who often have titles such as director of cybersecurity or director of security operations, are mid- to senior-level managers who typically report directly to the CISO, CSO, or CIO. They usually manage a team of security analysts or security managers, and their core responsibilities often include running the organization's security operations center; managing network, application, cloud, and systems security; vulnerability and risk management; penetration testing; and employee security awareness. They're expected to work closely with IT, security leadership, compliance, legal, and other stakeholders. They act as interpreters between technical analysts and non-technical executives, and they have broad access to organizational infrastructure, tools, and technologies.

Common Mistakes
Security directors are in the middle of everything security-related, and it can be a major challenge to balance all of the responsibilities, especially on a limited budget. Because security directors are stretched so thin, they often must rely on the dashboards from their security products to provide their key performance indicators (KPIs) and metrics, and they limit technology purchases to familiar brands instead of conducting merit-based evaluations, perhaps of lesser-known products and companies.

Security teams strapped for time struggle to perform comprehensive evaluations of the available products, evaluations that should cover criteria beyond the feature list: how well the product actually performs its stated function, its impact on system performance, how it behaves in the production environment, and how it compares with other vendors' offerings. And while security directors may be responsible for evaluating security technologies, security may not be their specialty, so taking a risk on a startup with more advanced technology may not seem prudent.

Additionally, security directors sometimes have a good understanding of infrastructure but lack in-depth understanding of cyberattacks and insight into how modern adversaries operate. Without clearly understanding the threats their organization faces and why, security directors may have a myopic view of operations and not properly look at long-term strategy.

Repercussions
Because of time concerns, budget constraints, inexperience with security, or lack of proper evaluation criteria, security directors may select tools that don't properly address their organization's needs. Whether they choose according to brand, price (as in inexpensive solutions that fit the budget or expensive options that represent perceived value), or pressure from senior leadership, the result is a product purchase that may not best suit their organization's concerns. The solution may be ineffective or overly complicated or create a security stack with too many products, increasing the administrative overhead and likelihood of interoperability issues.  

Security directors who depend on out-of-the-box KPIs that provide "safe" metrics may not accurately assess the security posture of the organization — or all the hard work that the security team does. This can result in incorrect prioritization, inaccurate allocation of resources, and a complete misunderstanding of the organization's security posture. Combined with a lack of long-term vision, the organization won't be able to improve the situation.

Minimize Mistakes
Security directors must work with leadership to determine their organization's risk profile and security posture before making new technology investments. They must also have and deploy the resources necessary to ensure due diligence and thorough product evaluations (including proof-of-concept trials). Considering the plethora of vendors and products, organizations must assess which products will have the biggest impact and yield the best return on investment to strengthen security posture.   

Security directors should also be able to bring in outside help for such assessments. Few organizations are equipped to measure criteria such as efficacy, impact on system performance, and false-positive rates in-house; experienced third-party professionals can conduct such evaluations. Less-sophisticated organizations with limited budget and resources can refer to neutral third-party evaluations to determine whether vendors have performed consistently well across multiple tests. Security directors should also advocate for professional services budgets to ensure correct deployment and configuration, as well as proper use based on vendor-recommended best practices.

When it comes to setting KPIs for the security team, security directors must make time to create two kinds of metrics: metrics for leadership that reflect both the organization's security posture and the team's efforts, and operational metrics that give honest insight into how operations are actually running, so that the KPIs become a basis for deciding where improvements should be made. Useful KPIs often combine data from several products, so some form of automated collection and calculation is needed to make retrieving the numbers on a regular basis manageable.
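As an added example (not from the article or its author), the following Python sketch shows the kind of automated, cross-product KPI calculation the paragraph describes. It normalizes constructed alert exports from two hypothetical products (a SIEM and an EDR tool, each with its own field names) into one shape to compute mean time to detect and respond, and it computes vulnerability SLA compliance two ways from constructed ticket data: the comfortable "closed within SLA" number a dashboard tends to show, and an honest number that also counts tickets still open past their target. All product names, field names, SLA targets, and records are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean
from typing import Optional

# Constructed sample exports. Field names are assumptions; real numbers would
# be pulled from each product's API or scheduled export.
SIEM_ALERTS = [
    {"id": "siem-1", "activity": "2019-03-01T08:00", "raised": "2019-03-01T09:30", "contained": "2019-03-01T13:00"},
    {"id": "siem-2", "activity": "2019-03-03T22:15", "raised": "2019-03-04T07:15", "contained": "2019-03-04T09:15"},
]
EDR_ALERTS = [
    {"alert": "edr-1", "first_seen": "2019-03-02T09:45", "detected": "2019-03-02T10:00", "closed": "2019-03-02T11:00"},
    {"alert": "edr-2", "first_seen": "2019-03-05T01:00", "detected": "2019-03-05T04:00", "closed": None},  # still open
]
VULN_TICKETS = [
    {"id": "vuln-1", "severity": "critical", "opened": "2019-02-20", "closed": "2019-02-25"},
    {"id": "vuln-2", "severity": "critical", "opened": "2019-02-01", "closed": "2019-02-15"},
    {"id": "vuln-3", "severity": "high", "opened": "2019-02-01", "closed": "2019-02-28"},
    {"id": "vuln-4", "severity": "critical", "opened": "2019-03-01", "closed": None},
    {"id": "vuln-5", "severity": "high", "opened": "2019-03-05", "closed": None},
    {"id": "vuln-6", "severity": "medium", "opened": "2018-12-01", "closed": None},
]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}  # assumed remediation targets


@dataclass
class Incident:
    source: str
    ident: str
    activity: datetime            # earliest attacker activity established by investigation
    detected: datetime            # when the product raised the alert
    contained: Optional[datetime]  # None while the incident is still open


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def normalize(siem, edr):
    """Map both products' schemas onto one Incident shape so they can be combined."""
    incidents = [Incident("siem", a["id"], _ts(a["activity"]), _ts(a["raised"]), _ts(a["contained"])) for a in siem]
    incidents += [Incident("edr", a["alert"], _ts(a["first_seen"]), _ts(a["detected"]), _ts(a["closed"])) for a in edr]
    return incidents


def _hours(delta):
    return delta.total_seconds() / 3600


def detection_metrics(incidents):
    """Mean time to detect and mean time to respond (hours), plus open incidents."""
    mttd = mean(_hours(i.detected - i.activity) for i in incidents)
    contained = [i for i in incidents if i.contained is not None]
    mttr = mean(_hours(i.contained - i.detected) for i in contained)
    return {
        "mttd_hours": round(mttd, 2),
        "mttr_hours": round(mttr, 2),
        "open_incidents": len(incidents) - len(contained),
    }


def remediation_metrics(tickets, as_of: date):
    """SLA compliance reported two ways: closed tickets only, and honestly."""
    met, breached, overdue_open = [], [], []
    for t in tickets:
        sla = SLA_DAYS[t["severity"]]  # KeyError on an unknown severity is deliberate
        opened = date.fromisoformat(t["opened"])
        closed = date.fromisoformat(t["closed"]) if t["closed"] else None
        age_days = ((closed or as_of) - opened).days
        if closed is not None:
            (met if age_days <= sla else breached).append(t["id"])
        elif age_days > sla:          # open and already past its target
            breached.append(t["id"])
            overdue_open.append(t["id"])
        # open tickets still inside their SLA window are pending and not counted
    closed_count = sum(1 for t in tickets if t["closed"])
    return {
        # the "safe" dashboard number: ignores everything still open past SLA
        "closed_within_sla_pct": round(100 * len(met) / closed_count, 1),
        # the honest number: late closures and overdue open tickets both count
        "sla_compliance_pct": round(100 * len(met) / (len(met) + len(breached)), 1),
        "overdue_open": overdue_open,
    }


def monthly_report(as_of: date):
    """Everything a director would put in front of leadership, in one call."""
    return {**detection_metrics(normalize(SIEM_ALERTS, EDR_ALERTS)),
            **remediation_metrics(VULN_TICKETS, as_of)}


if __name__ == "__main__":
    print(monthly_report(date(2019, 3, 11)))
```

Run as a scheduled job, the same script produces the same numbers every reporting period, which is what makes quarter-over-quarter comparison meaningful. On the constructed data the closed-only figure is 66.7% while the honest figure is 40.0%, which is exactly the gap the article warns about when directors lean on out-of-the-box dashboard KPIs.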

Change the Paradigm
We must dispel the notion that more products equal more security. Organizations need a layered approach that incorporates operational simplicity, minimal redundancy, integrated management, and interoperability.

It's also important for security directors to continue their education. Security directors, and the teams that evaluate, purchase, deploy, and manage security technologies, must stay current on the cybersecurity landscape and on technology advances such as machine learning and big-data analytics in order to weigh all options when purchasing and managing security products and services, and to run security operations effectively.

In addition, we must accept the fact that improving an organization's security posture does not happen exponentially or even linearly. For many reasons, KPIs may not improve quarter over quarter. Security directors must be able to report such KPIs without fearing the perception of failure. KPIs may appear disappointing because the security director made a decision that turned out to be off-target. But remember, these KPIs provide an opportunity to course-correct. And that needs to be acceptable because security directors make mistakes, too. What separates successful organizations from the rest is the ability to identify and correct their mistakes.

Keep a lookout for the fifth perspective in our series: programmers. Previously, we've covered end users, security leaders, and security analysts.


Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ...