Jerry Gamblin
Why We Need More Blue Team Voices at the Table

The red team draws attention, but the blue team has the expertise to keep networks secure day in and day out.

I'm going to tell you one of the dirty secrets of enterprise cybersecurity: there are a lot of practitioners who secretly wish their company would get attacked.

Because at least then, someone would listen to them.

These people tend to reside on what we frequently refer to as the blue team. In cybersecurity exercises and simulations, blue team members are the defenders, tasked with keeping their mortal enemies out of corporate networks. In the real world, the blue team is cybersecurity. They are the operational masters, and they comprise most available cybersecurity jobs.

The problem is, the blue team is easily ignored, seen as an expense rather than an asset to the organization.

Red Team Has All the Luck
Let's face it. The red team is sexy. It carries this aura of underground street cred. Some red teamers started off as hacktivists and gray hats. Some of them parlayed criminal experience into six-figure incomes as public speakers and corporate consultants.

These are the folks Hollywood makes movies about. 

And when the red team makes waves, the media pays attention. And that makes CEOs and other executives pay attention. 

The focus on red teams creates a distorted picture of reality. Go to any major cybersecurity conference, and you'll find dozens of well-attended seminars led by red-team experts. 

It just so happens that everyone in the audience is from the blue team. 

That's because there isn't a deep ocean of red-team positions. Those jobs are relatively rare, and while the people holding red-team jobs are extremely technically competent, the financial incentive for companies to employ them arises — at least a little bit — from the marketing and brand exposure they bring. Most cybersecurity companies don't sell offensive capabilities. They sell blue-team tools — but they use red-team flashiness to do it. 

A Seat at the Table
Discussing this isn't sour grapes. After all, I am a professional security researcher, which technically makes me a red-team guy. 

But I've spent years on the blue team. I've learned that a lot of the cybersecurity conversation is driven by red teams. The result is that a not-insignificant chunk of corporate security strategy is developed in an environment where the practitioners don't hold influence that is on par with their expertise. 

The typical cybersecurity professional's day-to-day duties are incredibly important. They are also routine. Installing and tuning a Web application firewall and updating obscure applications aren't the material that turns into speaking engagements. 

If we can give the people that perform these functions a bigger voice, we'd drive more impact. Think about it this way: What's more likely to improve overall security — an immediate response to a new and novel threat, or a strategic, methodical improvement in vulnerability management? 

I think we all know the answer. 

Not Letting Blue Team Off the Hook
If you are a member of the blue team, you might be cheering right now, saying, "Finally, someone understands my pain. I've always wanted more decision-making power in my organization." 

But be careful what you wish for, because with great power comes great responsibility.

Having a seat at the table means solving problems, not just identifying them. And it means solving them with the resources you have. If you tell your colleagues, "we're at risk from X, Y, and Z," be prepared to tell them how to minimize that risk and what it will cost to do so. 

Cybersecurity is an expense on your company's balance sheet. Maintaining a seat at the table and getting the resources you need may require finding ways to generate revenue — or at least prevent things that drive revenue down. If you work for an e-commerce site, look for ways to cut down on bot traffic that might be scraping information from your website to undercut prices. If you work for a subscription-based service, look for ways to cut down on customers sharing accounts. 

These are small examples, but they have big impacts on the bottom line. They may yield the resources your company needs to reduce risk. And when that happens, maybe you won't secretly wish your company falls victim to an attack.

Jerry Gamblin's interest in security ignited in 1989 when he hacked Oregon Trail on his 3rd grade class Apple IIe. As a security evangelist, researcher and analyst, he has been featured on numerous blogs and podcasts and has spoken at security conferences around the world. When ...
