Dark Reading is part of the Informa Tech Division of Informa PLC


10:00 AM
Jerry Gamblin

Why We Need More Blue Team Voices at the Table

The red team draws attention, but the blue team has the expertise to keep networks secure day in and day out.

I'm going to tell you one of the dirty secrets of enterprise cybersecurity. There are a lot of practitioners that secretly wish their company would get attacked.

Because at least then, someone would listen to them.

These people tend to reside on what we frequently refer to as the blue team. In cybersecurity exercises and simulations, blue team members are the defenders, tasked with keeping their mortal enemies out of corporate networks. In the real world, the blue team is cybersecurity. They are the operational masters, and they comprise most available cybersecurity jobs.

The problem is, the blue team is easily ignored, seen as an expense rather than an asset to the organization.

Red Team Has All the Luck
Let's face it. The red team is sexy. It carries this aura of underground street cred. Some red teamers started off as hacktivists and gray hats. Some of them parlayed criminal experience into six-figure incomes as public speakers and corporate consultants.

These are the folks Hollywood makes movies about. 

And when the red team makes waves, the media pays attention. And that makes CEOs and other executives pay attention. 

The focus on red teams creates a distorted picture of reality. Go to any major cybersecurity conference, and you'll find dozens of well-attended seminars led by red-team experts. 

It just so happens that everyone in the audience is from the blue team. 

That's because there isn't a deep ocean of red-team positions. Those jobs are relatively rare, and while the people holding red-team jobs are extremely technically competent, the financial incentive for companies to employ them arises — at least a little bit — from the marketing and brand exposure they bring. Most cybersecurity companies don't sell offensive capabilities. They sell blue-team tools — but they use red-team flashiness to do it. 

A Seat at the Table
Discussing this isn't sour grapes. After all, I am a professional security researcher, which technically makes me a red-team guy. 

But I've spent years on the blue team. I've learned that a lot of the cybersecurity conversation is driven by red teams. The result is that a not-insignificant chunk of corporate security strategy is developed in an environment where the practitioners don't hold influence that is on par with their expertise. 

The typical cybersecurity professional's day-to-day duties are incredibly important. They are also routine. Installing and tuning a Web application firewall and updating obscure applications aren't the material that turns into speaking engagements. 

If we can give the people that perform these functions a bigger voice, we'd drive more impact. Think about it this way: What's more likely to improve overall security — an immediate response to a new and novel threat, or a strategic, methodical improvement in vulnerability management? 

I think we all know the answer. 

Not Letting Blue Team Off the Hook
If you are a member of the blue team, you might be cheering right now, saying, "Finally, someone understands my pain. I've always wanted more decision-making power in my organization." 

But be careful what you wish for, because with great power comes great responsibility.

Having a seat at the table means solving problems, not just identifying them. And it means solving them with the resources you have. If you tell your colleagues, "we're at risk from X, Y, and Z," be prepared to tell them how to minimize that risk and what it will cost to do so. 

Cybersecurity is an expense on your company's balance sheet. Maintaining a seat at the table and getting the resources you need may require finding ways to generate revenue — or at least prevent things that drive revenue down. If you work for an e-commerce site, look for ways to cut down on bot traffic that might be scraping information from your website to undercut prices. If you work for a subscription-based service, look for ways to cut down on customers sharing accounts. 

These are small examples, but they have big impacts on the bottom line. They may yield the resources your company needs to reduce risk. And when that happens, maybe you won't secretly wish your company falls victim to an attack.

Jerry Gamblin's interest in security ignited in 1989 when he hacked Oregon Trail on his 3rd grade class Apple IIe. As a security evangelist, researcher and analyst, he has been featured on numerous blogs, podcasts and has spoken at security conferences around the world. When ...