Op-Ed: Who defends the defenders?

Their boards and executive teams have cyber security on their agendas and are deep in thought about what they are doing to protect themselves from an attack and then, when the inevitable happens, how they will move to contain, limit, and reduce the impact of that attack.

The pressure of expectations, the weight of not wanting to be the next company in the media for a data breach — and the lack of detailed knowledge on how best to protect and respond to the ongoing cyber threat — is heating up the market for those who do know how to manage these situations.

Practitioners of cyber security, “the defenders”, have always been in demand. The publicity surrounding many recent high-profile attacks makes this situation even more critical as companies and governments compete for talent. Worse still, there are simply not enough of these people to go around.

It’s a classic case of supply versus demand. By combining the heightened awareness around the possibilities of attack, the urgent need to improve company defences and postures, and the increased scrutiny from boards, shareholders, customers, and the public, you increase the demands that are being placed on a small number of highly experienced cyber defenders.

This pressure, combined with the lack of investment over several years and the sudden explosion of new money to “improve our protection”, will lead to a much higher churn rate for cyber security staff and likely a higher burnout rate, where these people leave the industry for an easier life.

So, how do organisations better assist the defenders in doing their best work, reduce the stress and pressure, and improve their overall stance to better respond to the threats to their operations?

Most would turn to technology and more tooling to drive greater ability, but with many corporate organisations already having deployed more than 100 third-party security tools and the large increase in global spending on cyber products and services (around US$150 billion per year globally), more tooling is not necessarily the answer to this situation.

So, if not more tools, then what is the right approach?

VIEW ALL

Firstly, we all need to accept that a small number of defenders, no matter how well-equipped, will not be able to succeed against a near-infinite number of enemy attackers. Put simply, security is a “team sport”, and everyone needs to play their position.

From ensuring your staff are well versed in spotting phishing emails, to having clear policies in place to prevent incorrect payments to suppliers and partners, to making sure your executives realise they are high-value targets for compromise, there are many factors that need to be considered as a part of your cyber defence strategies.

Let’s “ladder up” the approach:

• First, let’s decide what are our most critical data assets. They may be plans for our newest product, our customer’s credit cards, their medical information, or the data we hold about our staff members.
• Then, let’s consult an industry standard model for cyber attacks. Tools like the Mitre Att&ck framework, NIST, ASD Essential 8, and others make for a good starting point to consider risks to our business.
• We then take the asset, apply the most likely attacks against these assets, and then assess the impact if one of these assets was released outside your company.

With this, we have a clear view of what we need to protect, how likely an attack is to occur, and what type of attack is most likely.

As a result, we now know how to deploy our limited budgets and staffing towards our most critical infrastructure or applications. We can also choose tools that are most suited to a particular attack, attacker, or information asset and ensure that our tools, procedures, and processes are also aligned.

Equally, we can assess different training methods, tools, and vendors against a clear criterion that is suited to our business and make selections based on what is best for our business, not just what is best known or has the greatest advertising.

Now we can turn our attention to helping our defenders do their best work. We have assessed and articulated which of our assets are the most critical, we have trained our staff how to be vigilant for the most likely types of attacks against these assets, and we have deployed tooling that can give us the best early warning of any attempt to corrupt or compromise these assets.

From here, our defenders can focus their attention on a proactive defence strategy and scenario planning to remain abreast of any changes in the threat landscape relative to our key data. For example, developing attack and defence scenarios, implementing telemetry that can provide a warning of an attack, and organising red/blue teaming events to test the strength of the defences.

In addition, our board reporting — reporting to external regulators or stakeholders — also becomes clearer. We can articulate directly which assets fit into which category, how these assets are being protected and which processes we are using to ensure the veracity of the protection and the asset.

Most of all, we protect our company from the worst threat of all — the question, “Are we protected?”. To this, our defenders have a complete framework within which to answer, and the questioners have a complete framework within which to ask deeper, more meaningful questions.

Taking this approach will reduce the burden on your defenders, will help them continue to be effective and efficient, and will help your company do the best it can with limited budgets and an even more limited pool of defenders.

Darren Reid is the senior director, security business unit, Asia-Pacific and Japan, at VMware.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.