By Douglas Ferguson, Founder & CTO, Pharos Security
It is widely accepted that there is a significant cybersecurity skills deficit. The result, it is argued, is that cybersecurity teams lack the human resources they need to be successful, and that CISOs and security teams therefore cannot effectively protect their organizations from breach and impact. What is usually left unsaid is that cybersecurity teams frequently undermine themselves by poorly calibrating and pitching their resource requirements, and by inadequately leveraging the expertise they already have.
Security can be described, in simple terms, as a wall: its height corresponds to the level of threat sophistication the program can counter, its width to coverage, and its depth to the types of control in place (predict, protect, detect, respond, recover). Each of these dimensions strongly influences the cost of a security program, and its ability to control breach outcomes against different types and sophistications of attack.
Not enough expertise
There are two key issues behind perceived expertise shortages:
- The over-reliance on high-end expertise
- The suboptimal leverage of adequate expertise
Countless times I have seen an organization lament its inability to find high-end security experts to anchor, design and implement the controls it believes to be high priority. Often, when high-profile experts are brought in, these controls become an ivory tower and a significant resource hog, usurping resources from less flashy, more commodity, but critical foundational controls. At the same time, the far more common commodity skills are de-emphasized and poorly leveraged in building out those mundane but foundational controls.
What has happened in the above case is an over-reliance on high-end expertise (as saviours) to compensate for the lack of an effective, threat- and cost-calibrated cybersecurity strategy and for unbalanced SecOps. The result is unexpectedly weak overall protection performance, which is why we see, again and again, security breaches at high-profile organizations that have plenty of security budget, technology and experts.
It is analogous to the many professional sports teams that overspend on a few superstars, to the detriment of having enough budget to pay for supporting players. Because you win as a team, the superstar's value is frittered away when their skill is relied on to carry the team rather than a cohesive team strategy. The 1980 Olympic hockey Miracle on Ice is a classic example of US teamwork triumphing over a collection of Soviet superstars on the way to the gold medal.
An effective security strategy follows a process like learning to crawl, then walk, then run. You must first be able to control low-sophistication threats (such as accidents and mischief) before you try to protect against hackers, and only then should you even consider trying to control espionage and nation-state actors.
The reality is that high-end cybersecurity expertise is rarely required for the bulk of foundational SecOps implementation and operation. What is needed instead is strong planning; threat, resource and cost calibration; project management; and measurement of SecOps KPIs aligned to pragmatic protection goals. There is a time for high-end expertise, in initial strategic planning and later in advanced tactics, but never as a cover for the lack of these.
Not enough budget
We often see budget requests denied or reduced because of headcount unit costs, the quantity requested, and sometimes location. How do we justify these costs in a pragmatic way?
The fundamental question to answer is: "What are we trying to achieve?" Answering it is what lets you control the cost variables. Human resource costs vary with skill sophistication, with more advanced skills being rarer and more expensive, and you only need to pay for those skills when the time is right.
In the eyes of executive leadership, those who ultimately approve budgets, security teams today do an inadequate job of calibrating and articulating the necessary level, quantity and location of specific skills. Because the cost of these skills varies with the dimensions of the security wall introduced above, security budgets are often uncalibrated, with overspend in some areas and underspend in others. The conclusion many executives draw is that security is a necessary evil, because it is very difficult to measure budget performance and protection outcomes.
Lack of cybersecurity 'common sense'
We often hear that 'humans are the weak link in cybersecurity', usually meaning that they do 'stupid things' that unintentionally help hackers. Security controls (people, process and technology) exist to control security outcomes, and they are largely intended to stop humans from doing something or from having access to something. When we blame humans as the weakest link, we are simply pointing out that the controls are not producing the desired security outcomes. The people to blame here are largely not the general workforce and the public, but the security practitioners whose job it is to produce controlled and expected outcomes. And when it comes to calibrating, gaining access to and leveraging the skills they need, those practitioners are often the victims of their own vicious cycle.
Cybersecurity performance, at both the program and the individual control level, suffers because humans are the weakest link, just not in the way that cybersecurity experts point their fingers.
About the Author
Douglas Ferguson, a security professional of over 20 years, is the Founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized operations build that to plan and on budget.
Prior to Pharos, Ferguson was with Barclays Bank in London, where he was responsible for numerous security programs and initiatives across more than 40 countries. Previously, Ferguson was a Managing Consultant and researcher on the acclaimed X-Force at Internet Security Systems. He delivered security services to more than 200 clients globally and was a co-creator of the breakthrough System Scanner technology. Douglas can be reached online at firstname.lastname@example.org and the Pharos website: https://pharossecurity.com/