Cybersecurity is a complex domain that continues to evolve and expand. It’s important for security teams to keep up with new technologies and developing trends around work, such as agile software development and value stream alignments. In my experience, working across a number of organizations directly and in a consultative capacity, there are consistent things that are often overlooked. These things may not be sexy or shiny objects, but they are foundational for many security programs to thrive and be successful.
1. Asset Management
Even though it’s a core activity in most control frameworks, getting asset management down is not typically a first-class priority. Assets also come in many shapes and sizes, depending on how detailed one wants to get, including:
- IP addresses
- Devices (servers, workstations, mobile, etc.)
- Code repositories
- Container images
- Cloud resources (accounts, specific deployed resources, etc.)
Getting asset management right, in a way where it can be maintained and scaled, will enable other critical security functions, such as vulnerability management. Knowing whom to engage, when to engage them, and how to engage them when something happens is a huge time saver.
2. Data Organization and Access
I’ve noticed a tendency in cybersecurity teams to jump right into emerging technology trends, such as machine learning, data analytics, or even SOAR automation. To make the most out of any data-driven products, your data needs to be in a good place. To me, that means breaking down the silos that often exist in cybersecurity and organizing data. It also entails making sure that the right people and tools can get to it. Analytics or other data-related efforts will be short-changed or potentially be downright misleading if given incomplete data.
3. Decision-Making Processes
Security teams make a lot of decisions. Oftentimes, the decision-making process is highly dependent on the personalities and biases of the individuals making them at a given time.
Investing time in creating repeatable frameworks to make big and small decisions can help replace that subjectivity with more of an objective position. Teams will likely find that, as they go through this process, there’s a lot of structure needed to facilitate more repeatable decision-making.
A prime example of this is deciding whether a given risk is acceptable. How do you measure that? What do you compare it to? Who sets the threshold of acceptability?
4. Opportunities to Reduce Cognitive Load
Security training often encourages those who take it to learn a wide range of hygiene-related skills. This can include how to detect phishing emails, create and manage secure passwords, what to do when you’re on public Wi-Fi, and more.
I’ve oftentimes found security teams quick to lean on their training as a means of protecting against the things referred to within training. However, there is a missing link. Security teams are actively seeking opportunities to make something easier for end users, so much so that it no longer needs to be included in the training. Everyone has another job to do that isn’t security. The more we, as a discipline, can do to reduce the cognitive load on others and focus on the things that truly matter, the better.
5. Accessibility and Approachability of the Team
“Culture eats strategy for breakfast.” You’ve probably heard that quote from management consultant and author, Peter Drucker.
Security teams need to work through other teams to mitigate risk. Patching, writing secure code, doing background checks, onboarding and off-boarding, managing security requirements in contracts, and so much more are things typically driven by non-security teams.
I firmly believe that security leaders need to be constantly thinking about the culture and accessibility of their teams. People need to be able and willing to engage with the security team. At the same time, security teams need to be actively engaging other teams. Creating and maintaining engaging conversations is an important part of a security culture.
Concluding Thoughts
Security leaders have a very diverse set of factors to consider in their strategies. The list above is by no means exhaustive; it doesn’t even scratch the surface. These things are, however, oftentimes neglected in the planning and execution of a security program. When they are neglected, they can be a drain on all the other amazing things security teams may be working on — like running a race with hurdles in your path and an anchor tied to your waist.