As an independent consultant, I’ve had a unique opportunity to observe behaviors and trends in information security across industries. One thing that has stood out to me recently is that too many IT and security managers try to do everything in-house.

From technology implementations to audits and risk assessments to vulnerability scanning, a lot of chief information security officers (CISOs) are simply taking on too many responsibilities, and it’s leading to unnecessary security risks and incidents.

Why Are Security Managers Doing So Much?

This approach persists in many organizations regardless of the level of in-house expertise and security buy-in. Part of this is born out of budgetary constraints. As with most IT and security initiatives, dollars are limited, and they need to go to the greatest areas of need.

Internal politics also play a role. Often leadership is unconvinced that additional funds are necessary, and some executives even question the value of the IT department altogether. To be fair, we IT and security workers sometimes have a tendency to be overconfident and go about our business opaquely without adequately communicating across departments. This is a guaranteed recipe for self-sabotage.

Assess Less, Outsource More

Many security leaders stretch themselves too thin by micromanaging risk assessments, vulnerability and penetration testing, and audits. In many industries, and according to certain regulations, it is mandatory to hire an outside resource to do this work — but it’s just not happening in practice.

Keeping this work in-house is much less common in larger enterprises, but it does happen. In midsize companies it is far more prevalent, and it is a genuine conflict of interest. Small businesses often know they must outsource security assessments, but once they see the price tags of such services, they frequently decide they don’t need them after all.

I think it’s safe to say most people wouldn’t perform their own home inspection, nor would they perform their own CT scans or blood work to evaluate health issues. The tools, expertise and wisdom are just too hard to come by, and there’s too much on the line to try to do it all just to save a few bucks.

The same goes for security. I work with many administrators, developers and leaders in the IT and security space who are amazingly smart and great at what they do, but they’re not security experts. That won’t stop them from telling you about all the security initiatives they’re working on, however.

Evaluate Your Skill Sets

To spread security tasks more evenly among your staff, start by determining what you and your colleagues do well and which tasks you know you shouldn’t be doing. Then, determine what you can handle in-house and what you absolutely must outsource.

You might have people you consider to be cloud experts, administrators or analysts who can truly stay on top of things, and internal penetration testers who are excellent at finding niche flaws in web applications or network hosts. But that doesn’t mean your security program has been properly implemented or your systems have been adequately scrutinized. Having a diverse set of internal security competencies doesn’t automatically translate to an effective and resilient security program.

Consider the following questions when evaluating your current security capabilities:

  1. Do you have all the information you need to make reasonable security decisions?
  2. Have you addressed all the critical areas of the enterprise, including security standards and policy enforcement, alerting and monitoring, and uncovering potential and confirmed vulnerabilities?
  3. What areas of security do you feel you have mastered?
  4. What areas of security do you know little or nothing about?
  5. What areas of security, if improved internally, are you confident you could master in a short period of time?

Admit You Have a Problem

Failing to realize that you can’t be everything to everyone is a surefire way to build a half-baked security program that’s ready for compromise. The last thing you need is to operate with blind confidence and then have your efforts derailed by a malicious insider or cybercriminal.

Maybe you just need to outsource tactical security issues, such as system monitoring and incident response, vulnerability and penetration testing, and endpoint security — all common areas of weakness. Whatever opportunities you identify, outsourcing them is a good way to free up internal resources and allow staff members to concentrate on more strategic areas of security.

Regardless of which side of the equation you’re on, you must decide how you’re going to approach security, design a plan and stick with it. Whether it’s you and your team or a group of outside resources, the only defensible approach to security is to go beyond checking boxes to ensure that your information risks are properly analyzed and addressed.
