As an independent consultant, I’ve had a unique opportunity to observe behaviors and trends in information security across industries. One thing that has stood out to me recently is that too many IT and security managers try to do everything in-house.

From technology implementations to audits and risk assessments to vulnerability scanning, a lot of chief information security officers (CISOs) are simply taking on too many responsibilities, and it’s leading to unnecessary security risks and incidents.

Why Are Security Managers Doing So Much?

This approach persists in many organizations regardless of the level of in-house expertise and security buy-in. Part of this is born of budgetary constraints. As with most IT and security initiatives, dollars are limited, and they need to go to the greatest areas of need.

Internal politics also play a role. Often leadership is unconvinced that additional funds are necessary, and some executives even question the value of the IT department altogether. To be fair, we IT and security workers sometimes have a tendency to be overconfident and go about our business opaquely without adequately communicating across departments. This is a guaranteed recipe for self-sabotage.

Assess Less, Outsource More

Many security leaders stretch themselves too thin by micromanaging risk assessments, vulnerability and penetration testing, and audits. In many industries, and according to certain regulations, it is mandatory to hire an outside resource to do this work — but it’s just not happening in practice.

Doing this work in-house is much less common in larger enterprises, but it does take place. For midsize companies, it's much more prevalent and a true conflict of interest. Small businesses often know they must outsource security assessments. However, once they see the price tags of such services, they often decide they don't need it after all.

I think it’s safe to say most people wouldn’t perform their own home inspection, nor would they perform their own CT scans or blood work to evaluate health issues. The tools, expertise and wisdom are just too hard to come by, and there’s too much on the line to try to do it all just to save a few bucks.

The same goes for security. I work with many administrators, developers and leaders in the IT and security space who are amazingly smart and great at what they do, but they’re not security experts. That won’t stop them from telling you about all the security initiatives they’re working on, however.

Evaluate Your Skill Sets

To spread security tasks more evenly among your staff, start by determining what you and your colleagues do well and which tasks you know you shouldn't be doing. Then, determine what you can handle in-house and what you absolutely must outsource.

You might have people you consider to be cloud experts, administrators or analysts who can truly stay on top of things, and internal penetration testers who are excellent at finding niche flaws in web applications or network hosts. But that doesn’t mean your security program has been properly implemented or your systems have been adequately scrutinized. Having a diverse set of internal security competencies doesn’t automatically translate to an effective and resilient security program.

Consider the following questions when evaluating your current security capabilities:

  1. Do you have all the information you need to make reasonable security decisions?
  2. Have you addressed all the critical areas of the enterprise, including security standards and policy enforcement, alerting and monitoring, and uncovering potential and confirmed vulnerabilities?
  3. What areas of security do you feel you have mastered?
  4. What areas of security do you know little or nothing about?
  5. What areas of security, if improved internally, are you confident you could master in a short period of time?

Admit You Have a Problem

Failing to realize that you can’t be everything to everyone is a surefire way to build a half-baked security program that’s ready for compromise. The last thing you need is to operate with blind confidence and then have your efforts derailed by a malicious insider or cybercriminal.

Maybe you just need to outsource tactical security issues, such as system monitoring and incident response, vulnerability and penetration testing, and endpoint security — all common areas of weakness. Whatever opportunities you identify, it’s a good way to free up internal resources and allow staff members to concentrate on more strategic areas of security.

Regardless of which side of the equation you’re on, you must decide how you’re going to approach security, design a plan and stick with it. Whether it’s you and your team or a group of outside resources, the only defensible approach to security is to go beyond checking boxes to ensure that your information risks are properly analyzed and addressed.
