An Open Letter to Security Managers: Stop Trying to Do It All

As an independent consultant, I’ve had a unique opportunity to observe behaviors and trends in information security across industries. One thing that has stood out to me recently is that too many IT and security managers try to do everything in-house.

From technology implementations to audits and risk assessments to vulnerability scanning, a lot of chief information security officers (CISOs) are simply taking on too many responsibilities, and it’s leading to unnecessary security risks and incidents.

Why Are Security Managers Doing So Much?

This approach persists in many organizations regardless of the level of in-house expertise and security buy-in. Part of this is born out of budgetary constraints. As with most IT and security initiatives, dollars are limited, and they need to go to the greatest areas of need.

Internal politics also play a role. Often leadership is unconvinced that additional funds are necessary, and some executives even question the value of the IT department altogether. To be fair, we IT and security workers sometimes have a tendency to be overconfident and go about our business opaquely without adequately communicating across departments. This is a guaranteed recipe for self-sabotage.

Assess Less, Outsource More

Many security leaders stretch themselves too thin by micromanaging risk assessments, vulnerability and penetration testing, and audits. In many industries, and according to certain regulations, it is mandatory to hire an outside resource to do this work — but it’s just not happening in practice.

This is much less common in larger enterprises, but it does take place. For midsize companies, it’s much more prevalent and a true conflict of interest. Small businesses often know they must outsource security assessments. However, once they see the price tags of such services, they often decide they don’t need it after all.

I think it’s safe to say most people wouldn’t perform their own home inspection, nor would they perform their own CT scans or blood work to evaluate health issues. The tools, expertise and wisdom are just too hard to come by, and there’s too much on the line to try to do it all just to save a few bucks.

The same goes for security. I work with many administrators, developers and leaders in the IT and security space who are amazingly smart and great at what they do, but they’re not security experts. That won’t stop them from telling you about all the security initiatives they’re working on, however.

Evaluate Your Skill Sets

To spread security tasks more evenly among your staff, start by determining what you and your colleagues do well and tasks you know you shouldn’t be doing. Then, determine what you can handle in-house and what you absolutely must outsource.

You might have people you consider to be cloud experts, administrators or analysts who can truly stay on top of things, and internal penetration testers who are excellent at finding niche flaws in web applications or network hosts. But that doesn’t mean your security program has been properly implemented or your systems have been adequately scrutinized. Having a diverse set of internal security competencies doesn’t automatically translate to an effective and resilient security program.

Consider the following questions when evaluating your current security capabilities:

  1. Do you have all the information you need to make reasonable security decisions?
  2. Have you addressed all the critical areas of the enterprise, including security standards and policy enforcement, alerting and monitoring, and uncovering potential and confirmed vulnerabilities?
  3. What areas of security do you feel you have mastered?
  4. What areas of security do we know little or nothing about?
  5. What areas of security, if improved internally, are you confident you could master in a short period of time?

Admit You Have a Problem

Failing to realize that you can’t be everything to everyone is a surefire way to build a half-baked security program that’s ready for compromise. The last thing you need is to operate with blind confidence and then have your efforts derailed by a malicious insider or cybercriminal.

Maybe you just need to outsource tactical security issues, such as system monitoring and incident response, vulnerability and penetration testing, and endpoint security — all common areas of weakness. Whatever opportunities you identify, it’s a good way to free up internal resources and allow staff members to concentrate on more strategic areas of security.

Regardless of which side of the equation you’re on, you must decide how you’re going to approach security, design a plan and stick with it. Whether it’s you and your team or a group of outside resources, the only defensible approach to security is to go beyond checking boxes to ensure that your information risks are properly analyzed and addressed.

Kevin Beaver

Independent Information Security Consultant

Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle...