Editor's note: The following is a guest article from Rich Reybok, senior director of software engineering at ServiceNow.
Let’s be honest: Security is a rough industry to be in.
In-house and third-party cybersecurity experts have a ton of responsibilities and work in a hard-to-understand field with real-world consequences. Outsiders, even those within the same organization, don't necessarily know what security teams do. When everything goes right, teams are invisible. When something goes wrong, security professionals are the ones who are criticized.
It's fair to say, in a lot of ways, this job sucks — even though it's great in so many ways.
Because security teams are tasked with keeping data, customers and organizations secure, people sometimes misunderstand what they do. But when security partners with these stakeholders, great things happen.
A Pack of Sheep Surrounded by Wolves
State-sponsored attacks, ransomware and targeted misinformation are all tools of war in an information age. And all organizations, no matter what field they are in, hold data that facilitates it.
Many of these attacks aren't even reported by the press or known by outsiders. According to the Ponemon Institute and IBM Security's 2017 Cost of Data Breach Study, the average time it takes to identify a data breach is 191 days.
The security industry can be the proverbial pack of sheep surrounded by wolves. That's why security professionals often stick together across organizations. A financial firm's security officer at a rival company may tell you they encountered a weird virus and offer to send samples.
The balance of power in the equation is so off when protecting data; everything security professionals can do to help each other helps the good guys. By working with peers — either informally or through Information Sharing Analysis Organizations (ISAOs) or Information Sharing and Analysis Centers (ISACs), security teams can all do a better job of defending organizations. Even if an organization is hacked, sharing what happened can be an early warning system for someone else.
If security professionals don't stick together, things can go wrong quickly.
For security teams, a big part of the challenge is workflow management. It's difficult to allocate resources between detection and operational capabilities and to find the right blend of defensive and offensive posturing.
There are too many incidents to log and respond to and not enough time. Signals get lost in the noise, or — worse yet — in misdirection. A DDoS attack can overwhelm detection tools and defensive resources; in-house teams respond to it while other attacks succeed.
According to Verizon's 2017 Data Breach Investigations Report, 81% of the breaches the telecom giant investigated involved stolen and/or weak passwords, and 66% of malware encountered was installed via malicious email attachments. Defending against both involves ruthless prioritization of tasks, making sense of data and automating time-consuming but uncomplicated tasks.
This requires internal talent, who might not be who you expect. There has been a trend of security organizations hiring software engineers and then training them on security. This is highly beneficial and builds internal resilience.
Another important step in mitigating task overload is rationalizing the tools you work with. More isn't necessarily better when it comes to events and workflow. Before adding new security tools, consider the training needed to make the team effective in its use.
Getting in Front of the Challenge
At the end of the day, people will most likely open email attachments from strangers, choose obvious passwords or use insecure communications unless they are prevented from doing so or if technology paradigms change. Accepting that this will keep happening allows us to make organizations a little more secure.
Protecting systems doesn't stop at the border firewall. All enterprises live in a bidirectional data access world. That means that third parties have access to my sensitive data, such as customer records and intellectual property, and I likely have access to theirs. Take this into account when doing risk assessment. Establishing continuous monitoring protocols with anyone given elevated access is simply good sense.
If a target has robust defenses, or is more hassle to infiltrate than it's worth, odds are the bad guys will move on to something else. Little things like obsessively tracking software patches, detecting irregular login patterns and making it easy to report phishing attacks go a long way.
This is even more true in a rapidly changing work environment. Multicloud environments mean it's easier to pass the buck on blame for attacks. The rise of BYOD and shadow IT mean that security and IT have to be in constant communication and that new attack vectors show up every day.
But with the right steps, this job doesn't have to suck. Keep the lines of communication open with fellow security leaders, find signals and anomalies that matter in the endless data noise and advocate for security experts everywhere. Getting in front of the challenge makes all the difference.