Managing Security with a Lean Team

When the Covid-19 pandemic hit, countless businesses shifted to remote operations virtually overnight. That pushed many already lean IT security teams one step closer to the breaking point, forcing them to revisit how they operate.

Michael Madon, SVP & GM for Security Awareness and Threat Intelligence Products at Mimecast, frames the post-Covid challenge this way: “Security teams are under unprecedented stress, which has made them more vulnerable to attacks and breaches. At the same time, the number of attacks has skyrocketed. Individual employees facing disruptions in their own lives are craving ever more information, and attackers have seen that as a golden opportunity to double-down on web and phishing attacks.”

Recognizing that Covid-related disruptions are not going away anytime soon and that they will need to do more with less for the foreseeable future, CISOs and their teams have begun taking some or all of these six steps:

1) Above All, Promote Security Awareness Training

No matter what processes and technologies are employed, good cybersecurity depends first and foremost on the behavior of people. But while it has always been important to raise awareness and encourage good security habits throughout a company, rising threats and shrinking resources have made more effective employee security awareness training an urgent priority.

The good news is that as their work lives and personal lives grow increasingly intertwined, many employees have become more receptive to the cybersecurity message. They recognize that they can’t be careless about security at work without also endangering themselves and their families. But that doesn’t mean they know what to do—or will remember to do it—when the moment of truth arrives. For that, they need ongoing professional training, which—to be effective—is also entertaining and easy to consume.

2) Reduce Vendor Sprawl

With fewer resources, CISOs no longer have the bandwidth to manage scores of vendor relationships and assemble a potpourri of products into a coherent cybersecurity infrastructure. “It’s time to push yourself and your team to figure out how to reduce vendor sprawl, and get rid of point vendors wherever that’s possible,” says Madon.

Reinforcing this point, a May 2019 study by IDG found many companies deploying potentially redundant security tools, including VPNs, firewalls, network-access-control devices and cloud-access security brokers. The report noted that overlapping products were often deployed in response to new threats or due to decentralized management, and that nearly half of the companies surveyed were exploring ways to consolidate these tool sets—often through the use of secure-access platforms or suites.[1] In the wake of Covid-19, this has become an even higher priority.

3) Leverage the Cloud

Just as companies moved key business applications to the cloud to reduce their upfront costs and management complexity, many were already looking to do the same with their security infrastructure. Now the rise of the remote workforce has accelerated this trend.

With more users and devices operating outside the company’s traditional network perimeter, and more digital assets stored outside the security team’s traditional sphere of influence, cloud-based security capabilities such as uniform email filtering, web monitoring and traffic analysis help CISOs bring such a massively distributed infrastructure back under control.[2]

4) Automate (Carefully)

Automation is helping CISOs handle routine tasks such as maintaining infrastructure, providing new credentials and responding to alerts. They are learning that, judiciously applied, automated processes and machine learning can reduce human configuration errors and improve predictability, allowing them to rapidly scale their operations in response to new business requirements and reassign scarce security professionals to higher-value tasks.[3]

The emphasis is on “judicious.” If the wrong kind of processes are automated—issuing a steady drumbeat of demands for password resets, for example—employees tend to get resentful and careless. But freeing a security team from mundane chores offers many dividends, not the least of which is giving them more time to analyze new attack techniques intended to outsmart your automation.

5) Move Towards a Risk-Based Approach

Nearly every security team performs some tasks that can be de-emphasized or eliminated. For instance, Madon notes that many groups spend significant time and effort attempting to identify the precise source of an attack. But knowing which city in China an attack came from doesn’t necessarily help halt it or prevent the next one.

Moving to a risk-based approach helps a team re-prioritize and zero in on what really makes a difference. “Instead of thinking you have to protect every bit of infrastructure, ask: what’s most important, and how do I mitigate those risks most efficiently?” Madon advises.

6) Move Towards DevSecOps

By leveraging technologies such as microservices, containerization and public clouds, DevOps has accelerated the process of software delivery at many companies. The next step is to move towards DevSecOps, which brings security into the equation from the outset. This ensures that developers are building safer code from the get-go and that security testing is included in the development team’s continuous integration (CI) and continuous delivery (CD) pipelines.

A relatively new discipline, few companies have a robust DevSecOps process. But forward-looking CISOs are working to instill this into their organization’s development culture, hoping to inoculate the company’s code base from many common avenues of attack.

The Bottom Line

The post-Covid environment poses more cyber threats, but gives security teams fewer resources with which to counter them. In response, CISOs are seeking to streamline their processes and realign their priorities, while also making judicious use of new technologies.

[1] “What Happens When 'Tool Sprawl' Makes IT Security Operations Too Complex,” Security Magazine

[2] “What is Cloud Security? Cloud security defined, explained, and explored,” ForcePoint

[3] “Security Automation: Understanding the Risks and Benefits,” BrightlineIT