Page 65 - Cyber Defense Magazine for August 2020

Countless times I have seen an organization lament its inability to find high-end security experts to anchor, and properly design and implement, the security controls it believes to be highest priority. Often, when high-profile experts are brought in, these controls become an ivory tower and a significant resource hog, usurping resources from less flashy, more commodity, but critical foundational controls. Unfortunately, the much more common and commodity skills are de-emphasized and suboptimally leveraged to build out the more mundane, but foundational, security controls.

What has happened in the above case is an over-reliance on high-end expertise (as saviours) to compensate for the lack of an effective, threat- and cost-calibrated cyber security strategy and for unbalanced SecOps. This results in unexpectedly weak overall protection performance, which is why we see, again and again, security breaches at high-profile organizations that have plenty of security budget, technology, and experts.


It is analogous to the many professional sports teams that overspend on a few superstars, to the detriment of having enough budget to pay for supporting players. Because you win as a team, the superstar’s value is frittered away when their skill is relied on to carry the team rather than a cohesive team strategy. The 1980 Olympic hockey Miracle on Ice is a classic example of US teamwork triumphing over a collection of Soviet superstars for the gold medal.



Effective security strategy follows a process like learning to crawl, then walk, then run. You must first be able to control low-sophistication threats (like accidents and mischief) before you try to protect against hackers, and only then should you consider trying to control espionage and nation states.

The reality is, high-end cyber security expertise is rarely required for the bulk of foundational SecOps implementation and operation; rather, what is needed is strong planning, threat, resource and cost calibration, project management, and measurement of SecOps KPIs aligned to pragmatic protection goals. There is a time for high-end expertise – in initial strategic planning and then in advanced tactics – but never to cover up for the lack of these.



Not enough budget

We often see budget requests denied or reduced because of headcount unit costs, the quantity requested, and sometimes location. How do we justify these costs in a pragmatic way?

The fundamental question to answer is: “What are we trying to achieve?” Answering that is what lets you control the cost variables. Human resource costs vary with skill sophistication, with more advanced skills being rarer and more expensive. You only need to pay for these when the time is right.

In the eyes of executive leadership – those who ultimately approve budgets – security teams today do an inadequate job of calibrating and articulating the necessary levels, quantity, and location of specific skills. Because the cost of these skills varies depending on the security wall dimensions introduced above, security budgets are often uncalibrated, with both overspend and underspend. The conclusion drawn by many
Cyber Defense eMagazine – August 2020 Edition 65
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.