Page 65 - Cyber Defense Magazine for August 2020
Countless times I have seen an organization lament its inability to find high-end security experts to anchor, properly design, and implement the security controls it believes to be high priority. Often, when high-profile experts are brought in, these controls become an ivory tower and a significant resource hog, usurping resources from less flashy, more commodity, but critical foundational controls. Unfortunately, the much more common and commodity skills are deemphasized and suboptimally leveraged to build out the more mundane, but foundational, security controls.
What has happened in the above case is an over-reliance on high-end expertise (as saviours) to compensate for the lack of an effective threat- and cost-calibrated cyber security strategy and for unbalanced SecOps. This results in unexpectedly weak overall protection performance, which is why we see, again and again, security breaches at high-profile organizations that have lots of security budget, technology, and experts.
It is analogous to the many professional sports teams that overspend on a few superstars, to the detriment of having enough budget to pay for supporting players. Because you win as a team, the superstar's value is frittered away when their skill is relied on to carry the team rather than a cohesive team strategy. The 1980 Olympic hockey Miracle on Ice is a classic example of US teamwork triumphing over a collection of Soviet superstars for the gold medal.
Effective security strategy follows a process like learning to crawl, then walk, then run. You must first be able to control low-sophistication threats (like accidents and mischief) before you try to protect against hackers, and only then should you consider trying to control espionage and nation states.
The reality is that high-end cyber security expertise is rarely required for the bulk of foundational SecOps implementation and operation; rather, what is needed is strong planning, threat, resource and cost calibration, project management, and measurement of SecOps KPIs aligned to pragmatic protection goals. There is a time for high-end expertise – in initial strategic planning and then in advanced tactics – but never to cover up for a lack of these fundamentals.
Not enough budget
We often see budget requests denied or reduced because of headcount unit costs, the quantity requested, and sometimes location. How do we justify these costs in a pragmatic way?
The fundamental question to answer is: "What are we trying to achieve?" Answering it is what lets you control the cost variables. Human resource costs vary with skill sophistication, with more advanced skills being rarer and more expensive. You only need to pay for these when the time is right.
In the eyes of executive leadership – those who ultimately approve budgets – security teams today do an inadequate job of calibrating and articulating the necessary levels, quantity, and location of specific skills. Because the cost of these skills varies depending on the security wall dimensions introduced above, security budgets are often uncalibrated, with both overspend and underspend. The conclusion drawn by many
Cyber Defense eMagazine – August 2020 Edition 65
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.