Page 251 - Cyber Defense eMagazine Annual RSA Edition for 2024
heavily in cross-training security talent, even if you don’t bring those people into your team directly. Rather
than hiring ten new application security analysts, it would be really intelligent to cross-train anyone in the
development organization who is interested in security and give them opportunities to be an extension of
your team.
Outsource sensibly
To avoid the outsourcing disaster that started this whole mess, be careful when you’re outsourcing your
security. There are some things that are fairly easy to outsource – such as detection and response work.
You can’t outsource your entire SOC, but you sure can (and should) be outsourcing key components that
providers can scale, staff, and equip better than you can.
With that in mind, a load-sharing model is a brilliant approach if you can manage it well. Even if your
company has an in-house SOC, off-loading key functions to a third-party SOC provider is a great way to
keep your team focused on high-value activities like investigating and remediating threats rather than
chasing alerts in the SIEM. I call this “right-sourcing” because in-house staff focus on mission-critical
functions such as helping the company design and build security products, partnering with the business
on projects, or keeping careful watch of your third-party risk program. Meanwhile, an outsourced SOC
performs detection and response at scale with all of the functions and necessary data you can’t afford to
buy for yourself. Right-sourcing is the modern answer to running a hybrid security team that is part
cross-trained staff on other IT teams, part in-house expertise, and part outsourced scalable talent.
Modernize your technology stack
It’s a dirty little secret in our industry that one of the things holding us back from having efficient security
teams is the closet full of ancient security tools in use that take so much time and effort because none of
them work well together. Modernize your technology stack, throw out things that don’t interoperate well,
and develop integrations so you can automate and do more advanced functions with fewer humans who
are laser-focused on high-value activities. I should add here that you should probably think about
“as-a-Service” as much as possible. Buying technology you install in-house and manage and maintain on your
own is yesterday. Security technologies need to keep up with the modern paradigms and as-a-Service is
one modern way to give your company scale and added support without hiring more people.
Conclusion
While there is a talent problem today, it’s both our own doing and not exactly what you’re being led to
believe. Even if five million new security professionals showed up tomorrow ready for work, we’d still
have a “talent gap” because we’re thinking about security in 2024 with ideas from the 1990s. This problem
isn’t going to solve itself, nor will any number of expensive boot camps churn out the talent we need. This
issue is going to take a decade or more to resolve – and that’s if we start the new strategy now.