As an independent consultant, I’ve had a unique opportunity to observe behaviors and trends in information security across industries. One thing that has stood out to me recently is that too many IT and security managers try to do everything in-house.

From technology implementations to audits and risk assessments to vulnerability scanning, a lot of chief information security officers (CISOs) are simply taking on too many responsibilities, and it’s leading to unnecessary security risks and incidents.

Why Are Security Managers Doing So Much?

This approach persists in many organizations regardless of the level of in-house expertise and security buy-in. Part of this is born out of budgetary constraints. As with most IT and security initiatives, dollars are limited, and they need to go to the greatest areas of need.

Internal politics also play a role. Often leadership is unconvinced that additional funds are necessary, and some executives even question the value of the IT department altogether. To be fair, we IT and security workers sometimes have a tendency to be overconfident and go about our business opaquely without adequately communicating across departments. This is a guaranteed recipe for self-sabotage.

Assess Less, Outsource More

Many security leaders stretch themselves too thin by micromanaging risk assessments, vulnerability and penetration testing, and audits. In many industries, and according to certain regulations, it is mandatory to hire an outside resource to do this work — but it’s just not happening in practice.

This is much less common in larger enterprises, but it does take place. For midsize companies, it’s much more prevalent and a true conflict of interest. Small businesses often know they must outsource security assessments. However, once they see the price tags of such services, they often decide they don’t need them after all.

I think it’s safe to say most people wouldn’t perform their own home inspection, nor would they perform their own CT scans or blood work to evaluate health issues. The tools, expertise and wisdom are just too hard to come by, and there’s too much on the line to try to do it all just to save a few bucks.

The same goes for security. I work with many administrators, developers and leaders in the IT and security space who are amazingly smart and great at what they do, but they’re not security experts. That won’t stop them from telling you about all the security initiatives they’re working on, however.

Evaluate Your Skill Sets

To spread security tasks more evenly among your staff, start by determining what you and your colleagues do well and tasks you know you shouldn’t be doing. Then, determine what you can handle in-house and what you absolutely must outsource.

You might have people you consider to be cloud experts, administrators or analysts who can truly stay on top of things, and internal penetration testers who are excellent at finding niche flaws in web applications or network hosts. But that doesn’t mean your security program has been properly implemented or your systems have been adequately scrutinized. Having a diverse set of internal security competencies doesn’t automatically translate to an effective and resilient security program.

Consider the following questions when evaluating your current security capabilities:

  1. Do you have all the information you need to make reasonable security decisions?
  2. Have you addressed all the critical areas of the enterprise, including security standards and policy enforcement, alerting and monitoring, and uncovering potential and confirmed vulnerabilities?
  3. What areas of security do you feel you have mastered?
  4. What areas of security do you know little or nothing about?
  5. What areas of security, if improved internally, are you confident you could master in a short period of time?

Admit You Have a Problem

Failing to realize that you can’t be everything to everyone is a surefire way to build a half-baked security program that’s ready for compromise. The last thing you need is to operate with blind confidence and then have your efforts derailed by a malicious insider or cybercriminal.

Maybe you just need to outsource tactical security issues, such as system monitoring and incident response, vulnerability and penetration testing, and endpoint security — all common areas of weakness. Whatever opportunities you identify, it’s a good way to free up internal resources and allow staff members to concentrate on more strategic areas of security.

Regardless of which side of the equation you’re on, you must decide how you’re going to approach security, design a plan and stick with it. Whether it’s you and your team or a group of outside resources, the only defensible approach to security is to go beyond checking boxes to ensure that your information risks are properly analyzed and addressed.
