Small and mid-sized organizations face the same significant cybersecurity threats that plague large enterprises. When I was CIO of a large financial services company, I had immense support from my security team, applying significant budgets to reduce cybersecurity risk. Smaller organizations address similar risks but have significantly fewer resources.
A simple insight from the financial services industry can be helpful. Security teams have skills in technology, but their primary purpose is not technical. Security teams are risk advisers.
Financial service companies manage balance sheet risk, investment risk and a spectrum of operational risks using robust methods mandated by regulators. It’s no surprise they were quick to see information security as a risk management practice and security teams as risk advisers.
In contrast, a decade or two ago, management expected technology teams to manage cybersecurity. Security was an IT problem. Management assumed IT would implement great technologies and prevent breaches. If you were breached, which was rare 10 to 20 years ago, you fired your CISO if you had one — or the CIO or CTO if you didn’t — and hired a new team that would solve the technology problem.
As a result, management would add layers of security products, appliances and systems that were piled onto technology stacks. In recent years, more was piled on with the promise of machine learning and artificial intelligence. Each layer added to the complexity, requiring unique and often arcane skill sets and increasing the burden on the IT team. Meanwhile, overburdened engineers were given the security hat to wear and were left holding a bag of gadgets with little context or strategy.
A frenetic IT team misses deliverables as they are interrupted with new projects. Further burdened with monitoring for breaches, the IT team suffers alert fatigue as they chase false positives. The organization has inadequate monitoring on weekdays and no monitoring on nights and weekends. The security program matures in fits and starts while risk management is abandoned in the pursuit of more technology and IT staff.
With today’s headlines, we know this perspective is absurd. The problem is not a technology problem. Organizations spend over $100 billion a year on security solutions, but the headlines persist. The view that security is an IT problem is outdated.
Security As Risk Management
Today, cybersecurity risk is a key focus for upper management, the board of directors and regulators. The risk of a breach cannot be eliminated. Organizations must model the risk and right-size budgets to reduce, mitigate and transfer risk that cannot be accepted. This is an imperfect science, but it supports an intelligent conversation about trade-offs and risk tolerance.
As security teams become risk advisers, our perspective on resources changes. The human aspect of the work becomes undeniable.
- Experienced practitioners are required to identify the risk inherent in systems, policies and practices. They assess policies and practices against standards and regulations. Mature management practices are applied to measure the inherent business risk of any gaps and, if necessary, establish a prioritized roadmap to improve the security posture over time.
- Competent security experts perform technical testing to identify potentially overlooked risks in applications and systems.
- Security teams perform compliance and hygiene tasks to ensure the basics are covered.
- Security analysts monitor for emerging risks, performing 24/7 detection and response. This work is potentially the most human-intensive, but risk management mandates it. While technologies may alert to anomalous activity, humans perform the investigations to eliminate false positives and design response actions. A mature organization with significant resources and budget may staff two security operations centers 24/7 by hiring 10 to 20 people.
Viewed this way, security is less of a technology problem and more of a people and an expertise problem.
Furthermore, the security team acting as a risk adviser is not an IT team. They are not performing network engineering. They are not sysadmins. They are not doing desktop support. Their role as risk adviser requires visibility into systems, policies and practices, but they do not implement their recommendations. If an organization facilitates risk management activities rather than chasing new security technologies, it can shift to a new paradigm and make better progress. While the emerging road map will inevitably involve technology projects, those projects can be prioritized by their risk reduction value and realistically right-sized against the delivery capability of the IT team.
Where important projects exceed delivery capability, the risk management framework is, in fact, a mandatory tool for balancing budgets and resources against risk appetite.
In summary, a frantic pursuit of security technologies absent a risk management framework will fail. On the other hand, an established risk management framework can enable small teams to maximize their results and minimize risk with small budgets.
Importantly, a smaller organization does not need full-time resources to act as risk advisers. The risk management activities can be facilitated on limited budgets and often be outsourced to third parties that solve the human talent problem through programmatic access to security talent performing well-defined bodies of work.
Smaller organizations should look for third parties that can bring not only people but also dedicated technology that assists in providing visibility to customer systems. This can allow security functions like detection and response to be wholly outsourced.
Indeed, look for third parties that use technology to holistically amplify the capabilities of their people rather than promising technology that replaces people. Human expertise at scale can be provided at the budget equivalent of one or two full-time employees, and the full security function could conceivably be outsourced.
The key to making this work for small budgets is a security partner that can act as a holistic risk adviser rather than a collage of venture-backed point solutions. A large enterprise can afford to purchase and integrate numerous point solutions precisely because large enterprises have the security teams to select, integrate, tune and monitor those systems. Smaller organizations need holistic security talent that can provide integrated, timely and continuous security risk advice.