Do You Trust in your Security Tools?  Try Trust in your People!


I have heard from more and more information security executives and technical experts that security vendors are losing credibility. This is not just because they often do a poor job of training their sales/marketing teams how not to approach security professionals via email or business social sites like here on LinkedIn. The real problem is their so-called security solutions.

I have been to my fair share of vendor fairs and demos. I have heard one too many pitches that border on ridiculous. The problem, as I see it, is that Information Security as a profession has fallen for the idea that tools solve their problems. In the vast realm of security, there is a vendor and a tool to solve any security problem any enterprise might need.

I am NOT saying these are helpful solutions, but rather, that security vendors have developed "solutions" for all of our perceived security ills. This is a fragmented market and more vendor solutions are entering the fray each month. One might ask, why are we so reliant on seeking tools to cure our security issues? Tools are useful, but only when wielded by people. People who can independently think, reason and solve problems.

I think it is reasonable to state that InfoSec has a co-dependent relationship with security vendors and their tools. This is NOT healthy, mind you, and it shows. The state of security is arguably worse today than 5 years ago. Attackers are not having a hard time getting past enterprise defenses. The conversation needs to change. Rather than vendors approaching us with solutions, we should be talking to our people about what problems we have and how to solve them. A vendor tool/application does not always need to be the solution.

I am not necessarily talking about building tools either. Let's get back to our greatest asset in any business, the people. People are what drive the business. It is people who manage the business and adapt it to stay competitive. It is the people of any given business that really know their model, their talent, their processes and problems. By removing people from the equation, by relegating them to just implementing, configuring and watching a tool, we have lost their attention and reduced their abilities to some extent.

I have seen Internal Bug Bounties and Internal Hack-a-Thons where employees showed up and helped the business see and solve problems it had or did not even know it had. People can do more than our "sacred" security tools. People can apply logic, reason and independent thinking in ways machines and tools cannot. AI and Machine learning are tools designed to make people's jobs easier. I am afraid they often do the opposite today. The data these tools collect is so vast that it creates a true inability to really digest and act on it. We are creating burnout in our people. Not because we are building them up and training them to be awesome. No, we are burning them out trying to use tools that appear to be mostly ineffective for what we really need.

How many breaches do we read about where tools collected and even alerted people, but it was missed, swept away or too HARD? We buy and implement tools and solutions and then rely on them - to a fault.

Here is my suggestion. Expend more time and resource on your talent for one quarter. Do not buy or implement one more tool. Instead spend that quarter learning what your team hates about their job, about the tools you are using to manage security. Ask them what you can do better.

Do a full inventory of all of your security tools. Get each vendor to come in and map what the tool is doing vs what it could do. In other words - did we implement it right? Are we using it right? Collect this for all the vendor and in-house tools and compare them (use your EAs and PMO to help). Then map the data and logs from all these tools. Do you have tools doing duplicative work? Do you have tools sending conflicting info? With all of the tools in play, do you even have full coverage?

I would then strongly suggest a pen-test against each of the tools in your environment. You might be surprised to find your favorite vendor solution stores or communicates data in the clear on your servers and across the network. Or that it is trivial to access an app and turn off features you rely on. It is in your best interest to truly understand the risk each tool brings to your overall risk profile.

Back to the people. What did you learn from them? Did it surprise you? It shouldn't. We generally hire really smart, analytical people in security roles. If you think they do not have valuable insight, you should maybe start focusing more on your talent and invest in them. The rewards will be great.

What I am trying to explain is that we trust and invest too little in our talent. They are more important to the success of security and the business than any of your tools. If you believe what I am saying, then stop investing more trust and resources in your tools and focus more on your people.

At the end of the day, you will still have tools. But my hope is that you leverage the knowledge and experience of your people to have fewer tools that can do more. I have experienced first-hand investing in my teams and seeing incredible results. When you create safe environments for your teams to think independently and argue respectfully and that encourage innovation - watch out!

If you choose to focus on your people, you will be better prepared to see and stop intrusions or vulnerabilities inside your network. When you let people arrange the tools and processes to fit the need, you will be more agile and have more intimate knowledge of your environment. This is because people are allowed to connect the dots and speak up when they see things. We hear all this talk about shifting security to the left. Making security baked-in. In order to get security agile, responsive and embedded early, you will need to engage your smart people to make this work efficiently and effectively.

The reality, of course, is that you have to trust and give freedom before you will see improvement. Core to this actually working is to have leadership on board and responsive. If your staff report something, but then someone higher up can stop it, you are going to fail. This must be a culture change in which leadership will trust employees and act on concerns. If this cannot happen for some reason, then you need an anonymous submission system that goes to legal, audit or risk, who typically have executive presence and are obligated to investigate. I have seen it both ways. Eventually the data wins out and things begin to change.

Invest in people. Know your tools and use them wisely. Audit them annually so you know what you have, what gaps are present, etc. Then encourage your people to be independent thinkers who look at all of the security tools and help make them responsive to their need. Do not be afraid to abandon a tool that is not effective for your org. Tools should be responsive to you and your need, and your people are the ones who can tell good from bad. They live in the trenches with all of these vendor solutions every day.

Do not be afraid to build tools in-house either. Going back to early comments I made, people know the business. Security teams know or should know where gaps are. I was very supportive whenever my teams identified gaps in our security posture. I helped them refine their solutions, got support from where it was needed and then drove these fixes to get implemented. In the security realm, innovation is going to be a key advantage. Sometimes some simple internal scripts and routines can give more visibility than 10 vendor tools. Tools have limits. People are only limited if you do not give them freedom to do amazing things for you. One of these people and their insight may be your silver bullet when it really matters. Invest in them. Trust them. Motivate them. Reap the benefits.















