This four-part What is Cybersecurity? series discusses the impact of cybersecurity on an organization and the three areas that must be addressed to achieve cybersecurity nirvana. Yet cybersecurity nirvana is never truly attainable because of the ever-evolving nature of cybersecurity. The evolution of cybersecurity is directly attributable to one area: people.
In the first part of this blog series we discussed how cybersecurity started and has evolved from the early days of blocking one IP address at a time, to heuristic capabilities trying to stay even with new attacks and penetrations. The basic premise of cybersecurity was outlined with the cybersecurity triangle, with one side for each of the following areas: People, Process, and Technology. These areas interplay with each other to provide organizations with the best cybersecurity posture attainable.
The Organization and Cybersecurity Personnel
Why do we say “best cybersecurity posture attainable” and “people matter”? Any cybersecurity professional would probably respond to both statements with “No kidding. What else is new? Same platitudes as always.” They would be correct, but these statements are used for a reason. I use them to highlight the fact that no cybersecurity posture is ever perfect and that the only way to fill in the gaps is by employing the proper cybersecurity personnel.
What is the proper cybersecurity personnel?
That would naturally be the next question in this exchange. However, there is no perfect answer. This is not what people want to hear, but it is true. Each organization has different business requirements requiring different cybersecurity professionals. There is no one-size-fits-all personnel package.
Each organization has a different, established IT department, whether it is a large number of IT personnel or a small 3-4 person shop handling all of the company’s IT needs. This is the first factor when assessing requirements for cybersecurity personnel. While the work done in cybersecurity is inherently different from what is performed by IT personnel, there are still linkages between the two which must be addressed when deciding how to man a cybersecurity effort. The biggest friend a cybersecurity professional will have is a friendly IT department.
The existing IT department plays an important role, as it maintains and operates the network the cybersecurity professionals are charged with protecting. The IT department is more often than not the face of the organization’s network. Whether through troubleshooting issues with the computers or installing new equipment, IT staff are the people on the ground who can have the most influence on the security of the network from the ground up. Cybersecurity personnel, while they usually establish the education programs and communications about how best to protect the network at the user level, are the “man behind the curtain”, not necessarily well known by the organization.
So if the IT department is so important, why do you need cybersecurity people? Why not have the IT department perform those duties? That is a valid approach for an organization with limited resources, but for any organization that has a large customer base or proprietary information requiring a certain level of security, relying on the IT department to do the management, operation, and security of the network is foolhardy. There is a reason the security of the network has been split from the already existing IT functions. An independent security group provides the best protection, as the controls it recommends can be made without any preconceived notion of how the network is built and run. This usually causes the greatest strain between the cybersecurity group and the IT department, but that is why a good relationship is critical to ensure the security of the network.
Why Do People Matter?
We have been discussing why cybersecurity personnel are important to an organization and how they fit in with the established IT department. However, this is not the real reason why cybersecurity people matter. They matter because the true nature of cybersecurity is a “one on one” fight with the people trying to compromise the network. The notion of “one on one” in cybersecurity is not a literal translation, but is used figuratively to show there are two sides to the conflict, each with a person on either side with their own experiences, strengths and weaknesses. This is why people matter.
The basic tenet of cybersecurity is the ability to stop malicious people, or unintentional actions, from compromising the network. One of the easiest ways to perform cybersecurity is to deploy a security device, whether an intrusion protection system or next-generation firewall, using the default settings and proprietary information provided by the vendor. This is a logical approach to cybersecurity, but it will only work for a limited time before the information is obsolete or, worse, the appliance is outdated and useless.
A good amount of the work done by cybersecurity professionals can also be done by identifying the processes and procedures for the IT department to perform. Even when you have cybersecurity professionals in your organization, this is a good approach to limit the number of issues when personnel turnover happens. However, processes and procedures can only do so much for an organization, and the reliance on the IT department to perform these functions usually results in the security actions coming last, behind the IT department’s mandate to maintain and operate the network.
Cybersecurity is an environment where people are the key resource in a prolonged and effective security campaign. People make the difference between a security program which relies on a strict set of rules and a security program which is flexible and as current as possible to repel and defeat malicious actors.
Read Part 1 here.