Log4j lesson: Cybersecurity defense isn’t just about tech

Aside from stolen data and money, perhaps the greatest impact of massive attacks like SolarWinds, Colonial Pipeline, and the current Log4j vulnerability, is that people are beginning to realize that cyber attacks and cyber damages are inevitable. But while breaches have always been as sure as death and taxes, we can reduce the frequency and success of disruptive events and control the degree to which they cause a negative impact.+

Despite what most vendors and pundits will tell you, the answer isn’t simply “buy more tools.” Though technology and tooling play a valuable role in protecting an organization, we don’t talk enough about the non-tech tactics businesses can take to improve their security stance. Based on my experience as a CISO and a former incident responder, I want to offer advice on practices I think IT and security teams should consider in order to reclaim control and take a more proactive approach to cybersecurity.

Best practices to consider

1. Build a diverse team

The security industry is largely homogenized. For example, women make up only 20% of the information security workforce. Women and minority groups are wildly under-represented in the field, and that needs to change not only to help relieve the skills shortage but also to create higher performing teams. You don’t want a group of people with similar backgrounds who think the same way. By bringing in a more diverse group of people, you’ll have more perspectives — people who will challenge your assumptions and introduce new ways of thinking. In a fast-moving, always-changing field like cybersecurity, that’s exactly what you need.

This work starts in the hiring process. Aim to foster a talent pipeline that’s diverse across gender, age, experience, education, geography, race, and orientation. And if you’re still clinging to the fear that prioritizing diversity could lead to “missing out” on more qualified candidates, it’s time to let go. There are plenty of incredibly qualified diverse candidates; you just need to put in the effort to find them.

Lastly, consider whether you need to hire security practitioners (those with existing experience or those with relevant degrees), or whether you can hire adaptable critical thinkers and provide the necessary “cyber” training.  Expanding your aperture for what is considered a “qualified” candidate, especially for more junior roles, will yield a far more diverse workforce.

2. Don’t be afraid to outsource

The skills gap in cybersecurity has been discussed for years, but unfortunately, it’s only becoming more acute. Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs by the end of 2021. I know that those in the infosec field are notoriously paranoid and distrustful — those traits are often beneficial in our line of work! — and want to keep as much work in-house as possible. But my advice, especially to smaller organizations, is to strongly consider bringing on a managed service provider to help bolster your team. Organizations can not allow themselves to be short-staffed in IT and security roles, and MSPs offer a quality complement to your existing team. The key is ensuring you’re doing excellent vetting, getting peer references, ensuring your MSP has a proven security practice, and still maintaining enough knowledgeable internal talent to exercise oversight for your outsourced services.

3. Train like you fight

Tooling is important, but nothing is more important than your people on the ground. Based on my experience as a security engineer and investigator earlier in my career and now as a leader, you need to train like you fight and fight like you train. The most critical skills you need to train for are incident response and crisis management. Red team/blue team, capture the flag (CTF), and tabletop exercises are excellent simulations to help you do this. In addition to testing the strength of your organization’s security capabilities, these exercises can tell you a lot about your team. Who is good under pressure? Who emerges as a leader? How does your team adapt and communicate when faced with obstacles? Perhaps most importantly where do you have gaps in your existing plans? From there, you can organize your team in a way that leaves you best prepared if and when a real attack takes place.

Assumptions to (re)consider

The three points above are practices that can help organizations improve their cybersecurity posture. Additionally, I believe it’s necessary to evolve some of our outdated cybersecurity assumptions, including the following tired tropes we need to retire this year.

• “Cybersecurity awareness” — Cybersecurity went mainstream last year. With the number of ransomware attacks on major companies, high profile nation-state attacks, and the emphasis the Biden administration has placed on cybersecurity, people are aware. That’s no longer the issue. The issue is that people are fatigued by the never-ending stream of breach news that instills a sense of hopelessness.

• “Security is everyone’s job” — This is true in many respects. Every single employee must be vigilant and play an active role in ensuring a more secure enterprise, but we do very little to help people contextualize their role in security. Most people don’t see themselves as targets because they’re not “important enough,” when in reality they might just be a convenient path to attack the ultimate victim. We also need more people whose sole job is cybersecurity. The skills shortage is an existential threat, and it should be a CEO and board priority to hire, recruit, and retain as many cybersecurity professionals as possible in 2022.

• “People are the weakest link” — People are attack entry points and do make mistakes (like clicking on phishing emails, which is unfortunately still too common), but this argument overlooks and de-emphasizes the many weaknesses and vulnerabilities in hardware and software. How many security updates has Zoom or Microsoft issued in the last month, for example? Answer: A lot. Employees are still our greatest protectors in many cases, so don’t disempower or shame them. Let’s compassionately provide employee cyber education training, and not turn a blind eye to other weak links in the chain.

The hypercompetitive cybersecurity industry often devolves into “silver bullet” promises that X or Y solution alone can “save your organization.” Technology is imperative to cybersecurity, and there’s incredible innovation being done by vendors that will help businesses protect their infrastructure, assets, employees, and customers. But remember that technology alone is insufficient. Building a proactive, effective cybersecurity playbook will always boil down to people and practices.

Chris Hallenbeck is Chief Information Security Officer for the Americas at Tanium. He previously worked at the U.S. Department of Homeland Security’s US-CERT, where he designed and built incident response capabilities and restructured the team’s focus toward strategic remediation with a goal of building more resilient organizations. Prior to that, he worked for RSA Security as a security engineer and with AOL/Time Warner on their global incident response team.