The First Line of Defense: IT Personnel
The year so far has been a particularly stressful one for enterprise IT staff. Early in the year, concerns over data breaches and point-of-sale (POS) malware gave retailers something to worry about.
The long-simmering headache of Windows XP migration came to a head when support for the venerable OS ended in April. That would normally have been the security headline of the month, but a vulnerability in OpenSSL known as Heartbleed reared its less than welcome head.
All in all, then, IT security personnel can be excused if they’re tired and more than a little weary of patching holes as they appear. Hopefully, these teams are able to properly recuperate from these stressful times, as the importance of trained and empowered security personnel cannot be overstated.
While the role of technical solutions gets more attention (and, frequently, funding), these solutions are worthless without trained personnel that know how to use them. Dealing with today’s attack environment is not just about using more sophisticated tools; it is also about trained IT security people making decisions, with the best information provided by their tools as well as threat intelligence at their disposal.
Unfortunately, in many organizations these teams get short shrift and are viewed as nothing more than a cost center. This sounds fine until a major breach or other security failure happens – which ends up costing the organization far more.
So how exactly can organizations take care of their information security personnel? Here are four areas where organizations can help.
Give them the tools they need – and let them experiment, too.
First of all, information security teams must have the resources they need. This can include hardware, software, and headcount. Teams should be able to do their job without having to worry that they lack the resources to do it. Yes, this can be expensive, but so are attacks and data breaches.
In addition, organizations should give teams some leeway to experiment. If they want to try new tools, or use new methods to gather or analyze threat information, let them. These ideas don’t have to be production quality right out of the gate; all that’s needed is a proof of concept to check whether the idea will work.
Let them learn and make mistakes.
New threats and problems are always emerging. As we just saw in rather lurid detail this year, things we thought were secure sometimes aren’t. Learning has to be a key part of a team’s goals in order to stay ahead of the threats encountered in day-to-day use.
Information about threats is not always precise; things that appear to be threats may turn out to be completely harmless, and the reverse is also true. Mistakes happen; trying to reduce them is obviously desirable, but it shouldn’t turn your security team into an overcautious group that is afraid of pointing out an obvious attack.
Ensure data is freely accessible
This ties in with our first point. If an organization really wants its teams to experiment, it should ensure that its logs and databases are kept in easily accessible, open formats. Files being archived should be stored as plain text, such as comma-separated values (CSV), rather than in a proprietary binary format. Plain text can be easily processed by many viewers and scripting languages.
Why is this important? It allows searches to be performed quickly and efficiently, giving an organization’s security professionals the best possible access to potential threat information. Depending on what an organization logs and archives, it also offers intriguing possibilities for data correlation. As a result, the threat intelligence available to an organization’s defenders may improve.
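To illustrate what “data correlation” over plain-text logs looks like in practice, here is an added example (not code from the original post). It uses two constructed CSV sources, an authentication log and a firewall log, with hypothetical hosts, users and RFC 5737 documentation addresses. It flags a login that succeeds shortly after a burst of failures from the same source, then looks up what that source connected to afterwards. Nothing here depends on a particular product; the point is that with CSV, the Python standard library is enough.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for this example; hosts, users and addresses are hypothetical.
AUTH_LOG = """timestamp,host,user,src_ip,result
2014-05-01T10:00:05,web01,admin,203.0.113.7,FAIL
2014-05-01T10:00:09,web01,admin,203.0.113.7,FAIL
2014-05-01T10:00:14,web01,admin,203.0.113.7,FAIL
2014-05-01T10:00:20,web01,admin,203.0.113.7,SUCCESS
2014-05-01T10:05:00,web02,jsmith,192.0.2.10,SUCCESS
"""

FIREWALL_LOG = """timestamp,src_ip,dst_ip,dst_port,action
2014-05-01T10:00:25,203.0.113.7,10.0.0.5,3389,ALLOW
2014-05-01T10:06:00,192.0.2.10,10.0.0.8,443,ALLOW
"""


def parse_csv(text):
    """Plain CSV with a header row: the standard library reads it directly."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_failures_then_success(auth_rows, min_failures=3, window=timedelta(minutes=1)):
    """Return successes preceded by >= min_failures failures from the same
    source, for the same host and user, within the given window."""
    grouped = defaultdict(list)
    for row in auth_rows:
        grouped[(row["src_ip"], row["host"], row["user"])].append(row)

    hits = []
    for (src_ip, host, user), rows in grouped.items():
        rows.sort(key=lambda r: parse_ts(r["timestamp"]))
        for i, row in enumerate(rows):
            if row["result"] != "SUCCESS":
                continue
            t_success = parse_ts(row["timestamp"])
            recent_fails = [
                r for r in rows[:i]
                if r["result"] == "FAIL" and t_success - parse_ts(r["timestamp"]) <= window
            ]
            if len(recent_fails) >= min_failures:
                hits.append({
                    "src_ip": src_ip, "host": host, "user": user,
                    "success_ts": row["timestamp"], "failures": len(recent_fails),
                })
    return hits


def correlate_with_firewall(hits, fw_rows, window=timedelta(minutes=5)):
    """Attach, to each hit, the connections the same source made within
    `window` after the successful login. This is the cross-log step that a
    closed binary format would make awkward."""
    findings = []
    for hit in hits:
        t0 = parse_ts(hit["success_ts"])
        follow_ups = [
            (f["dst_ip"], f["dst_port"])
            for f in fw_rows
            if f["src_ip"] == hit["src_ip"]
            and 0 <= (parse_ts(f["timestamp"]) - t0).total_seconds() <= window.total_seconds()
        ]
        findings.append({**hit, "followup_connections": follow_ups})
    return findings


def run():
    hits = find_failures_then_success(parse_csv(AUTH_LOG))
    return correlate_with_firewall(hits, parse_csv(FIREWALL_LOG))


if __name__ == "__main__":
    for finding in run():
        print(f"{finding['src_ip']} -> {finding['user']}@{finding['host']}: "
              f"{finding['failures']} failures then success at {finding['success_ts']}; "
              f"followed by connections to {finding['followup_connections']}")
```

The thresholds (three failures in one minute, a five-minute follow-up window) are assumptions chosen for the sample data; a real team would tune them against its own baseline, which is exactly the kind of experimentation the previous sections argue for.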
Listen to them.
In many organizations the security professionals are not listened to, either by other IT staff or by upper management. That is a mistake, as security professionals know what they’re talking about and can provide helpful insights if asked. This is true for any profession, but in the security field it is of particular importance that its practitioners be engaged and considered by the rest of the organization.
All in all, the lesson is simple: the foundation of any organization’s security posture is the individuals actually putting that posture into force on the ground. To ensure the success of any policies, the individuals implementing them must receive the proper support and resources necessary to do their job.
Are you an information security professional? Let us know what you think in the comments.