The Many ‘Arms’ Of Today’s Cyber Security Team: An Inside Look

An influx of hackers hovering around enterprise networks inherently widens the attack surface. Their presence also demands a diligent and ensconced security unit.

Today, hacker sophistication has entered a new stratum, meaning chief information security officers (CISO) and the like must plan (along with test, share information and bolster defense) accordingly. As such, their workloads have increased. There are now numerous entryways into an organization, and security teams are charged with the patrol of sensitive information. They must also seal network gaps so hackers cannot exfiltrate “crown-jewel” data.

These tasks stack up pretty quickly in an age where security is 24/7, much like the news cycle that covers it. So, part of the oversight also includes reputation management – meaning proper notification protocols should there be a breach, or transparent dealings with affected clients/customers.

Cyber Responsibilities

Yet, as the duties skyrocket, who is handling the various functions of cyber in the SOC (security operations center)? Today’s CISO might be spread far too thin. Those who report to the CISO have specific duties and specializations, mitigating threats as they emerge through the many vectors. Also, there exists a crippling talent crisis in the space, leaving organizations in both public- and private-sector organizations/agencies understaffed.

Furthermore, in a recent Cyber Security Hub article, we spoke with Michael Wons, Chief Technology Officer (CTO), SAI Global. Wons said that “there is a clear understanding of some levels of security and risk, however, it is not truly understood (across the business).”

See Related: Security Analysts Becoming 'Data-Mining Gurus'? Q&A With Bay Dynamics' Ryan Stolte

The CTO added that lines of business (LOB) and overall corporate executives are busy and the issue of technology is “essentially a nuisance that must be dealt with.”

That is to say that a part of the security team’s duty, then, becomes corporate communication (persuasion?) up the proverbial ladder, as well as awareness campaigns for the employee base.

So how can a CISO divvy their time accordingly, to handle these multifaceted threats? Does the security team splinter off into different branches which preside over specific functions? Here, we take a look at today’s security “structure.”

Environment Adaptation

To get his take on this, we spoke to Bob Turner, a higher education CISO.

“Any structure that acknowledges the major domains of cyber security is useful,” Turner told the Cyber Security Hub. “I chose to organize my team into functions like Governance, Risk Management and Compliance (GRC), Security Operations (either a formal SOC or SOC functions), Security Architecture/Security Tools, Security Metrics and Analytics, and Education/Awareness/Training.

“If IT policy falls under the Security Team, that would be another ‘domain.’ Areas that may be specialized and not found in many organizations include Threat Hunting, Forensics, or Audit,” Turner continued.

Because of the dynamic nature of cyber security – adapting to threats as they emerge – will this format change in the near future, though?

Turner said, “The changes will be driven by how well the individual organizations adapt to the current and future threats. The ‘domains’ may change slightly and may become ‘plug n’ play’ depending on how your team functions in an ever-changing threat environment.”

He continued: “Examples might include having a Disaster Recovery team in case a ransomware attack occurs; developing a Crisis Communications team if multiple attacks occur – (and) of course this is dependent on the industry or diversity in the corporate portfolio of services.”

See Related: Catch Up Or 'Swat Flies': Cyber Security Experts Touts AI, ML

Do these layouts profoundly influence larger organizations? For those who adopt similar models, does their security efficacy automatically increase?

The higher education CISO told the Cyber Security Hub: “Larger businesses with the resources to invest heavily in cyber security gain diversity by volume. My experience shows that moving skilled people between teams as the situation dictates does improve security efficacy. It also helps (when) organizations…split inherently security-oriented functions like Identity and Access Management (IAM) between security and technology teams.”

Turner continued, “One side effect of larger and more diverse teams is ‘communication planning’ challenges. The corporate leaders, managers and users need to ensure there are skilled communications staff and media-savvy (including social media) managers available to spread the right word at the right time.”

‘Imitating’ Threat Actors

In a recent security forum, Small Business Administration (SBA) CISO, Beau Houser, echoed many of these sentiments. According to Fed Scoop, Houser said that a threat-based cyber security model works best with a “multidisciplinary team” that contains not only IT experts but those with other specialized skills (analysts). These are folks who can mimic would-be adversaries and use their methods to test systems.

Houser said SBA boasts a cyber-threat intel team comprised of intel analysts. The CISO said on a panel that his team includes penetration testers, cyber-threat hunters and forensics. He can then prompt pen testers to imitate cyber-criminals against high-value systems.

Houser said this approach (coupled with 24/7 monitoring) can reveal if the SOC has the “right visibility” and “the right triggers in place.”

No matter the structure of a specific team, it’s easy to generalize in this case and say that cyber security demands diversified professionals who can specialize and contribute to an organization’s wider security efforts. While that shape continues to change, the board and C-Suite will continue to depend on this squadron.

Be Sure To Check Out: LOB, Security Teams Must Be On Same Page For Cyber Success