Good cybersecurity comes from focusing on the right things, but what are they?
“There is no wrong way into the security field and it’s never too late to make a career switch that will take you there,” says Mark Orlando, CTO at Raytheon Cyber Protection Solutions.
If you think that’s easy for him to say, consider his education and employment twists and turns before getting into technology and, ultimately, into cybersecurity: he was an art and design student, then a Marine, and later an UPS truck loader.
While doing that last job and hating it, he decided that there was no personal sacrifice too big to make a total life change. So, he spent a summer sleeping on his brother’s couch, consuming every Unix and TCP/IP book he could find, until he landed a junior system administrator job.
Several generous mentors and more than a few lucky breaks later, he moved into cyber defense as a security analyst and rose up through the ranks. During his tenure in cybersecurity, he has built and run security operations teams at the White House, the Pentagon, global managed security service providers, and various other organizations in the public and private sectors.
“One of the lessons I learned along the way is that all you really need to be successful in security is an inquisitive mind and a good attitude; technical skills, by comparison, are far easier to acquire,” he told Help Net Security.
“With that in mind, it’s also important that we uphold high standards in this field without being exclusionary, which is something we sometimes struggle with as a community.”
A change in mindset and approach
Those high standards should definitely also include avoiding FUD (fear, uncertainty and doubt) as one of the main sales tactics.
“Anyone who has spent a significant amount of time in this industry understands that you can make a positive impact and be successful without sacrificing job security – as long as technology keeps evolving, the threats and vulnerabilities will evolve along with it,” he noted.
Demonstrating your own value outside of a crisis is a challenge, but it’s a challenge that every infosec professional should do their best to overcome.
One aspect of this is changing the organizations’ mindset regarding security. “Our job is to enable organizations to create value securely and to quantify the risk of the alternative, not to put up obstacles and police our organization,” he added.
Another aspect is changing their own mindset, i.e. the tendency to look at cybersecurity as a problem that could be solved if only they could invest more in security products or hire more people. This usually leads to inordinate investment in niche problems and applying outdated solutions to new challenges.
For example, security teams end up focusing more on defending against zero-day exploits instead of hardening and managing network infrastructure, or on adding more SOC analysts and 24/7 coverage instead of embedding security resources in strategic initiatives like software development and cloud migration.
“I see my job as helping others make smart long-term investments and focus on the right things, even if those things aren’t the most exciting,” he says. In his opinion, building defensible networks and educating users can be just as exciting if it frustrates one’s adversaries.
Avoiding pitfalls when building a security strategy
There are a couple of things IT security leaders should keep in mind when building a security strategy suitable for their organization: they should tie it to business needs and they should not make it too ambitious.
“First, you need to understand how the organization creates value: is it shipping widgets, providing a public service, managing data, or all of the above? If you can tie those things to the systems, processes, and users that support them, you can start building a threat model and better understand what you’re trying to defend (and defend against). This means understanding not only how the business works, but the roles and responsibilities of the leadership whose support you’ll need to execute your strategy,” Orlando explains.
At the same time, they should avoid trying to effect many initiatives at once.
“Trying to do everything at once is a good way to do a lot of things poorly,” he opines. “A well-executed strategy is iterative with realistic goals that build upon each other. For example, a mature incident response plan starts with good visibility and repeatable processes. Showing success in these areas and hard data to justify your efforts can help you get buy-in from management and other groups that are key to the incident response process.”
Future challenges for the infosec industry
Same as all other industries, the infosec industry is growing, shifting and changing, and so is the threat landscape. In some threat spaces, the industry is struggling to keep pace.
“Election security and critical infrastructure are two examples of vast, complicated processes and infrastructures where we’re arguably well behind the power curve in talking about security,” Orlando pointed out.
“These won’t be the last ‘new’ security conversations we’ll have to have, and the only way we’ll be able to scale to these new challenges is by sharing our knowledge, avoiding fear-mongering, and talking in plain English about these problems.”
He also expects that – after years of over-investment in security tools and despite security spending increasing year over year – a course correction is in the cards.
“We can’t keep relying on niche skill sets and highly complex platforms to do everything we need to do, and demand will drive security technology to be more like consumer apps and less like enterprise software in terms of usability and demonstrated value,” he believes.
“There’s going to be a reckoning for organizations who have poured millions into monolithic security applications with little operational value to show for it, and those organizations will be at a disadvantage to those who have adopted more modular, agile toolsets that can be evaluated and switched out more easily. We can also expect more competition for those security dollars as business contend with more privacy and security regulations and look to reduce exposure through cyber insurance and external service providers.”