Lean security: How small cybersecurity teams perform at Fortune 2000 levels

There’s a widespread misconception that small IT security teams, or “lean sec teams”, cannot protect their organizations as comprehensively as bigger security teams who enjoy rich portfolios of countless security layers, vendors, and tools.

It’s an easy enough misunderstanding to have. According to the ISACA State of Cybersecurity 2021 report, 61% of cybersecurity professionals report needing more security staff at their organizations, and 68% of organizations that experienced more cyberattacks over the last year indicate they are understaffed to some degree. Perceiving a correlation between an incomplete roster and greater vulnerability to cyber attacks isn’t unreasonable.

However, simply adding more staff is not always an option, and even if it were, it’s not necessarily a panacea.

How do CISOs and leaders of lean security teams at small- and mid-sized organizations get by when they face the same threats as major corporations but have only a fraction of the cybersecurity resources at hand?

CISOs of lean sec teams have long contended with staff and resource limitations, and they’ve cultivated a knack for pragmatic creativity. Lean sec teams thrive because of their pluckiness, resourcefulness, and agility in doing more with less.

Effective lean security embraces automation

Today’s lean security leaders face different challenges than leaders with more resources, but challenges do not equate to shortcomings. Many of the leanest security teams today protect and secure their organizations at the level of the most tool-laden Fortune 2000 security teams.

A less practiced IT leader’s instinct might be to throw everything possible at the security stack to ensure coverage is extensive and comprehensive. But beyond budget constraints, a small cybersecurity team can be stretched only so thin; adding layer after layer of security solutions results in exhaustive manual workloads, limited visibility, and frantic scrambling to remediate.

Savvy CISOs of lean security teams use automation, rather than bloated cybersecurity portfolios, to set their teams (and their organizations) up for success. Arming lean security with the ability to delegate by way of automation is the surest way to relieve the team of the complex, arduous, manual heavy lifting they would need to do otherwise.

Keeping ahead of cyber criminals without wearing down the team

Preventing breaches and attacks has long been a goal of cybersecurity, but for lean teams, getting ahead of cybercriminals has historically been very difficult. Whether they were relying on signature-based tech that couldn’t detect novel types of threats or flag zero-day exploits in time or they lacked the staff to monitor the org’s security posture and maintain updates, comprehensive prevention has been elusive for them.

Detection, too, has proved difficult: the alert avalanche is real, and lean sec functions cannot feasibly always monitor every attack vector. Layer on the lack of ability to identify novel and increasingly sophisticated tactics, and this is how threats – such as advanced persistent threats – can be planted and left to blossom unbeknownst to the organization.

CISOs of lean security teams always inform their priorities with the lessons learned from their historic weak spots. With a holistic view of past challenges, it’s an easy call to take automation-forward approaches to prevention and detection, enhanced visibility, security event playbooks and continuous monitoring of their attack surfaces.

Get by with a little intel from your stack

Efforts to correlate signals to anticipate and understand cyber attacks have long been either prohibitively expensive for budgetarily lean teams or placed on the back burner due to more pressing threats that required immediate attention. Endeavors to interpret signals for actionable and timely intelligence about looming threats were often hindered by the overwhelming volume of events, alerts, and false alarms.

Similarly, even the savviest lean sec teams of the past could only do their best to minimize the damage of an attack and then move on. Without enough resources, they had no other choice. But moving on from an event without conducting a deep forensic dive to get to the bottom of why, how, and what occurred is a crucial component of preventing APT-type attacks.

CISOs of today’s lean security teams rely on automation to delegate the responsibility of threat intelligence. They use automation to enable the identification, investigation, and analysis of signals and to glean actionable intelligence from their telemetry. When modern lean sec teams offload the heavy lift of conducting investigations and automate how clues are gathered, they gain actionable intelligence without exhausting themselves. Automated investigation of telemetry can determine the root cause of a threat, identify the scope of the attack, remediate (or direct the team how to remediate) those attack components, then produce insights for the team to digest and learn from.

Improve remediation efforts by letting automation assist

Remediation efforts can only be as comprehensive as the understanding of an attack. And fast, effective remediation has, in the past, been stymied by challenges to monitor, detect and then draw insights from security events. Lean security teams have struggled with all-hands-on-deck scenarios requiring significant manual intervention due to their limited roster and oftentimes, the depth of expertise they could direct at the problem.

Today’s lean sec teams, however, are far less challenged by rushed and partial investigations. Automated remediation enables lean sec functions to set rules and policies that identify and apply an immediate solution to an attack, without requiring manual intervention from the security team.

These automated actions include gathering threat intelligence that will inform the countermeasures and supply actionable insights about correlating signals to anticipate future events. Automating response and remediation, however, doesn’t mean all-hands-off all the time! Even if a lean sec function has scaled back the degree of manual intervention, they still set the policies that determine which alerts are urgent and flagged to them and which information is funneled to or through the team.

Lean cyber security is not “lite”

The days of “lean” referring to everything a security team doesn’t have – disposable budget, staff, expertise, advanced capabilities – are over.

Today, “lean” means spry teams that show athleticism in the face of attacks, operate using cybersecurity portfolios with the fat trimmed, inform their every move with exceptional threat intelligence, and defend their organizations with integrated series of smart defenses.