Security / October 8, 2017

Cybersecurity in the Workplace: Adapt or Go the Way of the Dodo

Adaptation is one of the fundamental drivers of evolutionary change. The history of the world is one of changing environments, where organisms that could evolve and adapt to those changes survived. Those that didn’t, died.  When enough succumbed, the species became extinct. Only adapters thrived.

The same goes for cybersecurity in the workplace. We can’t accept a set it and forget it cybersecurity culture. Rather, we must embrace one of adaptation.

Leading analyst firm Gartner agrees. In its “CARTA” report, the company leads with adaptation – to risk, to trust assessment, to security mitigation in real time based on adaptive trust responses. As an information security (InfoSec) industry, we really have no option but to adapt. I often joke with my network colleagues that they’re lucky their primary adversary is physics. Physics can be random, but it’s not maliciously working around our defenses the way threat actors do. For us, threats are always evolving and therefore, so too must we.

There are so many challenges. For example, we’ve been using extreme approximations as a good way of evaluating trust for years. Think of policy-driven firewalls: You had an inside – where the trusted people are – and the outside – where the “bad guys” are. Indeed, early firewalls even called the internal and external interfaces, respectively, trusted and untrusted. Unfortunately, these gross approximations live on in so much security thinking, even though we know they’re long past their use-by date. They fail to acknowledge issues like the insider threat of both malicious and non-malicious intent varieties, they fail to deal with business realities like outsourcing and bring your own device (BYOD) and they fail to address that even trusted insiders are often outside corporate networks.[1] 

Staffing is another issue. Cybersecurity Ventures claims that cybersecurity unemployment is at “zero percent.” This matches discussions I had at the recent Garter Risk and Security Summit 2017, where the difficulty of hiring good InfoSec talent was a constant talking point across all industry verticals.

Compounding this issue is the challenge universities face in trying to train the number of InfoSec professionals the industry needs. InfoSec is constantly evolving, necessitating major changes in curricula from year to year. The diversity of knowledge needed by an InfoSec professional can be huge and cover everything from very-large-scale integration (VLSI) design to databases and big data analytics. With no agreed taxonomy of the sub-branches of this discipline, higher educators are challenged to comprehensively tailor courses to suit all areas. Moreover, it’s not only educators who are sometimes challenged, but also human resources (HR) specialists, who do not have a clear idea of what to look for during the hiring process and can often filter out promising candidates.

Fundamentally, the best experience comes from doing InfoSec in a real-world environment. As an industry, we need to realize that InfoSec professionals have a wide range of skillsets and in many cases, some different approaches to thinking and problem solving that may not be well explored or analyzed in typical IT recruitment processes.[2]

On one hand, we have high-demand, often expensive talent. We need to use their skills and experience sensibly because they’re a limited and valuable resource. The last thing we want is to waste their time on meaningless, repetitive tasks that not only bore and frustrate them, but come at a high opportunity cost.

So, what’s the solution? How do we adapt? Automation. This really should be an obvious conclusion since any process that can be automated is a waste of a human’s time. Think of all the other things our expensive professionals could be doing with that extra time.

The Gartner CARTA approach itself acknowledges the criticality of automation towards evolving security architectures. With a CARTA strategic approach, we shift from the one-time “perfect” macro-security decision toward a context-dependent set of micro-decisions, constantly evaluating an ever-changing context and evolving status of the participants within a complex digital ecosystem. It becomes practical to do this when you have enough intelligence to flexibly and reliably detect known and high probability threats and the ability to apply automation.[3] An InfoSec  team can triage the remaining threats, which may be detected at low probability, confirm whether they are real issues and issue manual commands to address them and can later be orchestrated in the automation.

Gigamon understands the value of automation. That’s why we have invested so heavily in the capability to automate visibility into the ever-growing toolsets that organizations will need in the future.

Our aim is to help increase tool efficacy and turn the current machine-to-human fight – where organizations are disadvantaged due to a shortage of skilled manpower and resources – into a more defendable machine-to-machine battle. That way, we can use our expensive, skilled InfoSec professionals in the domain that they’re best: identifying and defeating the unknown risks and malicious, high-skilled threat actors who need human attention.

I’ll repeat what I said above: Anything that can be automated should be automated. Leave the humans for the tasks that require human intellect, insight and experience.

Designed to help InfoSec professionals save time and stay focused on critical tasks, our Defender Lifecycle Model is all about automation. Mapping to the five functions – identify, protect, detect, respond and recover – of the National Institute of Standards and Technology (NIST) Framework, it begins with granting security tools easy access to relevant data and then stretches to encompass machine learning for baseline building; artificial intelligence (AI) to uncover anomalies; and automation to accelerate a defender’s ability to contain and prevent attacks from propagating. It demonstrates how the power of pervasive visibility can turn security into a constantly adaptive, automated model that is essential to implementing CARTA in the real world.

Read the Gartner research note on continuous adaptive risk and trust assessment “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats” to learn why visibility is key to securing digital business.

[1] Case in point: According to Google Earth, the author’s normal work location is 11,960.79 kilometers or 7,432.09 miles from the Gigamon corporate network in Santa Clara.

[2] In 2014, when Gigamon started to aggressively pursue security opportunities, I was approached by several sales directors who essentially told me the same story. They’d pitched the Gigamon Visibility Platform to a security team who had turned to each other and started to map out how an attacker would attempt to compromise the Gigamon infrastructure. This is behavior they had not seen amongst the network teams they traditionally sold to, and they saw it as a major red flag and a negative sign. I had to explain that, “No, this was a positive sign: Security architects are typically ‘worst case’ thinkers, mapping out chains of attacks to understand that their defenses were strong.” I explained to the sales directors that it would be a red flag not to see this behavior. Good InfoSec professionals habitually think like attackers. It’s a professional habit that serves them well. However, HR professionals can see this very characteristic as dangerous or inappropriate and I’ve seen good candidates rejected for this reason. I’ve also seen good InfoSec professional rejected because they don’t look like the typical IT team. Rejecting InfoSec professionals because of characteristics unrelated to their actual performance is counter-productive and hurts us all in the long-term.

[3] Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Back to top