By now you are painfully aware that effective security needs people as well as technology. You know you need to staff up, and you’ve got lots of options: experts, entry-level, service bureau, staff aug., tiers, providers, etc. And you’re looking across Capex, Opex, project, operations, org. chart, and head count.
My question to you is:
“Are you looking across the kill chain and staffing each point where human intervention is required?”
Here’s the kill chain reimagined for security projects and operations.
Reconnaissance: Skills updates, attack patterns, threat landscapes, new approaches.
Weaponization: Technology procurement, engineering & automation, training & certification.
Delivery: Project delivery, infrastructure installation, process implementation.
Exploitation: Communication & consensus, corporate deployment, stabilization.
Installation: Tracking & retention, enforcement levels, advanced analytics.
Command & Control: Threat intelligence, daily triage, engineering & orchestration, response automation.
Actions & Objectives: Stopping attacks, detecting breaches, responding to incidents.
Looking at these terms, you can easily see which ones are “technical” – automation, technology and infrastructure, and which ones are “human” – communication, triage, skills.
What may be less obvious, though, is how certain staffing models or assumptions can create weaknesses in the chain.
Let’s start with the one we all know: Lean staffing. You might even have a one-person show.
Where is that most likely to affect the kill chain?
Reconnaissance: Your person doesn’t have time to update their knowledge or skills, research threats or trends, keep up with the hackers who DO have that time every day.
Delivery: The solution may be highly efficient, but delivering it can take significant effort, and your person has too many distractions.
Command & Control: Daily triage means daily effort, typically structured and scheduled, and your person has too many unstructured interrupts and not enough energy to concentrate.
Getting Creative about Remedies
Command & Control: Consider outsourcing “detection” to an MSSP.
Delivery: Go with a full-service vendor or partner that can implement for you soup to nuts. And build in plenty of package-based and consulting-based training/education for your person.
Reconnaissance: Security is a full-time job. Maybe the cheaper solution here is to hire for some of the other hats your person is wearing. If you are a smaller business, maybe it’s time to get your lone wolf a “help desk person.”
Let’s pick another one that I called out as a solution but, like all great benefits, brings its own risks: outsourcing.
I described it above as a remedy for weakness in our so-called “Command & Control” link. In fact, it covers other areas too, such as “skills updates” in “Reconnaissance” and potentially “infrastructure” in “Delivery.”
But can that approach then bring, or reveal, weakness in other links? Where it most often hits is in “Delivery.” Your services partner may have a preferred way of “Engineering & Orchestrating” your physical technology solution. Does your technology vendor or implementation partner mesh with that approach?
Exploitation: If you have to “sell this to the organization,” who knows how to work that angle better? Is that another vendor, or is that still you?
Actions & Objectives: When your MSSP detects a bad guy, do they also offer responder services? Can your person do that part himself? Do they have the bandwidth and the skills?
Getting Creative about Remedies
Delivery: Choose vendors that reference and partner with one another. Use a “trusted advisor” to coordinate parties and envision solutions.
Exploitation: Choose an implementation partner or technology vendor that has a methodology, sample deliverables, collateral and communication plans.
Actions & Objectives: You can go with best-of-breed, one-stop shopping, training your team, or a combination of the above – just think in terms of covering all the links in the chain.
Bottom line – it’s not just about staffing up, it’s about staffing right. And don’t worry about exactly what “the right answer is,” because there isn’t just a single answer. Rather, let your knowledge of the kill chain, and of your own organization and operations, guide you.