Building the security team of the future
Today’s emphasis on the cyber and compliance aspects of security can mean there is a risk that other strands of security, such as security management, physical security and personnel security, are being left behind or end up being de-prioritised. Mahbubul Islam from the Security Institute advises the ongoing development of traditional security to maintain a rounded service.
The increased coverage of both physical security incidents and cyber breaches in the media and the organisational response to them have signalled that there are gaps in security teams and highlighted the impact of de-prioritising other security domains, such as crisis management, business continuity, security training, vulnerability management and incident management including tabletop exercises. These security domains fall into the Respond and Recover segments: the most important areas when managing a security incident.
The speed and ease of delivery of products and services based on technological advances is leaving behind traditional security activities, such as development of security policies, standards and procedures. If there is an overly lengthy process to produce these, then there is a very good chance that projects and programmes will continue without them. The cost of implementing retrospective security controls is always higher than when implementing from the start.
Disciplines within the security team
So what should the security team of the future include? This does vary organisation to organisation; however, there are certain disciplines that should be considered to provide a diversity in terms of security background. The team should also be balanced with the following three aspects:
- Knowledge – security has numerous knowledge domains such as network, application, physical (environmental), operational security, and although some can be enhanced by certification and exams, no one can be the master of all the domains.
- Experience – experience in all knowledge domains takes years to develop and therefore organisations should focus on opportunities which enable this.
- Exposure – it is important that your security team have had the opportunity to develop their knowledge and experience by applying it in a variety of organisations. A small organisation will have different challenges to a large one. Managing security will always vary, so a team with a diversity of exposure to different types of organisation is important.
Additionally, it is very unlikely that all three aspects can be covered by one individual; therefore, organisations should pick two out of three, and allow the individual to develop the third. One way to develop these disciplines is to rotate your security team through the different areas of security delivery to enable them to gain knowledge, experience and exposure in areas new to them.
Where the organisation is of a size that can invest in an internal security team, it should include, but not be limited to, the following disciplines:
- Risk management
- Fraud, error and security analyst
- Security management including crisis management
- Security engineering
- Security architecture
- Control testing, both technical and non-technical
- Security testing/penetration testing
Security as a Service
Running a security team does attract a significant financial investment. Some consultancy firms offer security as a service, which allows organisations to invest in security resources without the financial overhead of a large internal security team. For example, an organisation with limited funding for security due to its size, could consider working with a Virtual Chief Information Security Officer (CISO)/Chief Security Officer (CSO). The V-CISO could act as a board member, and lead and shape the organisation in all aspects of security. All other security disciplines could also be covered within a virtual or outsourced security team service.
Invest in your security team
It is widely agreed that the security profession has a skills shortage. This means organisations will need to review their security strategy and include a focus on the structured development of resources. This could include:
- Enhanced security education and awareness training
- A strategy to transition existing staff into security
- An apprentice scheme
- A strong mentoring scheme
Security can be seen as a blocker by project and programme management. So, it is important to continually develop the security resource to operate in the most effective and efficient ways. Otherwise, there is a risk that organisations will end up with Shadow Security. This is where parallel security teams are put in place, separate to the centrally controlled teams, because they offer a quicker, simpler and more efficient way to deliver security. So, instead of going through organisational security process and governance, they run their own boards, approvals and defy the organisation’s security.
Recruitment and Selection
Finding the right security personal can be challenging. If your organisation lacks experience in recruiting technical security resources, you could consider using an experienced V-CISO to support the recruitment and selection process. You could also consider introducing functional and non-functional testing as part of the recruitment exercise. Whilst this can be a time-consuming process, it allows the organisation to establish the candidate’s practical experience in the subject matter.
Security is continually evolving and is moving from an assurance function to something more delivery focused. It is important to build a diverse security team, in terms of knowledge, experience and exposure, and to continue to develop this team with training and support. Although the cyber aspect of security is receiving high exposure today, we need to maintain a holistic approach to security.
Mahbubul Islam CSyP, Security Institute