How Security Leaders Succeed
Security leadership (directors, security architects, managers, shift leads, senior analysts, etc.) must be able to understand the larger picture, translate security into the language of the business, and hold a degree of deep technical knowledge matured over a long career. Throughout my career I have watched security leaders either succeed or fail based on how they navigate three very common pitfalls:
1. Disadvantageous Support
The security leadership team has a responsibility to ensure that it provides the appropriate level of training and mentoring to the newer and less experienced security professionals on the team. Leaders must be sensitive and actively aware of how and when they reward, discipline, or punish any individual. Too much discipline or punishment has a tendency to erode the free-thinking, innovative environment that successful security teams depend on. For instance, disciplining a security engineer who took liberties with their data set to improve their own working efficiency could very well decrease the likelihood that they will innovate or improve security processes in the future, even when that liberty represents a positive step forward in operational maturity. The better response is to capture the improvement, review it for risk, and fold it into the team's standard process.
2. Opaque Communication
A very simple and quick win for any security leader is to build simple, transparent communication practices into the team's daily activities. If a security leader is making a decision on behalf of someone who works for them, it is very important that the leader does not leave that person in the dark but instead communicates the intent and reasoning behind the decision. Little things like explaining the why and the how can make a world of difference to someone. Maintaining that level of transparency with your team helps each member understand their role in the larger picture and positions them to contribute to the team's security success.
3. Impractical Expectations
While systems and tools may provide real-time detection and analysis over data, human interpretation operates at a slower speed. Many security leaders assume that if an analyst receives an alert and is presented with some supporting data, they will be able to decide rapidly whether a breach has occurred and to what extent. In reality, this places immense pressure on the individual, and the mandate for a quick and final decision is grounded not in the needs of the situation at hand but in the unrealistic expectation set by the leader. It is unreasonable to expect someone to detect and ascertain all of the pertinent details of a potential compromise in anything that resembles real time or near real time. Even if a security analyst is able to determine that malware has been installed and C2 communication is present, they still do not know how the attacker got in, which other machines the attacker is interacting with, the nature of the attacker (structured or unstructured), or whether the attack is ongoing; each of those questions requires its own evidence gathering and correlation before a scope can be stated with confidence. Dwell-time statistics from real-world cyber attacks show that attackers will often persist within a network for months, and sometimes up to a year, before executing the final stage of the attack. As a security leader, it is critical that you consider the sheer volume of planning and preparation the attacker is bringing to the table, and that you respond collectedly by ensuring your team puts quality, efficiency, and consistency before anything else.