Security organizations are between the proverbial rock and a hard place.
Cybercrime is rampant—hackers caused an estimated $21 billion in losses to U.S. companies in 2017, according to Accenture. Every year, attacks get more sophisticated and harder to detect and recover from. Meanwhile, security organizations are understaffed. It’s hard enough to fill entry‑level positions from a depleted global talent pool, let alone find a qualified chief information security officer.
How should a company structure its security organization to combat modern threats and account for staffing and skill constraints?
To find answers, we interviewed a diverse group of experts: CISOs, analysts, security companies, and management consultants. We also tapped academic research, such as an influential CISO organizational model developed by Carnegie Mellon University's Software Engineering Institute.
The next‑generation security team we describe below covers core responsibilities like safeguarding software, monitoring networks, responding to incidents, and training employees. We acknowledge the reality that most security teams are likely to remain shorthanded for the next few years.
Chief information security officer
Despite the title, most CISOs didn’t have C‑level responsibilities when the role emerged in the 1990s. Typically, the senior security person reported to the CIO. Today, while the debate is hardly settled, there’s a growing consensus that CISOs must report to the CEO to be truly empowered.
That’s also a reflection of how the job has changed. The CISO can’t just be a techie. Doing the job well now means educating everyone in the organization and successfully advocating for the budget to fight threats that are often hard to see and understand. In recognition of this broader mandate, some companies, such as health tech company Welltok, merge the CISO and CIO roles into one.
“It is not a stretch to find CISOs with the appropriate technical skills,” says David MacLeod, Welltok’s CISO/CIO. “It’s difficult, however, to find ones with the right business sense and people skills.”
It’s no surprise that the CISO role is still one of the hardest tech roles to fill, with a shortage of experienced senior‑level recruits.
Security executive council
Without buy‑in from other parts of the organization, any CISO will likely fail. Conversely, without insights from the CISO, the rest of the organization won’t fully embrace security strategy and culture.
A security executive council can help solve both problems. Made up of stakeholders from other parts of the organization, such as the COO, CIO and general counsel, this group helps the CISO understand and move in sync with the company at large, and also helps get buy‑in for training programs and other key initiatives.
“Even though the word ‘committee’ brings with it a sense of frustration, I think committees that have good representation from different parts of the organization can be key,” says William Beer, principal advisor specializing in cybersecurity at Ernst & Young. “It’s really about the tone from the top.”
App security specialists
App security is as old as office computing. Specialists audit, update and vet new software to ensure that every enterprise app is protected.
But the old model is under threat. The massive scale of cloud computing and the Internet of Things have conspired to drastically expand attack surfaces, while mobile trends like BYOD strain traditional controls.
Today’s app security specialists must often manage configurations for thousands of devices and applications. To do so, this new breed of app specialist needs to be familiar with the tools and tactics that can help get the job done, from AI‑assisted tooling to outsourcing and workforce training.
They also need basic investigative skills just to find out what apps an organization is using.
“How do you even find out what you have in the cloud today?” asks Dave Cole, chief product officer at security tech firm Tenable. (Tenable has a partner relationship with ServiceNow.) “As one brave person told me recently, ‘We go to the finance team and find out who has been charging Amazon Web Services, then we go and ask those people,’” he says. “It’s just bonkers. It’s too hard for a conventional organization to understand the attack surface.”
SecOps
A SecOps team keeps a company’s security infrastructure running. It’s also the organization’s watchtower, staffed with “threat hunters” and other security analysts who identify and neutralize threats.
Some SecOps teams simply observe and report attacks. But increasingly, they’re tasked with actively preventing threats.
“There are a lot of companies setting up security operations centers now, but the problem is, there aren’t a lot of people who know how to run a vulnerability response program,” says Cole.
Data overload, clunky tool integration, and lack of process automation are among the top problems reported by SecOps workers. That’s why SecOps is increasingly turning to software orchestration, which makes disparate tools work together more seamlessly. That might include heuristic detection, which flags activity that resembles patterns seen in past incidents rather than relying only on exact signatures, in tandem with emerging AI applications to support better monitoring and coverage with limited staff.
Emergency ops
This is the reactive arm of the security organization. The primary responsibility of emergency ops is to mobilize staff, activate response plans, and manage time‑critical incident management and response activities when major breaches occur.
The cost of network downtime and systems repairs after a security breach is often prohibitive. Yet companies still underfund emergency ops. Fewer than half of organizations have funds allocated for unanticipated attacks, making it harder to stop hackers quickly when they storm through the defenses.
When no incident is active, emergency teams can help out in other parts of the security org. Good threat management isn’t only about responding to incidents, however. It’s also about anticipating new threats and taking steps to stop them before they materialize.
“Companies aren’t proactive enough today,” says Beer. “They’re responding to attacks seen on a daily basis instead of thinking about what’s coming down the pike.”
Program management
A program management team provides critical connective tissue between the security organization and the rest of the company. It’s typically responsible for monitoring and meeting business objectives, and for building a “security culture” that includes all employees.
At many companies, that starts with security training—another critical but under‑supported need. Barely half of all security organizations conduct regular training. Where training programs exist, the program manager’s job is to ensure that all employees properly safeguard data.
One promising new approach is for program managers to focus on the personal security hygiene of employees. This is often more effective than asking employees to protect systems they may not understand.
“Everyone in the company should be educated on information protection,” says MacLeod. “If we provide training on how to spot an attack and how to protect their own data, they’re more likely to do it at work.”
Junior analysts
With threats increasing from every direction, companies are fighting to recruit experienced security workers. As a result, some 41% of security teams have resorted to hiring less experienced junior analysts, who are then spread across all of the security functions above, to pick up the slack.
Many companies are already using automation and orchestration tools to ease the burdens on senior workers. Automation handles repeated tasks within a single product or system, such as querying logs or scanning networks. Orchestration tools go a step further, automating tasks and processes across many different products, tools or systems.
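To make the automation/orchestration distinction concrete, here is an added example (not code from the original article or from any vendor mentioned in it): a toy SOAR‑style playbook in Python. The firewall log format, the EDR alert schema, the blocklist, the asset inventory and the scoring thresholds are all constructed assumptions for illustration. The first function is automation inside one system (querying firewall logs for connections to blocklisted addresses); the second is orchestration, joining firewall, EDR and inventory data by host and deciding what action a human should take.

```python
"""
Toy SOAR-style playbook: automation inside one tool (querying firewall logs)
combined with orchestration across tools (EDR alerts, firewall, asset inventory).
Every input below is constructed sample data, not a real alert feed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed firewall log lines in a hypothetical key=value syslog format.
FIREWALL_LOG = """\
2024-03-01T10:00:01Z fw01 action=allow src=10.0.5.20 dst=203.0.113.7 dport=443 host=ws-finance-03
2024-03-01T10:00:05Z fw01 action=allow src=10.0.5.21 dst=198.51.100.9 dport=443 host=ws-hr-11
2024-03-01T10:01:12Z fw01 action=allow src=10.0.5.20 dst=203.0.113.7 dport=443 host=ws-finance-03
2024-03-01T10:02:40Z fw01 action=deny  src=10.0.5.30 dst=192.0.2.55   dport=22  host=srv-build-01
"""

# Constructed EDR alerts, shaped like what a detection tool's API might return.
EDR_ALERTS = [
    {"host": "ws-finance-03", "rule": "suspicious_powershell_encoded", "severity": "medium"},
    {"host": "srv-build-01", "rule": "new_service_installed", "severity": "low"},
]

# Constructed threat-intel blocklist (documentation-range addresses).
BLOCKLIST = {"203.0.113.7"}

# Constructed asset inventory (CMDB-like): owner and criticality per host.
INVENTORY = {
    "ws-finance-03": {"owner": "finance", "critical": True},
    "ws-hr-11": {"owner": "hr", "critical": False},
    "srv-build-01": {"owner": "engineering", "critical": True},
}

LOG_RE = re.compile(
    r"(?P<ts>\S+) \S+ action=(?P<action>\w+)\s+src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+host=(?P<host>\S+)"
)


def query_firewall_log(log_text, blocklist):
    """Automation within one system: allowed connections to blocklisted IPs, per host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a malformed line should not abort the whole playbook
        if m["action"] == "allow" and m["dst"] in blocklist:
            hits[m["host"]].append(m["dst"])
    return dict(hits)


@dataclass
class Case:
    host: str
    score: int
    evidence: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def orchestrate(edr_alerts, log_text, blocklist, inventory):
    """Orchestration across tools: join EDR, firewall and inventory by host, then decide actions."""
    fw_hits = query_firewall_log(log_text, blocklist)
    cases = {}
    for a in edr_alerts:  # tool 1: EDR
        c = cases.setdefault(a["host"], Case(a["host"], 0))
        c.score += {"low": 1, "medium": 3, "high": 5}.get(a["severity"], 1)
        c.evidence.append(f"edr:{a['rule']}")
    for host, dsts in fw_hits.items():  # tool 2: firewall
        c = cases.setdefault(host, Case(host, 0))
        c.score += 3 * len(dsts)
        c.evidence.append(f"fw:blocklisted_dst:{','.join(sorted(set(dsts)))}")
    for host, c in cases.items():  # tool 3: asset inventory
        asset = inventory.get(host, {"owner": "unknown", "critical": False})
        if asset["critical"]:
            c.score += 2
        # Isolation only when two independent tools corroborate on a high-scoring host;
        # everything else becomes a ticket or a watchlist entry for an analyst.
        tools = {e.split(":")[0] for e in c.evidence}
        if len(tools) >= 2 and c.score >= 8:
            c.actions = ["isolate_host", "open_incident", f"notify:{asset['owner']}"]
        elif c.score >= 3:
            c.actions = ["open_ticket", f"notify:{asset['owner']}"]
        else:
            c.actions = ["watchlist"]
    return cases


if __name__ == "__main__":
    for host, case in orchestrate(EDR_ALERTS, FIREWALL_LOG, BLOCKLIST, INVENTORY).items():
        print(host, case.score, case.evidence, case.actions)
```

Run as written, the playbook escalates ws-finance-03 (an EDR alert plus two allowed connections to a blocklisted address on a critical asset) to isolation, while srv-build-01's lone low-severity EDR alert only opens a ticket; the denied connection never counts as evidence. The design point is that the playbook returns proposed actions for an analyst rather than executing them, which is how a shorthanded team can let automation triage without letting it act unsupervised.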
For the foreseeable future, though, human security pros will still need to cover all aspects of defense. “Self‑sufficiency is critical,” says MacLeod. “When things go wrong, waiting around for critical resources to be drafted is a dangerous waste of time.”