IT security is a team sport, so who do you want on your team?
Getting the gang together
Last month, I presented you with a chamber of horrors—the worst people you meet doing IT security, many of them your friends and, sadly, co-workers. But I don’t like to dwell on the negative! So I asked a slew of IT pros about the best people, the ones they want on their side when facing down the toughest security challenges. There are a number of important roles to fill, and I’m not just talking about job titles: I mean attitudes and abilities that verge on superpowers. IT security is a team sport, so who do you want on your team?
The white hat wonder
First up, you need someone on the inside with the skills and mindset of those you’re trying to keep out. “Organizations should look to hire a security professional with the skillset to conduct comprehensive penetration testing and put your security measures, procedures, and processes through the wringer,” says Destiny Bertucci. “This person should have a healthy curiosity and is probably the first to attempt hacker challenges at DEFCON.”
Greg Hoffer calls this person “the white hat wonder” and says “they’re the team’s sidekick, performing security assessments of information management systems in a mock combative manner. Their antics help build the security team’s overall performance.”
The bounty hunter
Some people just have a passion for finding bugs, and you need to find them and channel that passion. “The bounty hunter is the person on your team that could actually make a decent living just sitting around doing bug bounties occasionally but comes to work because they simply can’t get enough and dream of one day finding that million-dollar bug,” says Chris Schmidt, chief guidance officer at Codiscope. “They have mastered the art of chaining exploits and pivoting, but most importantly they’ve also developed a keen ability to prescribe solutions that enable quick and effective resolution of bugs they find. They contribute back regularly to the open source community and have a good relationship with some of the top framework maintainers.”
The musician
Dale Drew, a CSO, is looking for musicians—and that’s not a metaphor. He says musicians can take chaotic information—like large amounts of network metadata—and create an organized process to find patterns of anomalous behavior. “I have a rich history of not hiring security personnel,” he says. “Even when there were a fair amount on the market, we tended to focus on the technical expertise first and then training them on security second.”
Courtney Tray, one new team member, plays the flute. She equates pseudocoding to reading a piece of music for the first time: she scans the piece to make sure she captures the meaning, then dives in for more detail.
The enforcer
A lot of being an infosec pro involves telling people “no”: telling co-workers the apps they want to run or websites they like are insecure, that their passwords are weak, that they need to log off even if they just walk away from their desk for a second. Most people don’t find this prospect much fun—so you’ve got to find an enforcer who’s comfortable with it, says Codiscope’s Schmidt. “The enforcer commands respect among their peers. They are charismatic and excellent communicators, can discern when flexibility needs to be taken into account, and how to apply that flexibility without putting the organization at risk. Most importantly, the enforcer understands and respects the authority granted to them and doesn’t let it go to their head.”
The third-party security ninja
Sometimes your enemies can gain access to you through your friends—or at least your business partners, to whom you have to open your network even though you have no control over their security practices. “Third- and fourth-party relationships are increasingly a source of cyberattacks, system failures, and data exposure that threaten an enterprise,” says Scott Schneider. “The third-party security ninja understands that this is one of the hardest places for companies to protect themselves. The ninja’s ‘no new friends’ approach to new relationships is similar to how they approach business third parties. They understand that enterprise security is only as strong as its weakest link and aren’t willing to let an outsider cause any gaps in the company’s data management and security strategy.”
The statistician
More and more security tools can provide reams of data about your systems’ health, and you need someone comfortable parsing and interpreting it all, someone who, in Codiscope’s Schmidt’s words, “lives and breathes for metrics. They spend their morning plotting trends in log data and can spot an anomaly from a mile away. The statistician is like a human machine that accepts terabytes of seemingly incomprehensible log data and produces simple visualizations that allow even the most junior sysop to identify potential events early.”
The data worrier
Yes, that’s “worrier,” not “warrior.” Data is a crucial resource in any organization, and if you don’t have someone stressing out about it full-time, it risks falling through the cracks. “Every IT security dream team needs someone who always cares that backups and the like are in place,” says Nitin Donde, Founder and CEO at Talena. “Without the data worrier, enterprises risk accidental data deletion or application corruption, and are far more vulnerable than they even realize.”
The QA expert
Dodi Glenn, vice president of cyber security, says his security dream team includes someone poached from a different department. “My IT dream team would include someone who has played the role of a QA engineer,” he says. “They’ll understand how to deploy changes to a staging environment before going live to production. Many issues can be avoided by taking the time to deploy in a staged environment first.”
The threat hunter
Joshua Douglas, a chief strategy officer, thinks you need someone who doesn’t wait for threats to come to you. “Threat hunting is a completely proactive mindset,” he says, “involving both human hunters and advanced analytical tools. Rather than taking the traditional approach of waiting for an automated alarm or event to investigate threats, hunters find threats before the most common tools do. Their job is to search for evidence of a compromise within an environment, use that evidence to perform a forensic investigation using rigorous analytic methods, and continuously work to identify and eradicate persistent threats.”
The elite squad
What do you do when things do go south? You’ll want to assemble a core group of all these different roles, staffers preselected to represent “the best of the best in your organization,” says Codiscope’s Schmidt. This group “works on a variety of things, but in the unfortunate event that a breach occurs, they’re your organization’s best hope of defending your infrastructure as well as collecting the forensic evidence needed to prosecute an attacker.”
Brian D. Kelley, a chief information officer, says this group should have “an arsenal of special weapons and tactics to deploy when the enterprise network is attacked or breached by clandestine forces, moving quickly to engage the enemy and mitigate any active cyber threat.”
The pragmatic visionary
And who do you want as the captain of this dream team? Gene Stevens, a CTO, says the role calls for “a grounded leader who guides their team with a visionary yet executable approach. With years of wisdom accrued, they are optimists with a rigorous appetite for innovation and exploration, focused on driving the forward momentum of their team. This type of leader eschews the FUD factor, rejecting the idea that fears and doubts should be stoked to put their organization at an advantage. Rather, they confidently build on the value of their years of wisdom and innate ability to intuit solutions quickly to lead innovation and scale their team toward a positive future.”
The robot
Finally, Stephen Gates, chief research intelligence analyst, thinks you should round out your team with a robot—and that’s only partly a metaphor. “In addition to your team of humans, you need to have automated security, and you can’t have that without a team of experts developing and monitoring the technology behind it to keep it running smoothly,” he says. “To keep pace with threat actors and new threat vectors created to exploit vulnerabilities, you need automated threat intelligence services that provide real-time intelligence to minimize risk and improve overall security posture. But you also need a team of researchers and engineers who work around the clock to create the threat intelligence services using data from around the world. Together, humans and machines make up ‘the robot.’” In the future, our teammates may be the very systems we aim to protect.