PacketWatch Blog

Should your IT person also manage cybersecurity? | PacketWatch

Written by Todd Welfelt | February 21, 2025

Part of my job as a Cybersecurity Consultant is letting people know WHY they need a dedicated security group to watch over their business.

Managing Risk

Sometimes, the education process is easy because an attacker has already compromised their network and the damage has been done. Other times it’s much more difficult because people think ‘they are too small’ or ‘aren’t a threat’ thinking they are safe by obscurity. The most difficult ones, however, are the ones that think IT equals Security.

While there are some crossover points, and good IT administration does help reduce your risk, adding security work on top of IT duties demands effort and time that most IT administrators simply don't have. By engaging a security consultant or hiring dedicated security personnel, you can keep the business running smoothly while also identifying and remediating security risks before they can be exploited.

A Day in the Life of an IT Administrator

I started my IT career as an IT administrator, eventually becoming a Senior Administrator for a large organization with 20 physical sites from coast to coast. From there, I became an IT consultant and managed large numbers of clients, endpoints, and networks. My day usually started before my feet hit the floor, reviewing email alerts, trouble notifications, and backup test results. By the time I had poured my cereal and consumed my second cup of coffee, I had likely responded to a dozen emails and made at least two calls to check on something.

From there it just got more and more hectic. Systems not responding, printers not printing, equipment that needed to be tested and installed, upgrades to be planned, and projects to manage. While I always made a significant effort to ensure these items were addressed with the known best practices in mind, my primary focus was on business continuity and making sure users were able to perform their job duties with minimal interruption.

A Day in the Life of a Security Consultant

I’ve been a security consultant for 10 years now, and the first part of my day hasn’t changed much. I check my phone, review messages, and respond to alerts. From there, however, things change. I spend an hour or so drinking coffee and reviewing the latest security blogs, threat intelligence, and security trends. I research products that fulfill a role in minimizing cybersecurity risk. I constantly work on identifying the tactics and techniques attackers are using so I can implement controls that minimize the risk and impact of an attack. By the time I’ve reached the office, I’ve been analyzing vulnerability assessments, risk analyses, and network traffic for signs of attempted exploitation.

Most of my day is spent analyzing data, putting together strings of activity, and critically testing the effectiveness of implemented controls. I’m not focused on the day-to-day processes of keeping the business running. Instead, I’m in a constant state of vigilance knowing that attackers are mostly opportunistic and making every effort to reduce the opportunities for my clients to be impacted.

Why Separation is Important

Keeping these duties separate becomes critical for any organization looking to truly reduce its cybersecurity risk. While many of the technical controls used to protect an organization rely on IT to implement and manage – firewalls, password management, patching, endpoint management, etc. – a significant portion of the Cybersecurity job requires testing to ENSURE those controls are implemented fully, looking for ways to get around controls, and validating that standard processes are being followed everywhere in the organization. Everyone is human, and mistakes will be made. It is the responsibility of the Cybersecurity team to identify these mistakes before they are exploited. This makes objectivity essential. Even if your IT team is phenomenal, mistakes are always going to happen, and having someone step in to gently identify and remediate them lets the IT team keep its focus on keeping the business running while the Cybersecurity team focuses on staying ahead of the ever-present attacks.

Conclusion

Many people assume that IT is the same as Cybersecurity.

While some processes and procedures do overlap, each group serves an entirely different role in the organization. Cybersecurity teams will identify a vulnerability – be it a missing patch, a behavioral or process-related issue, or a newly identified threat – and provide the remediation steps to IT. It then becomes the responsibility of the IT team to implement the remediation before the Cybersecurity team can validate its effectiveness and hunt for more risks. By combining these two scopes into a single team or individual, even in a small team, you reduce the effectiveness of that team, increase the risk of a cybersecurity incident, and force the team to choose between addressing an identified risk or returning to business as usual as rapidly as possible.

If you don't have enough cybersecurity people on your team to separate these tasks, you might want to consider contacting a managed security organization, like PacketWatch.

Todd Welfelt has an Information Technology career spanning more than 25 years. He has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks, as well as provide real-world risk reduction.