By Stefan Liversidge
Cyberattacks have been making the headlines daily, and the heat is on for critical infrastructure and other industrial organizations to do something about it.
Building cyber resiliency at any speed puts a lot of pressure on an organization’s security team. Not only does cyber defense require specialized knowledge that takes time and training to develop, there just aren’t enough skilled cyber experts to go around.
Which raises the question: are the limited number of security professionals holding the front lines in danger of burnout, and what can we do about it?
As an engineer involved in building cyber security solutions for industrial organizations, I’ve seen stress levels among security staff rise sharply over the past year. My observations were validated in the recent “Cyber Security in 2019” survey of over 3,000 CISOs and security decision makers. The report found that 37 percent of cyber security professionals felt they were unable to handle the current workload, while two-thirds had considered quitting their jobs because of the pressure of cyber threats.
The situation is complex, so here are a few thoughts on the issue and what can be done about it.
Here are the three key problems I see cyber security professionals facing:
I. Cyber threats and risks change on a daily basis. Unfortunately, the operational technology (OT) team doesn’t always have the tools or resources to orchestrate an effective response efficiently. For example, one common activity, patch management, consumes vast amounts of resources within global organizations. But we really need to ask ourselves: “is this response strategy sustainable?” I don’t think so. For starters, it’s questionable whether an ad-hoc patch has any real impact on risk reduction when the surrounding systems are still left with a number of other critical vulnerabilities.
II. Cyber threats aren’t just impacting cyber security staff. Engineers are also being asked to help secure industrial control systems and to plan and implement security controls. The issue is that SOC teams and IT support staff now face an attack surface that has roughly doubled in size, due largely to IT/OT convergence. When combined with an engineering skills gap in managing and securing increasingly networked OT environments, this puts further strain on IT and security professionals.
III. Resources are limited; threats and risks grow exponentially, and organizations lack clarity on what their crown jewels are. Industrial operators often don’t have a strategic view of how to secure their most valuable assets in the short, medium and long term. Why? Because security organizations managing an ever-expanding security surface are typically consumed with reactionary activities based on perceived risk. It’s like being on a treadmill that won’t slow down or turn off. You think you have to run faster just to keep standing still.
Breaking that standing-still mentality is key to building a sustainable cyber security program. When deploying controls to address risk, companies should stop and ask themselves whether there is a better way to mitigate it. Is there something that can be done to provide ongoing security controls that also address tomorrow’s threats?
One way to get there is to build organization-wide cyber resiliency by:
1. Adopting Cyber Security Best Practices
To transition from reactive to proactive, consider adopting best practices such as those outlined by the NIST Cybersecurity Framework, the NIS Directive, IEC 62443 and the ISO/IEC 27000 series. NIST maps out five framework functions (Identify, Protect, Detect, Respond and Recover) that can be incorporated into operational processes to address cyber risk. Identify includes asset management and risk assessment, while Detect includes security continuous monitoring and insight into anomalies and events, among other categories.
2. Scoring Your Cyber Security Risk
Organizations should be able to quickly know and understand their exposure to a specific vulnerability or common weakness. CVE identifiers tell you which vulnerability you are looking at; the Common Vulnerability Scoring System (CVSS) gives it a severity score, and effective risk scoring starts there. Note that the published CVSS base score is not the ultimate indicator of risk: it describes the vulnerability in isolation, not in your plant. CVSS provides Environmental metrics (modified attack vector, security requirements for confidentiality, integrity and availability, and so on) precisely so that organizations can tailor the score to their own environment. Appropriate tooling is required to do this, because without visibility deep into the OT environment it’s really difficult to know the reachability and criticality of each affected device, and therefore to adapt the score to reflect the context of each specific environment. Users need a tool that provides that level of visibility, along with the ability to clearly communicate risk-based decisions across the organization.
3. Establishing a Governance Model and Training Security Resources
Cyber security involves people, process and technology, yet people form the largest part of any security control program. Examples of human-generated operational risk include the use of weak passwords, device configuration errors, and forgetting to remove a contractor’s access after they’ve left the organization. Because accidents happen, it’s critical to incorporate cyber security governance policies and programs into daily company life.
Beyond corporate governance, it’s also important to keep your security team’s cyber skills current. Unfortunately, many security practitioners don’t have time to develop their skills because they’re focused on keeping up with current threats.
However, the SANS 2019 Cybersecurity Research Survey found one-third of organizations are planning to invest in cyber security education and training for IT, OT, and hybrid IT/OT personnel.
Attackers are constantly changing their tactics, techniques and procedures (TTPs) to stay ahead of the game, and security professionals are often one or more steps behind. So, what’s the best solution: taking one day a week for “personal development”? Sadly, this just isn’t an option for many. Which brings me to my next point: leveraging technology.
4. Leveraging Technology
Technology should be used to empower people, enabling them to follow and adapt procedures as the threat landscape evolves. But the extended evaluation and procurement cycles for technology that helps build a proactive security posture can take 12 to 24 months, particularly in OT. During this period, security staff continue to burn resources reacting to perceived risks and threats.
But there is some good news. AI and machine learning now play a pivotal part in building a sustainable future for cyber security, and organizations are becoming bolder in their selection of advanced technology. For example, the Nozomi Networks solution automates real-time OT visibility, threat detection and cyber security, taking a load off the shoulders of IT and OT security staff.
Reduce Burnout and Cyber Risk
Is there a looming risk of security professional meltdown? I’m not sure of that, but I am sure about one thing. Burnout results in highly skilled and scarce resources becoming ineffective, which could cause them to miss key indicators of malicious activity. All of this leads to inaccurate assessments and an inability to provide proactive guidance on controls to address risk, perpetuating the endless cycle of playing catch-up against attackers and cyber criminals.
Organizations can mitigate risks by (1) obtaining and training more resources, (2) focusing on the bigger picture priority tasks and (3) leveraging technology to support the limited human resources available.
Stefan Liversidge is a technical sales engineer at Nozomi Networks.