Gartner Blog Network


Security Without Security People: A [Sad] Way Forward?

by Anton Chuvakin  |  June 29, 2017  |  10 Comments

This post is a convergence of a few things: our recent foray into more basic security areas (moving from threat hunting toward vulnerability management), my experiences at a recent Security Summit and of course recent ransomware-like incidents (from WannaCry to Petya).

So, we analysts do lots of 1on1s at Gartner Events; these are essentially in-person client inquiries. It so happened that I took a decent number of 1on1s with organizations (some large!) that had just hired their first security professional (likely a manager, but sometimes a technologist) or that had no full-time security people at all (so a Director of I&O or even a CIO was talking to me). Many of these organizations were definitely not SMBs! The epiphany that resulted from this is as follows: a lot, A LOT of perfectly great security advice is 100% useless for those guys.

First, everything that starts from “have your security team …” goes into the wastebasket. Next, everything that requires specialty skills (“have your SIEM engineer do…”, “your incident responders will…”, etc) goes for a toss too.

Indeed, even larger organizations buy more boxes than they have people to run them, but for these guys the situation is dire: no box that requires an FTE will deliver value to them due to the lack of said FTE. So, essentially no SIEM, no EDR, no DLP, no UEBA, etc.

Sure, some security tools perhaps can be run by IT operations teams (firewalls by networking, EPP by the desktop team). On the other hand, telling these companies to rely on “shoot and forget” [well, relatively so!] preventative controls like …you got it… firewalls and EPP is also bad advice, since they are no match for today’s “better” threats. This also gives birth to such clichés as “ransomware only affects ‘security-stupid’ organizations”, etc – not really, but it does affect the short-staffed more than others…

Some of you are reading this and thinking, “Hold my beer, I am going to quit my job and start an MSSP! WIN!” Hold on! MSSP alerts need to be triaged, somebody needs to tell an MSSP which security settings you want changed, etc. All this requires people with security knowledge. By god, even selecting the right MSSP requires security talent, otherwise there is a high risk of a vendor taking advantage of you. Also, as an MSSP, you’d face some of the same talent shortage and cost issues…

Where are you taking all this, Anton? Three conclusions:

  1. we are all kinda screwed since “damned if we do, and damned if we don’t”
  2. if you think you can do security well without security people, you are so deluded – and probably breached too
  3. however, we need to REALLY focus on making the available people work effectively and efficiently.

This is the only way to survive! “Force augmentation” should be the only game in town.

And, no, it does not automatically mean “buy SOAR tools” because their current implementations often require a lot of good people to jump start the implementation….

Category: philosophy, security

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Security Without Security People: A [Sad] Way Forward?


  1. Marius says:

    I think the problem you describe is not solvable with staff augmentation, since staff needs to be led and managed. By execs.

    The core problem is that security technologies are inefficient without people, process and technology alignment.

    If you eliminate the people part, because you cannot hire or because you see that developing skills is too costly, the logical conclusion is efficiency loss.

    I have seen a lot of SMBs and corporations with boxes (DLP, IPS…) no one could configure. Staff was untrained. Box got replaced. Staff remained untrained. Box got replaced…

    My recommendation to these clients was to attach the brochure (“no configuration required”, “out of the box security”, “100%”) to the service contract with the vendor of the box. – To get around the merger clause.

    Related to a strategy to get staff augmentation, that can do wonders.

    Best,
    Marius

    • “I have seen a lot of SMBs and corporations with boxes (DLP, IPS…) no one could configure. Staff was untrained. Box got replaced. Staff remained untrained. Box got replaced…” <- exactly this! This I've seen so many times it makes me cry :-)

      Thanks a lot for the comment!

      • BTW, staff aug in many cases is “replace hiring with MORE EXPENSIVE consultants that don’t really report to you” – no idea how it can be an overall solution, but tactically it can help for a while, I presume.

  2. LvFreerDi says:

    The challenge of finding enough security professionals is significant. Having sat and listened to several CISO and senior security leaders recently this is absolutely top of mind for them! A SOAR platform MUST deliver on the promise of leveraging intel from past investigations AND Sr. Threat Hunters activities to help new/less experienced IR team members learn and move from hire to productivity faster! More importantly to allow all security teams (Network, Application, Architecture) to easily COLLABORATE. If a platform can deliver in effect “JIT” training, without costs of training class, time away from desk and other assoc costs then that seems compelling.

    • Mike Perez says:

      I do want to lend a counterpoint to the “there isn’t enough talent” type of comment. I live in the Northeast and know quite a few qualified infosec folks who have been looking for work for *months*. I also know quite a few non-infosec but “everyday in the trenches” IT people (server admins, desktop admins, etc) who are looking to enter infosec who never get callbacks. Industry is just not really serious about security threats, or at least seemingly unwilling to hire, never mind hire and train. It's a basic economics problem from what I can tell. If breaches/intrusions are only a temporary hit on the tally sheet, most organizations see no long-term benefit to increasing headcount.

      • Sorry for a delayed response, was on vacation this week.

        Indeed, some of the “TALENT SHORTAGE!!!” screams do ring fake to me too. I’ve seen “CSO for $85K in major city” or “level 3 sec analyst for $50K” job reqs that are just stupid; these orgs’ “talent shortage” is 100% self-inflicted…

  3. The way forward in cybersecurity is not removing people from the equation. The solution should not solely be focused on improving technology but focused on changing the relationship of how humans interact with cybersecurity technology. Humans are still the greatest resource with common sense reasoning and creative thinking to apply experience to new situations. Providing a better delivery model to align the technology to fit more with normal human expectations opens the resource pool to better cybersecurity technology and professionals.

  4. Keith Scott says:

    I think the problem is not solvable. If you eliminate the people part, because you cannot hire or because you see that developing skills is too costly, the logical conclusion is efficiency loss.

    • An excellent point indeed. It is essentially “how do I fly to the Moon if I lack a spaceship, plane or even a car?” kinda question. The answer is “YOU DON’T” :-)
