IT and Security (and Incident Response)

I have often been caught saying that cyber security should not be performed by IT teams, and I would add that incident response should not be done by IT teams either. I think this is sometimes misunderstood as a dig at IT teams and their leadership. I definitely want to make sure it is not viewed that way, but I also believe IT leadership has a responsibility to clearly identify where their expertise is and isn't. There is a propensity to always say yes when executive management asks for a function to be performed, and IT personnel are not always aware of the challenges they will face during the installation and management of new security products. This lack of awareness is even more clear-cut when IT teams are asked to respond to a security incident. Case studies show that an IT response to an account takeover attack or data breach is almost never successful. This is most likely because attackers have become better at gaining persistence and are very aware of the most common tactics IT teams use to remove them after discovery.

Let me stay focused initially on IT as it relates to the installation of new security technologies and applications (incident response will be the subject of a future blog). When firewalls were first being deployed, they were a new IT device. They were a one-off in that we didn't foresee many other security products being deployed, so they were treated as an extension of our web presence and/or servers and routers. Modern EDR was a natural outgrowth of antivirus technologies and so was lumped into the IT stack as well. But this is no longer the case. EDR, as an example, requires much more management and monitoring than prior antivirus products. That is why companies like CrowdStrike have become so successful with their Falcon Complete package: they offer external expertise as part of their endpoint licensing. That model should show us that the installation of the product is an IT function, but the management is better handled by external expertise.

I will say, some of this is changing. Many IT teams are starting to develop internal expertise, and that is a good thing, but when a new security technology product is being deployed, that is when we need an honest assessment of the internal skill set of the team to determine whether they have real-world experience in the installation, management, tuning, and monitoring of the product. This is highlighted dramatically by statistics showing that the majority of MFA deployed by internal IT teams fails when confronted with a penetration test or external attack. So how did we get here? Learning a security product is more than installing it, and I often joke that watching a YouTube video does not make someone an expert or grant any measurable expertise. When considering a new security technology, it is critical to have some form of technical assistance in the deployment and management of the product. This could be an MSP or MSSP, or it could be the technical support team for the product itself. Security products are like laying a minefield: you should never ignore the minefield after it has been laid, but instead should have overwatch and a program to monitor and tune the defense as the attacks change.

Let's Talk