Balancing your cyber team

Security leaders often ask how many security professionals they should have on their teams. It’s a good question, and it requires an answer tailored to the decision-making processes of the enterprise. The train of thought that results in a tentative answer usually proceeds as follows. The organization failed its most recent assessment or suffered a breach that resulted in loss. Therefore, it needs more cybersecurity capability. For more capability, it needs more technology and more people. To buy more technology and hire more people it needs more money. Leaders justify the budget increase by demonstrating that the organization is out of step with the industry trends and lagging behind its peers. They know this, because they have benchmark data showing that, for example, the typical company in their industry deploys a ratio of five cybersecurity professionals per 100 IT staffers. So, if the company has an IT staff of 5,000, then it should have 250 cybersecurity professionals on the team. If it only has 150 cybersecurity professionals, then the benchmark data implies that it needs to hire 100 additional team members just to achieve parity with its industry’s average.

This approach to right-sizing the security team, while effective in most budget discussions, has two major weaknesses. First, it assumes that the industry average represents an appropriate and desirable state to strive for. Depending on the industry and the specific risk profile of the company, this is a dubious assumption. Second, it doesn't consider how, or even whether, the additional staff would add value or improve security. Before looking to hire, security leaders should first consider how their existing team members create value and identify any imbalances. This article discusses one approach for evaluating the balance of a cybersecurity team: the ratio of insight producers to insight consumers.

Classifying cybersecurity functions

The assorted functions common to a cybersecurity team can be divided into two sets: those that produce insight and those that consume it. "Cybersecurity insight" here means new knowledge, awareness, or understanding of the organization's security or risk posture. The functions that produce insight are those that result in a report, populate a dashboard with meaningful metrics, or yield conclusions and recommended courses of action for improving security. Example insight-producing functions include vulnerability identification and tracking, penetration testing, cyber threat intelligence, and all types of assessments. Functions that consume insight are those that must be guided or calibrated by the output of insight-producing functions in order to be maximally effective. Insight-consuming functions include vulnerability remediation, security monitoring, the deployment of targeted countermeasures, cyber threat hunting, and security incident response.

The cybersecurity value chain integrates functions that produce insight with those that consume it to create security improvements. For example, the security team combines the results of the last penetration test, the latest enterprise vulnerability listing, and a steady stream of analyzed cyber threat intelligence to synthesize a prioritized plan for remediating vulnerabilities. Similarly, an organization's incident response capability is greatly enhanced by an understanding of the threat actors that have previously targeted similar organizations.

Insight starvation

Many teams have an imbalance between their functions that produce cybersecurity insight and those that consume it. This results in waste and suboptimal performance. Consider a team that is responsible for remediating vulnerabilities across the enterprise. They could use a number of techniques to prioritize their work. They could arrange vulnerabilities by severity or CVSS score to arrive at a prioritized list. They could arrange vulnerabilities by their assessment of the complexity of remediation to identify opportunities for rapid progress. They could even prioritize vulnerabilities based on the assessed criticality of the systems on which they’re located in order to focus attention on those systems with the highest risk ratings.

The problem with each of these approaches is that it is based on an incomplete picture of enterprise risk; that is, it lacks key insights. A critical-severity vulnerability on a printer might be a lower priority than a medium- or low-severity vulnerability on a domain controller. The complexity of remediation has little to do with the sophistication required to exploit a vulnerability. And the team's view of the relative importance of systems doesn't account for the views of potential attackers: adversaries go after the targets they actually want, not the targets that defenders think they want.
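The contrast above can be made concrete. The following is an added example (not code from the article) that ranks a constructed set of findings three ways the article describes (by CVSS score, by remediation effort, by asset criticality) and then a fourth way that also consumes threat-intelligence insight. The asset criticality tiers, the "actively exploited" and "targeted by sector actors" flags, and the weighting in `insight_score` are all assumptions made for illustration; the finding identifiers are not real CVEs.

```python
"""Vulnerability prioritisation with and without consumed insight.

Added illustration, not part of the original article. Findings, asset tiers,
threat-intel flags and weights are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str                  # constructed identifier, not a real CVE
    asset: str
    asset_role: str               # e.g. "printer", "domain-controller"
    cvss: float
    remediation_effort: int       # assumed scale: 1 (trivial) .. 5 (major project)
    actively_exploited: bool = False        # assumed input from a threat-intel feed
    targeted_by_sector_actors: bool = False  # assumed input from CTI analysts


# Assumed business criticality of asset roles (higher is more critical).
ASSET_CRITICALITY = {
    "domain-controller": 5,
    "database": 4,
    "web-app": 3,
    "workstation": 2,
    "printer": 1,
}


def rank_by_cvss(findings):
    """Severity-only ordering: highest CVSS first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_effort(findings):
    """'Quick wins' ordering: least effort first, ties broken by CVSS."""
    return [f.vuln_id for f in
            sorted(findings, key=lambda f: (f.remediation_effort, -f.cvss))]


def rank_by_asset_criticality(findings):
    """Defender's view of system importance, ties broken by CVSS."""
    return [f.vuln_id for f in
            sorted(findings, key=lambda f: (-ASSET_CRITICALITY[f.asset_role], -f.cvss))]


def insight_score(f):
    """Assumed weighting that folds consumed insight into the priority.

    Severity is scaled by how much the asset matters, then boosted when
    intelligence says the flaw is being exploited in the wild or that actors
    who target this sector use it.  The multipliers are illustrative only.
    """
    score = f.cvss * ASSET_CRITICALITY[f.asset_role]
    if f.actively_exploited:
        score *= 2.0
    if f.targeted_by_sector_actors:
        score *= 1.5
    return score


def rank_with_insight(findings):
    """Ordering that consumes asset-criticality and threat-intel insight."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -insight_score(f))]


# Constructed sample findings.
SAMPLE = [
    Finding("V-1", "prn-lobby-01", "printer", 9.8, 2),
    Finding("V-2", "dc-01", "domain-controller", 6.5, 3,
            actively_exploited=True, targeted_by_sector_actors=True),
    Finding("V-3", "web-01", "web-app", 7.5, 1),
    Finding("V-4", "ws-114", "workstation", 8.1, 1, actively_exploited=True),
]


if __name__ == "__main__":
    for name, fn in [("by CVSS", rank_by_cvss),
                     ("by effort", rank_by_effort),
                     ("by asset criticality", rank_by_asset_criticality),
                     ("with insight", rank_with_insight)]:
        print(f"{name:22s} {fn(SAMPLE)}")
```

With this constructed data the severity-only ranking puts the printer flaw first and the domain-controller flaw last, while the insight-informed ranking reverses that order because the medium-severity domain-controller flaw is the one adversaries are actually using. The code is only a model of the article's argument; the real work is getting the threat-intelligence and asset inputs in front of the remediation team at all.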

A glut of insight

The other side of an insight imbalance is the production of insights that the team never consumes. Every team that I've ever worked with had this issue in one form or another. The typical example is the company that pays for a periodic security assessment, eagerly receives the report at the end, and promptly tucks it into a drawer to be forgotten. Security testers love these clients, because they get to keep using the same tricks year after year. The client, on the other hand, receives no value whatsoever for the investment. Security practitioners reading this would likely disagree. "Of course there's value here," they'd say. "The report is chock full of insights and recommendations!" Indeed. However, organizations can't realize value from recommendations they don't act on and reports they don't read.

Similar scenarios unfold across cyber functional areas daily. Business analysts diligently gather data to populate dashboards that no one ever views. Intelligence analysts collect information and write reports that no one ever reads. Incident responders distill their findings into wiki pages and lessons learned documents that never see the light of day. Each of these insight-producing activities has a corresponding link in the value chain where the resulting insight should be consumed, and those activities are where security value is actually created.

Balancing the team

The cybersecurity team cannot maximize the effectiveness of insight-consuming activities without providing the right type and quantity of insight as an input. Further, the team cannot realize any value at all from security insights that it produces (or purchases) but fails to consume. Thus, the resources devoted to producing and consuming insights should be balanced before new team members are hired in order to gain an understanding of where and how additional personnel can have the greatest effect.

A view of the steps needed to balance the team can be developed by answering a few key questions. First, for each role on the team, identify whether the role is fundamentally insight producing or insight consuming. For roles that are associated with multiple functions, consider this question in the context of the function that consumes the greatest percentage of time for professionals in the role.

Second, for each role, identify the complementary role in the value chain that either consumes the insights produced by the role or produces the insights that the role must consume. For example, cyber threat hunters consume insight produced by cyber threat intelligence analysts in order to develop hunting methodologies and target the most likely locations where adversary activity might be found.

Finally, conduct a reality check and adjust appropriately. The reality check should compare the expected flow and usage of insight with the actual. Let’s say our threat hunters actually use security blogs and incident reports as their main sources of insight and don’t read the reports produced by the intelligence team at all. This may indicate a lack of awareness of the team’s threat intelligence resources, a failure in communication between team members, or some issue with the quality of insight produced by the in-house intelligence team. Appropriate adjustments might include retraining or reassigning personnel, developing new policies and standards, or reorganizing entire functions for greater effectiveness.

Maximizing value

Simply adding people to the team cannot automatically create reductions in enterprise risk. Instead, efficiently reducing risk requires the right balance between security insight production and security insight consumption. Unfortunately, there are no objective standards for identifying what right looks like in this context. Leaders and practitioners must analyze their team’s activities to understand the right mix of production and consumption for their own situation.

Even the best insight can't support improvement if the team doesn't consume it, and many security professionals experience lackluster outcomes because of a dearth of needed insights. Thus, security leaders should consider balancing their team around an insight-driven value chain before seeking to hire additional defenders. The outcome will include improved effectiveness for the existing team, and it will also make for a much stronger business case for expanding the team when that becomes necessary.

Thomas Lyden

Cyber Risk Management/GRC Business Leader

7y

Adam, nice article, in its simplicity or for some thought-provoking insights. However, I would add that the measure of value needs to be in the ability to quantify the risk reduction of the efforts/investments to the entity. Maturity improvement, less vulnerable, yellow trending to green is not enough; it should be in dollars and cents.

Adam Kniffen

fight evil and build better together

7y

Great article, Adam Tyra I really, really like the model of insight producers and consumers--it's a great way to consider the higher order relationships and strengths in a security department.


Adam, nice article. I didn't realize the typical company in their industry deploys a ratio of five cybersecurity professionals per 100 IT staffers. I wonder if that ratio is consistent across all sectors? As an example, banking and public utilities can afford this ratio, but what about food and agriculture? Should they be asking the federal government for cyber economic assistance?
