Turnover, Relationships, and Tools in Cybersecurity
Some things, like choosing tools, are perennial problems. Others, like complete security team turnover, seem to be a more recent development within my circles. But either way, staff turnover has ripple effects that are not always immediately apparent. Let’s take a look.
Turnover
I am lucky, I get to talk about application security with hundreds of companies each year. And over the past year and a half, I’ve noticed that many have had a complete turnover in security staff.
What does this mean? Tools that were purchased by previous teams are either going unused or on auto-pilot. Alerts and notifications are going to email addresses that are no longer being monitored. Some companies do not even realize that they have some of the tools they have.
My advice is to take a moment and do an inventory on what you have. Talk with your purchasing department and get a list of tools that were purchased by the previous team. Take a moment to call each company and talk with them. Ask for a demo on the tools you have and ask how to use it. Maybe the tool is not needed, or maybe it’s the lifesaver you have been shopping around for and you already have it.
(Re)building strong relationships
A complete security staff turnover not only affects technology usage. All those relationships that the security team had with development disappeared as personnel walked out the door, and the new team must rebuild them. Here’s what I suggest:
Spend time with development. Leave your desk and take a trip over to where the development team sits. If remote, then reach out to the team leads or architects. Discuss how things are going and rekindle the relationship that was lost when the previous team turned over.
At a previous employer, I would always take time to walk around the development floor and see how things were going. This will give you insight to new products and tools that teams are building. The information gained is invaluable because it keeps you in the loop and you can plan accordingly.
And about those tools…
So maybe you don’t already have the tool you need, and the search continues. Here’s something to consider as you do your due diligence and establish your needs:
Would you hire a plumber to do a whole house inspection? Would you hire a general contractor to fix foundation issues in your home? Would you hire a teller to audit your 401(k) account? Finally, would you hire a foot doctor to do surgery on your back?
What do these examples have in common? The person being hired knows some of what needs to be done, but not everything. Why would you do the same thing for your application security program?
Make sure that you are properly staffing your programs with people who understand all aspects of security. Using your cloud security guy with no development background to handle SAST could lead to disastrous results and additional risk.
Knowledge is key in each aspect of your security program. Several vendors provide great tools, it’s a matter of understanding what value they can bring you and how they can be integrated. I understand that it can be more expensive to have a la carte security, but how much does a compromise cost?
Use your tools correctly and tune them for success. Clicking the “WAF” option in AWS does not mean you have a fully working and deployed WAF solution. These rules need to be fine-tuned by someone knowledgeable to be successful.
If possible, hire an on-premises penetration tester. Have them validate critical findings that could ruin your day. Share the actionable findings with development -– ideally via a recorded video so that they will know exactly how and why the finding is important. It will go much further than just giving them a report of 5,000+ potential security issues from a security tool.
To next year
Every year we see new technologies and new vulnerabilities, but the basics of cybersecurity tend to stay the same: building relationships with staff and taking care to purchase and implement the best security tools for the job. So here’s one last piece of advice that covers both: talk to your developers about tools before you buy them. Developers are busy, of course, but let them own some part of the process and you’ll get much better buy-in later. Do not be a roadblock, but come alongside development and work together to incorporate good security practices. Work together as a team and you will accomplish so much more.
As always, stay secure my friends.
