Infosec teams are under a figurative DDoS (distributed denial of service) attack caused by a variety of business and operational factors that overwhelm them and keep them from crafting strategies to address long-term challenges.
Instead, infosec pros spend most of their time at work doing “day-to-day” tasks due to issues like understaffing and an overload of security alerts, according to Joseph Blankenship, a Senior Analyst at Forrester Research.
“We have far too many alerts and too few analysts. We need to get a lot smarter about dealing with alerts,” he said during his keynote “DeDoSing IT Security” at the Qualys Security Conference on Wednesday.
At a high level this means infosec teams need to look for the right tools that automate prioritization of the vulnerabilities in their environments, so that they can devote their remediation resources to patching the most critical problems.
Today, according to Blankenship, the most common tools used by security teams to prioritize, visualize and share data are spreadsheets and email. “We’re still using archaic tools,” he said.
With regards to staffing, a recent Forrester Research study found that 62 percent of enterprises don’t have enough security professionals, and 65 percent said finding people with the right skills was a challenge.
Another common problem with infosec teams is that they work in silos and often don’t communicate or collaborate enough, which affects the efficacy of their efforts to protect their organization’s IT environments. Cooperation and sharing of data are key for infosec teams, he said.
While this is happening, hackers are often reaching for low-hanging fruit to carry out their breaches: vulnerabilities for which patches exist but which remain unfixed in many IT environments because infosec teams aren’t functioning effectively.
A related problem is that many businesses continue to use obsolete IT products – both hardware and software – which are no longer supported by their vendors, so new vulnerabilities don’t get patched. These products need to be periodically reviewed and, if necessary, decommissioned, because many have become attractive attack vectors for hackers.
Then there’s the new technology, like mobile devices – laptops, cell phones, wearables – that employees use to connect to their companies’ networks and access corporate data, a risk that needs to be properly addressed by infosec teams as well.
What To Do?
For Blankenship, the solution to this situation lies in five key elements: focus, prioritization, visibility, improved collaboration and automation.
This translates to aligning security strategies and policies with business goals, which helps put things in focus and brings the proper perspective to infosec teams.
In today’s business world, that often starts with the customer, and making sure the digital customer experience is the right one, both from a business perspective and from a security and privacy perspective.
Without a business-security alignment, infosec teams tend to be reactive in their work and focus on things that aren’t a business priority, instead of being a business enabler. “Don’t do security for security’s sake,” he said.
Blankenship also stressed the importance of actively prioritizing, since infosec teams don’t have the resources to fully protect every asset and fix every flaw. Not all vulnerabilities are created equal, so infosec teams need visibility into the threats that present the biggest risk to their organizations at any given time, and focus on fixing those.
This means, for example, understanding which of your employees are bigger targets, which of your data is most attractive to bad actors, which vulnerabilities are being actively exploited in the wild, and which of your IT assets play the most important roles in your environment.
In addition, remediation work needs to be optimized with better workflows and more communication and cooperation, as well as automated with the right tools for correlating data and managing the patching process.
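As an added illustration of the prioritization and automation points above (this is example code, not the speaker's or any vendor's), the following Python ranks a constructed set of findings by the factors Blankenship lists: active exploitation in the wild, the asset's role, how attractive the exposed data is, and whether a high-value user is affected. The weights, the `Finding` fields and the `VULN-*` identifiers are all assumptions made for the demonstration.

```python
# Added example: risk-based prioritization of vulnerability findings.
# All weights and sample data below are constructed assumptions, not
# values from the talk or any real scanner output.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # base severity 0.0-10.0
    exploited_in_wild: bool
    asset_role: str        # "internet-facing", "internal", "lab"
    data_sensitivity: str  # "regulated", "confidential", "public"
    high_value_user: bool  # exposed user is an admin/executive target

ASSET_WEIGHT = {"internet-facing": 3.0, "internal": 2.0, "lab": 1.0}
DATA_WEIGHT = {"regulated": 3.0, "confidential": 2.0, "public": 1.0}

def risk_score(f: Finding) -> float:
    """Combine base severity with business context. Unknown role or
    sensitivity falls back to the lowest weight instead of raising, so a
    gap in the asset inventory never hides a finding from the queue."""
    score = f.cvss
    score *= ASSET_WEIGHT.get(f.asset_role, 1.0)
    score *= DATA_WEIGHT.get(f.data_sensitivity, 1.0)
    if f.exploited_in_wild:
        score *= 2.0   # known exploitation dominates the ranking
    if f.high_value_user:
        score += 5.0   # targeted-user exposure bumps, but does not multiply
    return round(score, 1)

def prioritize(findings):
    """Return findings most urgent first; ties broken by higher CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)

# Constructed sample inventory: note that the highest-CVSS finding (VULN-A)
# is on a lab box with public data and ends up last in the queue.
SAMPLE = [
    Finding("VULN-A", 9.8, False, "lab", "public", False),
    Finding("VULN-B", 7.5, True, "internet-facing", "regulated", False),
    Finding("VULN-C", 6.1, False, "internal", "confidential", True),
    Finding("VULN-D", 5.3, True, "internal", "public", False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id:8} score={risk_score(f):6.1f} cvss={f.cvss}")
```

The point of the ranking is the one the talk makes: raw severity alone puts the lab-box finding first, while context puts the actively exploited, internet-facing one on regulated data at the top.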
Finally, all of this work needs to be tracked and measured so that the infosec team can see how effective it’s being and so that it can share its progress and successes with IT and business leaders.
“Show your wins when you get that chance,” he said.