Cyberattacks have been making the headlines daily, and the heat is on for critical infrastructure and other industrial organizations to do something about it – fast.
Building cyber resiliency at any speed puts a lot of pressure on an organization’s security team. Not only does cyber defense require specialized knowledge that takes time and training to develop, there just aren’t enough skilled cyber experts to go around.
Which begs the question: are the limited number of security professionals holding the front lines in danger of burnout – and what can we do about it?
Choose Your Battles (and Priorities) Wisely
As an engineer involved in building cybersecurity solutions for industrial organizations, I’ve seen stress levels among security staff accelerate significantly over the past year. My observations were validated in the recent “Cyber Security in 2019” survey of over 3,000 CISOs and security decision makers.1 The report found that 37% of cybersecurity professionals felt they were unable to handle the current workload, while two-thirds considered quitting their jobs due to the pressure of cyber threats.
The situation is complex, so I’d like to share my thoughts on the issue and what can be done about it.
Here are the three key problems that I see cybersecurity professionals facing:
I. Cyber threats and risks change on a daily basis. Unfortunately, the operational technology (OT) team doesn’t always have the tools or resources to efficiently orchestrate an effective response.
For example, one common activity – patch management – consumes vast amounts of resources within global organizations. But we really need to ask ourselves “is this response strategy sustainable?” I don’t think so. For starters, it’s questionable whether an ad-hoc patch has any real impact on risk reduction, given that overall systems are still left with a number of critical vulnerabilities.
II. Cyber threats aren’t just impacting cybersecurity staff – engineers are also being asked to help secure industrial control systems and plan and implement security controls.
The issue is that SOC teams and IT support staff now have a security surface that’s doubled in size due largely to IT/OT convergence. When combined with a skill gap in engineering to manage and secure increasingly networked OT environments, further strain is put on IT and security professionals.
III. Resources are limited; threats and risks grow exponentially, and organizations lack clarity on what their crown jewels are. Industrial operators often don’t have a strategic view of how to secure their most valuable assets in the short, medium and long term.
Why? Because security organizations managing an ever-expanding security surface are typically consumed with reactionary activities based on perceived risk. It’s like being on a treadmill that won’t slow down or turn off. You think you have to run faster just to keep standing still.
Breaking this cycle is key to building a sustainable cybersecurity program. When deploying controls to address risk, companies should stop and ask themselves if there is a better way to mitigate risk. Is there something that can be done to provide ongoing security controls to help address tomorrow’s threats?
Building Organization-Wide Cyber Resiliency
1. Adopt Cybersecurity Best Practices
To transition from reactive to proactive, consider adopting best practices such as those outlined by the NIST Cybersecurity Framework, NIS Directive, IEC 62443 and ISO 27000. NIST maps out five security framework functions – identify, protect, detect, respond and recover, that can be incorporated into operational processes to address cyber risk. Identification includes asset management and risk assessment, while detection includes continuous monitoring and insight into anomalies and events, among other functions.
2. Score Your Cybersecurity Risk
Organizations should be able to quickly know and understand their exposure level to a specific vulnerability or common weakness. Effective risk scoring using the Common Vulnerability and Exposures (CVE) method, is a good way to do that.2 Note that CVE scoring is not always the ultimate indicator of risk; organizations should be able to tailor risk scoring to their specific environment. Appropriate tooling is required to do this, because without visibility deep into the OT environment, it’s really difficult to adapt CVE scoring to reflect the context of each specific environment. The Nozomi Networks Guardian solution is a highly visual tool that provides this deep level of visibility, along with the ability to clearly communicate risk-based decisions across an organization.
3. Establish a Governance Model, Train Security Resources
Cybersecurity involves people, process and technology, yet people form the largest part of any security control program. Examples of human-generated operational risk include: the use of weak passwords, device configuration errors, and forgetting to remove a contractor’s access after they’ve left the organization. Because accidents happen, it’s critical to incorporate cybersecurity governance policies and programs into daily company life.
Beyond corporate governance, it’s also important to keep your security team’s cyber skills current. Unfortunately, many security practitioners don’t have time to develop their skills because they’re focused on keeping up with current threats.
However, the recent SANS 2019 Cybersecurity Research Survey found that one-third of organizations are planning to invest in cybersecurity education and training for IT, OT, and hybrid IT/OT personnel. Programs like the Nozomi Networks Certified Engineer Training course is a great first step towards improving cybersecurity knowledge for IT and OT personnel.
Hackers are constantly moving between tools, tactics and procedures (TTPs) to stay ahead of the game, and security professionals are often one step or more behind. So, what’s the best solution – taking one day a week for ‘personal development’? Sadly, this just isn’t an option for many. Which brings me to my next point – leveraging technology.
4. Leverage Technology
Technology should be used to empower people, enabling them to follow and adapt procedure as the threat landscape evolves. But the extended evaluation and procurement cycles for technology that help to build a proactive security posture can take 12 – 24 months, particularly in OT. During this period, security staff continue to burn resources reacting to perceived risks and threats.
But there is some good news. AI and machine learning now play a pivotal part in building a sustainable future for cybersecurity, and organizations are becoming bolder in their selection of advanced technology. For example, the Nozomi Networks solution automates real-time OT visibility, threat detection and cybersecurity, taking a load off the shoulders of IT and OT security staff.
Reduce Burnout and Cyber Risk through Training, Prioritization and Technology
Is there a looming risk of security professional meltdown? I’m not sure of that, but I am sure about one thing. Burnout results in highly skilled and scarce resources becoming ineffective, which could cause them to miss malicious activity key indicators. All of this leads to inaccurate assessments and the inability to provide proactive guidance on controls to address risk, perpetuating the endless cycle of playing catch-up against hackers and cyber criminals.
Organizations can mitigate risks by (1) obtaining and training more resources, (2) focusing on the bigger picture priority tasks and (3) leveraging technology like the Nozomi Networks real-time ICS visibility and cybersecurity solution to support the limited human resources available.
If you’d like to explore how Nozomi Networks can help your organization build cyber resiliency, simply contact us.
- Industry Report: “Cyber Security in 2019: End the permanent state of high alert and start your journey to reduced complexity”, Symantec, 2019.
- Industry Blog: “How does the CVE scoring system work?”, Tech Republic, June 2019