“Having a circuit of walls was not always much protection if they were not maintained or if there was no one organized enough to defend them”
Adrian Goldsworthy – The Fall of the West: the Death of Rome
I will let you in on a secret. Castles can be bypassed. Walls can be scaled. It’s the fact that they are manned by defenders that turn them into defenses.
Castles were not built to keep an entire geographic area enclosed and safe. They were strategically positioned to safeguard critical points, such as trading routes or borders. More importantly, they were built to house the troops that did the actual defending. Walls were never intended to permanently keep out an enemy (see the great wall of China or the Roman Limes as examples of this approach failing). Instead they were designed to slow down adversaries, and funnel them to choke and control points, to where the actual defenders could defeat them.
We try to build walls and castles out of technology, but like stone and mortar, these are just inanimate matter. They are tools, and tools are used by people. Yet many organizations erroneously believe that it is these virtual walls that will protect them from hackers and breaches.
It doesn’t matter that you have the digital equivalent of moats and turrets, the UEBAs and EDRs of the cybersecurity world. You will still need those people on that wall. And the longer that wall is, the more people you will need.
I am sure my experience is not unique, but I have spoken to many organizations in my time at Gartner planning to buy a security technology without factoring in the people that will be required to effectively operate it. SIEM would be the most obvious example. It’s a tool to enable security monitoring, but it doesn’t do the monitoring for you. You can automate some of the tasks, but we all know the current limitations and shortcomings of that approach. Even what is misleadingly called Artificial Intelligence doesn’t replace people. It augments them. We don’t have a brain in a vat yet, and we may never. We can make our people more efficient and we can automate away some of the more menial tasks. We may even be able to use machine learning to compute an analysis that a human would take millennia to do manually, or could not do at all due to complexity. But somewhere along the line a human will be needed to do the rest. In addition, the more that we automate the easy tasks, the more complex and demanding the remaining tasks will be.
In addition, people must be skilled and experienced. What is frequently overlooked and underestimated is that they also need to be motivated. To throw in another quote, this time by Socrates, “A disorderly mob is no more an army than a heap of building materials is a house.”
As an example, many organizations believe that their network security engineers will be sufficient to also conduct threat monitoring and incident response. Yet the required skills are very different, and not transferable. A good analogy is the difference between an airplane mechanic and a fighter pilot. The mechanic may be able to fly the fighter jet in an emergency, but you wouldn’t want to send him into a dog fight. That demands a different set of skills and expertise.
The typical job ad for a security professional outlines a random assortment of certifications and skills, primarily based on the technologies that a company has inorganically acquired and deployed and a diverse list of security requirements. The person should preferably be certified as a CISSP, and because he should also be able to execute penetration tests, must have a CEH as well. The person should also be cheap, and willing to work in a junior role, resulting in over-qualification by design.
Like the smallholders’ mythical egg-laying milk wool pig, this motley assortment of skills is rarely found in a single person, and some are even contradictory. There is no mythical cyber security super ninja who will work for peanuts. And there is no such a thing as a “Security person”, much like there is no such thing as a “Business person”. The predictable result is that junior roles are left unfulfilled and many candidates exaggerate or lie about their experience. It has also resulted in a security certification industry composed of diploma mills, with every vendor offering their own certifications. We have replaced domain experts with product idiots.
In a market where demand outstrips supply, this approach especially yields little success. Unrealistic expectations will always lead to disappointment. Scarcity and luxury together result in a high cost. If you can’t afford this cost, you must compromise or get creative with alternative solutions instead.
Acknowledging that a firewall expert is a firewall expert, and his skills are transferable from one firewall product to another is a right step in that direction. Understanding that a firewall expert is rarely also an expert in application security is another one.
To fulfill all the requirements that modern cybersecurity demands, this means that enterprises need to hire for a more diverse skill set across a security team, rather than trying to find a super ninja who can plug all gaps. It also means that the focus must be on security domains, rather than specific product knowledge. Plugging any remaining gaps with external service providers will also work better than trying to find a single person who can do everything and knows everything, except his market value.
Cybersecurity technology can act as a force multiplier, automating menial and trivial tasks, but this still requires a force to multiply. And while technology can make challenging tasks easier to accomplish, it doesn’t accomplish them for you. That still requires people, and will for some time to come.