Within the span of six months in 2017, CISO Eric Schlesinger watched his company Polaris Alpha balloon from 150 employees to 1,500 workers after three companies merged and three more were acquired. Schlesinger faced several daunting challenges, starting with being a prime target for cyber attacks because the company provides mission solutions to defense, intelligence and security customers, including the federal government.
“Part of that rapid IT integration comes with inherent risks. When it goes so fast, sometimes security wasn’t necessarily keeping up with the pace of IT,” says Schlesinger. How could he take six different companies, with six different networks and security teams and create a single, dedicated security function that could partner and scale as the Polaris Alpha network was being scaled out?
Like most small to mid-size firms, the acquired companies had relied on investments in tools for their cybersecurity. But integrating multiple tools from six companies wasn’t going to work.
“We realized early on that tools were just part of the investment, but not the ones driving our security,” Schlesinger says. “It needed to be based on the people, methodologies, workforce and processes that would allow us to scale from 500 to 1,500 people, and now to the 15,000 people we have today with Parsons acquiring us [in May 2019].”
You need a strategy
Schlesinger spent the first months wrapping his arms around the new organizations. Did he have the right people? What were the tools that were there that could be repurposed?
Next, the company’s integrated network security team adopted a standard US Department of Defense (DoD)/Defense Information Systems Agency (DISA) model and applied it to the processes used by the company to defend its corporate network. “It creates a workforce structure that is clear on how that ecosystem has to work, and gives individuals a very clearly defined purpose, and clearly defined procedures and workflows,” he says.
While this mega-merger represents an extreme case of scaling a security organization, most organizations still need the ability to scale security quickly, and not just due to M&A, new business innovation or new ways of interfacing with customers.
“We’re in a very highly interconnected world with a vast, constantly changing and growing attack surface, which makes the scope and scale of what you’re trying to do from a cyber standpoint ever-growing,” says Emily Mossburg, cyber risk advise and implement leader, and principal at Deloitte Risk and Financial Advisory.
CISOs and security consultants offer the following tips for organizing your security operation to scale.
1. Create a ‘battle rhythm’
The adoption of the DoD model created a “battle rhythm” for Schlesinger's team and shifted their work from reactive to proactive. The joint security operations center (SOC) now has four “quadrants” — Protect, Detect, Respond and Sustain — with two full-time network defenders assigned to each one.
In the Protect quadrant, analysts handle risk assessments and vulnerability management.
Analysts on the Detect team look for indicators of compromise via alerts or by manually checking logs, looking for anything out of the ordinary.
“Within the first 15 minutes, if they believe it’s something bigger that needs to be responded to, then they send it over to the Respond team,” Schlesinger says. The goal is to move the compromise up the security chain quickly so the Detect team can continue looking for additional problems — attackers often use a smaller event as a diversion for a bigger compromise while the security team is preoccupied. Respond analysts then take all necessary actions to stop the threat.
“Getting the Detect function correct — to find, document and move it — is critical,” he says. “If we’re not getting that right, we’re not closing our security gaps.”
Finally, the engineers on the Sustain team support those three functions and ensure that all the tools and infrastructure are maintained and running.
Of course, all the traditional security tools — endpoint protection, intrusion detection and prevention, data loss prevention, traditional firewalls — are being used, but the most critical investment Schlesinger made was in the company's security information and event management (SIEM) tool. “It’s a single pane of glass as we’re collecting all those logs and ingesting them and making decisions on whether we have a point of compromise and whether we need to respond to it or not.”
Parsons acquired Polaris Alpha in May, and the new network defense model is being adopted as part of the workforce structure inside Parsons’ corporate security team. “Parsons' network is 10 times bigger than Polaris Alpha’s, but by having sound processes and methodology coupled with the right tools, I don’t need to double or triple the size of the team,” Schlesinger says.
2. Pare down tools
Kevin Richards was Accenture’s global lead of security strategy when he helped reorganize and scale the security operations at a pharmaceutical company that acquired another pharmaceutical company, which had been spun off from a third pharma that still had ties with some of its services.
Complexity is the enemy of good security, says Richards, who is now managing director and global head of cyber risk at Marsh LLC. “We all agreed that we can’t have three SIEMs and four antiviruses and three different identity management products,” but each organization had its own vendor preferences. “We wanted common, global, simple, so when we got down to two to three competing products, we just got in a room and had to pick.”
The combined team eliminated almost 60% of the security tools they used. A side benefit: the reduction in tools freed up more than $1 million from multiple, redundant licenses, Richards says.
3. Repurpose people
As part of the acquisition, the parent pharma created a new hierarchy that would align better to the new business, which created a lot of new product areas and regions. It also gave Richards the opportunity to revamp the security team for the future — without losing any cybersecurity staff, except for one of the two CISOs.
“Everyone got assimilated in, but they weren’t necessarily in the same role,” Richards says. For example, “We didn’t need two heads of SecOps, so one took on an architecture role, and one took more of an operational role.”
They also created some new roles, including a cyber innovation lead “who plays with new technologies and figures out how we could leverage those in our new construct,” Richards says.
They also created a new position around government and regulatory relations “to have a better hold of all the new data protection and privacy regulation requirements worldwide” in the pharmaceutical industry as the company expands its footprint globally.
4. Consider outsourcing
The growing breadth and scope of cybersecurity can often outpace the capabilities of many organizations. Those companies should consider new channels for closing security gaps, including third-party security providers, Mossburg says.
“Just like many organizations decided they didn’t necessarily want to maintain all of their networks and infrastructure, I think we’re starting to see that same awakening around cyber,” Mossburg says. Using contractors, or outsourcing entire capabilities, can be more efficient and often can deliver at a higher service level.
A 2019 Deloitte survey on the future of cyber shows that organizations are willing to rely on third parties to help address security gaps. Nearly two-thirds of CISOs (65%) outsourced 21-30% of their cyber operations. The top cybersecurity functions outsourced to third parties include vulnerability management functions such as attack surface reduction, threat hunting and threat intelligence, training and awareness, insider threat detection and application security.
Many organizations need a little bit of help in a lot of places, according to the report. To develop a well-rounded cybersecurity program, organizations should partner closely with suppliers, industry associations, governmental agencies, academic institutions, researchers and other business partners.
5. Involve the entire organization
In order to detect and stop cyber attacks as they grow, the security organization needs the rest of the enterprise to help. “It cannot operate by itself,” Mossburg says. “Educate, train and drive awareness and some level of accountability related to these risks outside the boundaries of the [security] organization.”
All of these steps require a healthy relationship between security and the business, Schlesinger says. “Sometimes you have to isolate the team because they’re dealing with sensitive information, but we are a customer service organization. We don’t want to be the ‘business prevention department,’ just saying no, but educating people and supporting the needs of the business,” Schlesinger says. “Tools come and go. Invest in people.”