Chief security officer at Adobe, overseeing all security-related decisions and investments across the company.
getty
In the early cybersecurity days, working as a professional strategist was viewed as a part-time endeavor, with these skills often put on the back burner for other corporate priorities. These skills and roles have evolved to the point where companies are building sub-teams of IT specialists, which lead to larger teams of IT gurus. More recently, security has earned its rightful seat at the table as a key business partner.
Continuously changing cyber threats and more advanced adversaries highlight the need for a comprehensive, balanced security team that can showcase both offensive and defensive efforts.
It’s The Sum Of Its Parts
The security field has become a thriving landscape for many roles. Each area of this field is crucial and requires its own unique set of skills, all of which complement each other. These areas include the following:
• Offensive: This area includes red team initiatives, vulnerability intelligence, application security, bug bounties and pen-testing. The process begins with offensive teams identifying potential adversaries and handing off those findings to their defensive counterparts.
• Defensive: This area includes a security operations center, security engineering, threat intelligence, incident response, threat hunting and tools development. The defensive team provides the offensive team with assets to feed into their systems, which they can leverage to fine-tune their detections.
• Governance, Risk, And Compliance (GRC): This area includes program governance, risk management, maturity ranking and compliance functions. In tandem with other teams, the GRC team continuously sources their success and maturity models to gauge needs for potential improvement across the enterprise.
• Delivery: Security project management offices (PMO) have several levels of specialists, including security partners, project/program managers and risk managers. The delivery team utilizes offensive, defensive and GRC findings to track and enforce service-level adherence (SLA).
In practice, this coordinated and collaborative process involves red teams constantly running live operation campaigns to simulate real-world adversaries, leaving incident responders wondering whether they’ve discovered a hacker or a red teamer. Top potential vulnerabilities should be tested by security researchers to determine real-world leverage potential, adversary intelligence automation and tooling catalogs to define attack vectors for red team campaigns. This feeds to application security developers’ prototype findings and should be mapped against feedback from bug bounty partners, red teamers and intelligence feeds.
This iterative wheel lets groups hand off their findings to the next, maintaining a constant balance between program components and verticals.
The Best Defense Really Is Good Offense
World-class security programs that successfully cover enormous attack domains are able to catch potential gaps quicker. These are often the most successful teams because they focus just as much attention on building out their offensive security capabilities as their defensive capabilities.
Not utilizing an offensive security team can lead the defensive team to only explore “what if” scenarios that security vulnerability scanners provide. In essence, they’re left doing double the work by risk ranking vulnerabilities while also trying to defend against attacks. This makes them slower to catch vulnerabilities and can lead to burnout.
Teams need to get on the field and scrimmage with both offensive and defensive strategies to ensure continuous innovation. In the end, leaning purely on automated tools designed and built by penetration-testers and scanning for potential misconfigurations and targets can take weeks, whereas adding offensive aids to find potential vulnerabilities will make things move much faster.
Balance The Culture
Balancing offensive and defensive security programs can dramatically shift a company’s culture if the right plans are in place. Offensive team members should be given the freedom to explore and identify vulnerabilities that have a high likelihood of being leveraged in the real world. Culturally, this creates an environment where defensive teams stay vigilant and can exercise their incident response chops.
This strategy also opens significant career opportunities for your team, as defenders can transition to attackers, attackers can become app security developers and penetration-testers can become defenders. Training should also be built into the process, as offensive and defensive teams can work together to explore how each offensive campaign played out.
It can be very rewarding when a red teamer is caught or a potential threat is identified, especially when the time to detect and defend against that threat is also reduced. Investing in a balanced program improves security overall and shifts your team culture to a more gamified environment that’s fun and rewarding.
Scoring Is Good, But Dialogue Is Priceless
When gamifying and balancing a security program, you need to keep track of how well you are doing, which can seem like a daunting process.
No doubt, security metrics and dashboards are useful, but I’ve found that keeping score is less important than the process of scoring. Scoring helps leaders see their peers’ challenges, exchange ideas and improve collaboration — all of which will lead to better solutions. It’s nice to have a score that tracks improvement over time, but it’s really more about having a productive discussion and recognizing growth opportunities or warranted high-fives.
In the end, trying to find the balance between offensive and defensive security is not easy, but the benefits can pay dividends. Security key metrics are an important part of rating the maturity of any program, and it’s important to establish those scores — but they are worth far less if not accompanied by dialogue. Tailoring reporting metrics to match the specific goals and needs of your team can help them flourish and establish foundational benchmarks that improve your overall business strategy.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Follow me on LinkedIn. Check out my website.