Staffing the security teams of the future requires discarding the playbook that’s currently followed when hiring defenders. Too often, companies hire people with similar backgrounds, whether it’s someone with extensive IT experience or a career spent setting up firewalls and defending networks. While possessing these foundations is very useful, diversity, stamina and the courage to speak up when something is wrong are some of the characteristics that are just as critical and will only become more important to possess as the threats advance.
Adversaries realize that diverse experiences help hacking operations. To them, diverse teams with different perspectives increase the likelihood of the attack succeeding. To breach a commercial bank, for example, the team will have someone with a strong knowledge of how commercial banks - and perhaps this particular one - operate. They could also be team members with strong technical knowledge on how to hack into IT equipment that’s used by the financial services industry. And, of course, there are experts with various technical capabilities to help the team approach attacks in different ways and switch gears if one tactic isn’t working. This could be someone who specializes in executing malicious scripts using PowerShell or developing social engineering campaigns for infiltration.
Hiring people who went to the same college, worked at the same companies or have the same approach to keeping an enterprise safe means an organization will likely end up with a team that handles security in a similar manner. And if the security team thinks alike, there’s a chance they’ll miss the same security issues.
Look for people who have worked at different companies and have experience fighting a multitude of threats. Don’t shy away from a candidate who worked in different verticals. After all, threats don’t have boundaries based on industries. Consider hiring candidates with military or government backgrounds since they’ll have a totally different view on how to defend a business. People with this type of experience are typically very familiar with nation-state attacks and cyber-crime organizations and understand the inner workings of offensive operations. Enterprises can greatly benefit from security professionals who know how the enemy thinks and can apply that mindset to defending a company.
Security demands endurance
Today’s hackers are - and will continue to be - persistent. Their job, after all, is to constantly launch attacks until one is successful and, once inside a target, ensure the operation remains successful. They’ll launch decoy attacks and use other deceptive tactics to throw off defenders and go undetected in a network for as long as possible.
The good guys need to accept that security is a long game and be equally resilient at protecting their organization as the bad guys are at attacking it. Defenders can’t get discouraged when an adversary makes it past their defenses. This is an opportunity to examine and learn about the attacker’s techniques and use this information to bolster a company’s defenses. For example, if an incident investigation revealed that attackers moved laterally to machines by using administrator accounts, the company could limit who has administrator privileges. Treat a hack like the beginning of a security operation, not the end.
People shouldn’t be scared to bring up potential or actual security problems, even when this means notifying executives about a breach. Sadly, not everyone in the security community shares this view. There’s the perception that mentioning an incident, particularly breaches, will result in people losing their jobs. Additionally, figuring out how to add more security to a product is sometimes discouraged, particularly with developing consumer IoT devices, since incorporating security is equated with hindering product development and sales.
Ultimately, not addressing security concerns only makes an organization less secure. The longer a breach goes unreported, the more data the attacker can exfiltrate. And when security isn’t incorporated into a product from its initial design, the result can be a massive DDoS attack powered by IoT devices that impedes Internet usage globally.
Follow a different script
Strong IT skills or experience with traditional security applications are advantages for someone pursuing a security career. But in the future, protecting organizations will require diversity, stamina and outspokenness. Professionals who and companies that realize this now and discard the skills playbook they’ve been following when it comes to assembling a security team will be best suited to handle the advanced threats on the horizon.
This post was originally published at the RSA Conference Blog