With the increased demand for remote working and connectivity due to the coronavirus, the role of an internal security operations team is becoming increasingly challenging. Teleworking, the volume of data, the number of systems, the complexity of networks, and the sophistication and capability of the adversary have all grown faster than our capacity to respond.
With many organisations being forced to bench any contract staff, security operations teams are often overloaded, under resourced, and jumping from crisis to crisis. Articles and presentations have started to capture this concerning trend.
Each day can seem like walking through the egg room scene in Alien. Any moment, the next face-hugging threat can burst forth and attack.
The tricky challenge is to balance the need to apply business context to security events and controls while also leveraging external capacity and skills, introducing automation for efficiency, and reducing monotony for internal teams by outsourcing repetitive or generic activities.
Here are some suggestions to consider when filtering and prioritising security issues as they arise:
What is the potential real business risk or consequence, and who (and how many) will be impacted? This requires an understanding of not just the number of customers in a given system but also the type of service and business conducted (e.g. private banking).
How long has the security issue / vulnerability / event / threat been present, and has the impact grown, stayed the same or decreased? A new, fast-growing threat may need to be addressed more quickly because established controls are lacking and the threat may still evolve.
What is the point of decision / action, when must it be made, and by whom? This is especially important to know. Some decisions can and should be made long in advance of an incident. Ask each system / service / information owner to agree in advance on the conditions for 1) declaring a security incident (e.g. compromise of a single account vs website defacement), and 2) requiring immediate quarantine or shutdown.
Are we equipped (capacity, skills, tools, services, organisational mandate) to address the issue? No orchestral conductor would perform without a good understanding of the music being played, the capability of the musicians and the instruments they have; likewise, security teams need a plan and access to (and competence with) the right tools and external services.
Are there larger controls that we can or should leverage (e.g. DR, BCP, etc.)? Sometimes the response is much larger than just the security component and will require organisational coordination (e.g. HR, Legal, PR, contact centres, etc.).
If we have high volume and low impact for a particular event type (e.g. phishing), can we create playbooks or leverage automation (response and recovery)?
If we have low volume and high impact for a particular event type (e.g. DDoS), can we leverage defensive (preventative) controls?
Have we considered long-running or concurrent incidents, e.g. by having shifts or delegated working groups?
As an important side note, the issue of mental health and PTSD is serious and affects many people. If you or someone you know needs support, take a look at Beyond Blue.
If you would like to talk to us about services to reduce your stress and effort in managing cybersecurity, get in touch.
Author: Clinton Smith