The global shortage of cybersecurity talent shows no signs of abating, making it harder than ever for smaller businesses to compete for qualified talent. But even if prospects were available and even if you had unlimited budget, throwing resources at the problem would not be the best way to address your security challenges. Instead, we recommend coordinating your limited resources and rethinking security as a shared mission for the entire organization rather than a discrete department.
If you’re facing limited resources and security talent, you can still run secure by following best practices for getting the most out of what you do have. Here are four or our recommendations for running lean in the cloud.
1. Create a Culture of Security
“If you see something, say something.” Just as transportation security relies on passengers to speak up when they spot something suspicious, organizational security benefits from empowering all employees to identify and report anomalous activity. As we have written previously, implementing a security awareness program is an excellent way of educating all employees, from entry-level to executive, about security issues, thereby transforming potential weak links into security ambassadors.
To be effective, you need to make security training an ongoing process, continually keeping employees apprised of best practices and reminding them of their responsibility to apply them. It is also important to tailor training to specific roles, since the threats leveled at developers, for example, are generally quite different from those your marketing team or sales force may encounter. A good security awareness program also requires a simple means of allowing employees to communicate and receive information about potential threats (e.g., a dedicated Slack channel). Creating this type of organization-wide approach to security can significantly bolster your defenses, and the approach is particularly helpful when you lack the resources for a dedicated security team.
2. Build Security Into Daily Processes
Readers of this blog are familiar with our evangelism on applying DevOps practices to security, and this approach is highly relevant when you don’t have the option of hiring additional security team members.
How does it work? Just as organizations have increasingly “embedded” DevOps into cross-disciplinary teams rather than keeping development and operational practices isolated in separate departments, security should be integrated into the daily processes of every team and department.
This is probably most relevant for development and operations pros, since a DevOps culture that doesn’t have security built in slows down releases because additional time needs to be added to the total development cycle so security issues can be dealt with. If security is not integrated at the outset, it will either be left out altogether or will be added on at the end, thereby undercutting a key competitive advantage — speed to market. This is especially important on teams that must run lean by necessity.
3. Automate Wherever Possible
One of the best ways to use human resources wisely when they are scarce is to optimize what they are spending time on. In the world of security, this means automating as many time-consuming and routine tasks as possible, so humans can focus on more strategic work.
Manual threat hunting and analysis is time-consuming and prone to error. It can also be boring, and can therefore burn out employees. Automating routine security tasks, on the other hand, leaves your people available for the important work of analyzing and responding to attacks, allowing them to do their jobs more quickly and accurately. In our view, using a comprehensive platform for security monitoring and intrusion detection is one of the fastest, most scalable ways to upgrade your security posture while making the most of limited resources.
4. Hire Smarter
If you’re having difficulty finding security talent due to budget limitations or simply because there aren’t enough candidates to go around, consider getting creative in your hiring efforts. For example, recent college graduates can quickly become valuable team members with the right training — and they’re available at a fraction of the salary a security veteran commands. Building a strong pipeline of candidates through a paid internship program is also an effective way to future-proof your business against the security talent gap. For additional tips on sourcing security talent, check out our blog post Where to Find Security Talent and How to Keep Them Happy.
Another rich resource for affordable talent stems from the boom of online learning courses (MOOCs) and specialized training platforms like General Assembly. Connecting with online and local educational organizations can be an effective way to scout security candidates who are up to date on current issues and technologies.
A third alternative is “hiring” from within. Faced with the exorbitant cost of security “experts,” many companies have adapted their talent search to identify internal prospects who are currently in tangential roles like customer support or operations. This approach dovetails nicely with the practice of making security a company-wide practice. If you create a culture of security at every level, in every department, you reduce your current need for expertise while grooming the potential security specialists of tomorrow.
Final Words . . .
Smaller organizations are always scrambling to identify effective ways of using scarce resources. When it comes to ensuring the security of your data and systems, there is really only one path to follow. Rather than provide limited or incomplete security, a proven best practice is to develop a lean security strategy that distributes security functions throughout your organization and maximizes the effectiveness of all of your resources.
For guidance on how to build a successful security program using lean security principles, download our latest eBook: Lean Cloud Security: Your Guide to SecOps Efficiency in the Cloud.
Lean Cloud Security
Learn how you can make the most of your people, processes, and technology.