

ENTERPRISE SECURITY REQUIRES A GOOD TEAM


OPEN-CISO





ENTERPRISE SECURITY REQUIRES A GOOD TEAM

Because of breaches, data leaks, ransomware, Denial of Service, and many other
modern cyber threats, companies today invest more than ever in cybersecurity.
Instead of just throwing money at the security team and hoping for good results,
it is worthwhile to invest deliberately in building a security team and managing
it for benefits that outlast a company's annual operating expenses. Security
will only have an impact if it is planned smartly. That is a challenge because
security earns 'invisible' money: the funds you don't lose. Nobody knows how
much you would lose in a ransomware attack, and with a good security stance you
will never find out. That makes it hard to gauge your return on investment, and
hard to measure what a security team contributes to your enterprise's security
posture.

So start by gaining visibility into your security posture, then use this
step-by-step guide to build an effective security team and to quantify how it
affects the overall enterprise security posture.


STEP 1: BUILDING A TEAM

Before you even begin to hire, ask what roles you should be hiring for. Here is
a list of typical security team roles and what they do:

Security Engineer - Someone specialized in the security aspect of an otherwise
conventional engineering profession, e.g. a software engineer or DevOps
professional who specializes in security.

Pentester - An ethical hacker who uses the tactics of cybercriminals to find
vulnerabilities in your networks before the bad guys do.

SOC Analyst - A security professional who reviews logs and network activity,
staying vigilant for anything possibly malicious.

Forensics - A specialist in reverse engineering who can figure out how attackers
got in, recover data, and find things that are meant to be hidden.

Of course, there are many other specializations, especially at an enterprise
level, but these are nearly universal roles you'd expect to see in an enterprise
security setting. If you are missing any of these, consider meeting with a
manager from the security team to figure out why. The odds are, they'll already
be aware that this is an issue and be happy you care about it.

Hiring security pros works just like any other engineering hire, with two
significant caveats: word of mouth matters far more, and Hacker News has
monthly hiring threads full of hidden gems waiting to join your team. So if
you're having trouble finding the right professionals, ask your current
security team whether they know anyone suitable who is open to joining. If that
doesn't work, consider posting in the monthly hiring thread on Hacker News.

Interviewing security pros is straightforward: make it hands-on. Show them a
realistic (but not sensitive) log excerpt or piece of code and ask them to
explain what it means or to find the vulnerabilities in it, depending on the
role. Have your existing security team sit in on such interviews; they will help
you judge the quality of the candidate's answers. The key point is that the
interview should be built on practical, realistic tests, not just theory.


STEP 2: INTEGRATING SECURITY TEAM INTO THE COMPANY

The first step is a trial by fire: let the security team do a full penetration
test of the company. This is a good way to find issues to work on and thereby
improve your security posture, and it is the best way to introduce the team to
every part of the company. You don't want dark spots in your threat model, and a
pentest is the ideal way to bring the dark spots you currently have to light.
Given how much security professionals enjoy so-called 'red team' work, this
suggestion will probably be well received by your team.

After the pentest, organize regular meetings between your security team (not
just the manager!) and key team leaders throughout the company, so the security
team can ask questions and probe possible weak points. This will also help the
team work out what they will and will not need access to. Adhere to the
principle of least privilege: don't grant direct access to anything unless you
have to.


STEP 3: SUCCESSFULLY MANAGING AN EFFECTIVE SECURITY TEAM

What does effectiveness even mean for a security team, and how can you as a
leader measure it? Because of the nature of security work, the best yardstick we
have for performance is adherence to industry best practices. Are they running
regular internal pentests, a public bug bounty program, code reviews, a Security
Operations Center, and the other fundamentals of good enterprise security? If
not, talk to them. Sometimes a company has good reasons to depart from the
generic formula to meet its unique needs, but you should find out whether that
is the case. Assumptions are the enemy of good security.

Once you can measure your team's effectiveness and begin to do so, you will
inevitably run into budgetary concerns. How much should you pay for security?
Be generous with two things: salaries and tools for engineers. That's it.
Competitive salaries attract top talent, which has a multiplicative effect on
the productivity of everyone on the team. As the famous security engineer Guy
Alfs said, five strong engineers can get more done in a day than fifty weak
engineers will do in a week. Those great engineers will need state-of-the-art
tools to do their jobs efficiently and to be happy. Spend more on this up front
and you will spend far less on everything else.

But what about big, expensive third-party security tools that promise 10x
coverage, 365 days a year? Be skeptical and cheap. Not all of these tools are a
waste of money, but most of them are. Talk with your engineers to find out which
products are actually saving money and keep those; cut the rest entirely. The
same applies to your team. No one wants to be the bad guy, but if employees are
underperforming against these standards, make the hard decision early and let
them go. Rather than investing a little in mediocre talent, invest in the
overperforming engineers you still have. Be grateful to them and they will be
loyal to you.

Management is not easy. Most people want the certainty and comfort that comes
from following a great leader; being that leader means being the bad guy when
budget cuts inevitably come knocking. Those hard decisions are what separate
leaders from everyone else, and as a manager, people look to you for strong,
confident leadership. None of the steps above are easy, but if you have the
courage and resolve to implement these principles in your enterprise security
department, your team will be happier and the company will be orders of
magnitude safer as a result.

At the End - Only People and Practices Matter


COPYRIGHT © 2022 FNCYBER, INC. ALL RIGHTS RESERVED.