Five questions to ask about security people in a world saturated by security tools

By R. Greenwood, Security Strategist, Carbon Black

We use tools every day to do our jobs. We lose sight of this in our hectic lives with all the noise around us, but we need to consider that tools are used by people, and some people operate tools more efficiently than others.

This is not an indictment of the people or the tools, rather it’s a reminder that a tool is only as good as its operator.

A recent article from US-CERT provides guidance to CISOs around good security hygiene. One of the items that stood out in the best practices was item six on the list: ‘Retain good quality people.’

In my view this should be number one on the list. Why? Because all the other items relate back to the people who are either administrators in the environment, or using tools. As vendors and as customers, the human element gets lost.

One of the biggest mistakes we see happening is that the people get overlooked or there is overconfidence in their skills. We have to remember that the tools will only ever be as good as the people using them.

With the best tools in the world, if the operator does not know how to use them properly, their value will never be realised. When this happens, an organisation will quickly find itself in a cycle of wash-rinse-repeat evaluations of tools. This can cost time and money, both of which are in short supply for most companies.

So next time you evaluate different tools, take time to evaluate the people using those tools.

Does this mean you don’t have faith in the people you hired? No, but it does mean you should check what they are capable of before a situation develops into a time of need. Would you buy a motorcycle for someone who has only ever driven a car? Could they ride it? Probably, but would they get the most out of it? Doubtful. The tools you invest in are no different.

So how much do you invest in your people? You might be willing to spend a lot of money on tools yet very little on people, outside of compensation and benefits. We all know there is a skills gap, and when you do find good people it can be hard to retain them.

While this seems like common sense, the problems still persist. Worse, there continues to be a mindset that tools can make things easier. Yet ease of use is relative to the operator of the tool. A skilled operator will get the full value out of the tool, whereas a partially skilled operator will get only a percentage of that value and will likely cost more money in the long run.

So remember item six on the best practices for CISOs – find and retain good talent.

Security operators are as critical as having CPAs in accounting, MBAs in finance or other high-priced specialised people running an organisation. The failure to invest in and retain talent can result in costs far exceeding what you would have paid upfront: just think how much a breach costs.

Additionally, keep your people active and keep them trained. Finally, when you bring in tools for evaluation, also evaluate the team using them. Are they more interested in ease of use vs. value to the organisation? If so, maybe you have a skill problem rather than a tool problem.

Here are the five things to think about:

  1. How much training, outside of tool training, do you offer?
  2. Outside of the day-to-day job rigours, what do you do to keep your team’s skills sharp and minds engaged?
  3. Do you know what motivates your people? (hint: it’s not always money.)
  4. What keeps people at your company?
  5. When testing a tool, do you test your people too?

Score five out of five and you will sleep better at night! Otherwise you might be in for nightmares!