Mind the Gap – Measuring the Skills of a Security Team

When a CISO joins a new company, they will typically inherit a sizeable security stack – a portfolio of solutions that grows with the arrival of every subsequent CISO. Indeed, a recent report found that the average CISO has to contend with more than 50 unique security tools. 

Determining which solutions they possess, and where they are protected and where they are not, can be a resource-intensive process. Until this audit is complete, CISOs are blind to the gaps in their organization’s armor. While auditing an organization’s security stack may be complicated, it is at least possible to categorize technology solutions and to benchmark and measure their features and performance.

Conducting a similar audit of an organization’s security team is far more difficult and nuanced. Identifying whether a company has a security skills gap isn’t as simple as ensuring there are enough employees with certain job titles. When attackers are constantly updating and changing their methods, it’s vital that a company’s security team can keep pace. Measuring an organization’s cyber skills, then, is as important as measuring the health of its security stack. 

The right mix
Fully protecting an organization’s attack surface isn’t easy. Just as there’s no single type of attack vector, there’s no single type of security expert; for example, a web security specialist might lack digital forensics knowledge.

Labeling someone a “cybersecurity expert” therefore doesn’t do them any favors. At best, it’s a generalization that could limit an employee’s progression; at worst, it could put the company they work for at risk.

CISOs understand this. They appreciate the broad scope of work involved in ensuring an organization’s cybersecurity. After all, at some point in their career they will have had first-hand experience of a DDoS attack, dealt with the paralysis inflicted by ransomware, or been called on to minimize the potential damage of a data breach. They know only too well that what matters most to an organization’s security is the experience and expertise that lie behind such vague job titles.

As a result, CISOs will want to ensure they have the right mix of appropriately skilled people on their team, and they will want to ensure that, in an environment where methods of attack are continually evolving, there are no gaps in that team’s knowledge and skills.

Training and measurement
Cyber-criminals are extremely innovative when it comes to devising and deploying methods to bypass the latest security solutions – often as soon as those solutions are released. Security professionals must therefore be given the chance to continuously hone and update their skills if they’re to keep up with the emergence of new threats.

However, ensuring security teams develop the skills they need to be more effective is only one aspect of efficient training. It’s just as important for CISOs to identify and measure skills as they’re acquired, and to understand how those skills best align to their organization’s security strategy. 

Spotting skills at a glance
The MITRE ATT&CK framework is a comprehensive, structured matrix of real cyber-attack techniques, tactics and procedures, used by threat hunters and defenders to help recognize attack types. It also provides CISOs with much-needed visibility into their team’s skill base.

The framework enables organizations to select a specific attack technique and then, by analyzing their defenses against it, highlight any weaknesses and expand their security controls as appropriate. Essentially, it helps CISOs to spot any problems that require quick remediation.

Applying the same idea to people, a matrix of skills aligned to ATT&CK techniques and tactics enables CISOs to see, at a glance, where their organization has strong coverage and where it lacks human expertise. This approach makes it possible for CISOs to quickly identify those individuals whose skillsets make them ideal to respond to particular incidents.

By the same token, it also helps to highlight those employees whose skills require further development. 
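As an added example that is not from the article, the skills matrix described above in Python: a constructed team mapped to a handful of real ATT&CK technique IDs, with functions that report techniques nobody covers and techniques that depend on a single person. Team members, proficiency scores and the minimum level are assumptions.

```python
from collections import defaultdict

# Constructed sample (not real staff): who can detect and respond to which
# ATT&CK technique, with a proficiency of 1 (familiar) to 3 (expert).
TEAM_SKILLS = {
    "alice": {"T1566": 3, "T1059": 2, "T1486": 3},  # phishing, scripting, ransomware
    "bob":   {"T1566": 2, "T1498": 3},              # phishing, network DoS
    "carol": {"T1059": 1, "T1003": 2},              # scripting, credential dumping
}

# Techniques the organization wants covered, mapped to their ATT&CK tactic.
# IDs and names are real ATT&CK entries; the selection is an assumption.
TECHNIQUES = {
    "T1566": ("Initial Access", "Phishing"),
    "T1059": ("Execution", "Command and Scripting Interpreter"),
    "T1003": ("Credential Access", "OS Credential Dumping"),
    "T1498": ("Impact", "Network Denial of Service"),
    "T1486": ("Impact", "Data Encrypted for Impact"),
    "T1041": ("Exfiltration", "Exfiltration Over C2 Channel"),
}

MIN_LEVEL = 2  # proficiency needed before someone counts as covering a technique

def coverage(team=TEAM_SKILLS, techniques=TECHNIQUES, min_level=MIN_LEVEL):
    """Return {technique_id: [people at or above min_level]} for every technique."""
    cov = {tid: [] for tid in techniques}
    for person, skills in team.items():
        for tid, level in skills.items():
            if tid in cov and level >= min_level:
                cov[tid].append(person)
    return cov

def gaps(cov):
    """Techniques nobody covers: the gaps the CISO needs to close."""
    return sorted(tid for tid, people in cov.items() if not people)

def single_points_of_failure(cov):
    """Techniques covered by exactly one person: losing them reopens the gap."""
    return sorted(tid for tid, people in cov.items() if len(people) == 1)

def tactic_coverage(cov, techniques=TECHNIQUES):
    """Fraction of each tactic's techniques that have at least one qualified responder."""
    covered, total = defaultdict(int), defaultdict(int)
    for tid, (tactic, _name) in techniques.items():
        total[tactic] += 1
        covered[tactic] += 1 if cov[tid] else 0
    return {tactic: covered[tactic] / total[tactic] for tactic in total}

if __name__ == "__main__":
    cov = coverage()
    print("gaps:", gaps(cov), "single points of failure:", single_points_of_failure(cov))
    print("coverage by tactic:", tactic_coverage(cov))
```

Raising `MIN_LEVEL` to 3 shows how quickly apparent coverage evaporates when only experts are counted.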

With the size, scale and sophistication of cyber-attacks growing at an unprecedented pace, CISOs have never been under more pressure to ensure their organizations are properly protected. Measuring the effectiveness of a digital cupboard full of different solutions is an essential – if unwelcome – step toward closing any gaps in coverage.

Gaps in a security team’s skills and knowledge must be closed too. This will be impossible, however, if no one knows where those gaps are.

By mapping employees’ skills against ATT&CK techniques, CISOs can enjoy a reliable measure of the “health” of their security team – a health check that could prove invaluable in the face of an attack.
