It's time to step up your InfoSec game

May 2, 2017 | InfoSec Workforce | By Media Admin
Organizations have two choices: step up their InfoSec game to prepare for the threats of tomorrow, or remain bogged down by traditional modes of thinking that make them susceptible to cybercriminals.

Cyberrisks are accumulating, the threat landscape expanding and the frequency of data breaches increasing. Through it all, organizations remain vulnerable.

Something's gotta give - or rather change.

For businesses, knowing about these risks isn't the problem - it's knowing what to do about them. At this point, cyberthreats are impossible to ignore. As we've seen, particularly in the last two years, enterprises are huge targets. Even some of the biggest, most established companies in the world have fallen victim to major, high-profile attacks. It's not a matter of if but when an attack will occur, and how severe the damage will be when it does. While answers to these questions aren't something businesses are entirely in control of, there are a handful of responsibilities and opportunities they have to minimize risk.

With more information sharing happening than ever, safeguarding our IT systems against hackers will continue to be a challenge. It's not that enterprises aren't advancing their methods, just that we aren't getting better at protecting data quickly or efficiently enough.

Getting around the InfoSec skills gap

It's time to step your InfoSec game up.

Only once you pinpoint the biggest barriers and areas of contingency holding your company back will it be possible to take your defense to the next level, rise up and rally against the ever-maturing cyberthreats.

"Given the skills gap, proper InfoSec training is more important than ever."

One of the biggest challenges is the skills gap. Qualified professionals capable of meeting the challenges and demands of today's risk landscape are hard to come by, due, in large part, to the cookie-cutter, one-size-fits-all shape many InfoSec courses take. The broad and generalized form of these training frameworks isn't sufficient to give individuals the comprehensive, aggressive experience needed for the current cybersecurity climate.

For an industry already suffering from a lack of candidates, letting those who are in the field skirt by without critical and applicable competencies benefits no one - except, of course, the hackers.

The Information Security Forum recently released its Threat Horizon 2019 report. As the organization pointed out, a business's ability to deal with emerging threats hinges on a combination of factors, including its people, skills and degree of preparedness.

Given the talent shortage and skills gap, proper InfoSec training is more important now than ever.

The building blocks of better training

Those who prevail in volatile and combative environments, like our current cyberspace, aren't ones to sit back and hope for the best. They're the ones who take initiative in implementing meaningful change, starting with their own organizations.

In the wise words of Greek poet and soldier Archilochos, "We don't rise to the level of our expectations, we fall to the level of our training."

If you want your InfoSec team to be the best they can be at defending your critical infrastructure, identifying weaknesses and minimizing risk, their training and development must be continuous, purposeful and strategic. The type of training we're talking about involves four main categories:

1. Threat exposure
You need professionals on your team who are highly trained in threat exposure and emulation. By gaining an understanding of the adversary's methodologies and exploitation techniques, InfoSec pros can conduct penetration tests and identify weaknesses within the network. Comparable to how schools and offices conduct fire drills, staged incidents and simulations allow organizations to see what would happen in the event of a disruption, then identify and resolve any vulnerabilities so they're better prepared for a real disaster. 

2. Defense
This element of training focuses on the tools, technologies and procedures for evaluating and protecting information systems. A good defense helps security members responsible for the development and deployment of incident response plans, risk mitigation and recovery strategies.  

3. Counterintelligence
If there's one aspect of InfoSec training that most businesses today are missing out on, it's counter-infiltration. In combat, whether on physical terrain or in cyberspace, being on the defensive is not the only path to security. Active preparedness is the foundation for protection, which is why it is critical to arm your team with the know-how to hunt adversaries within a network and to pinpoint the behaviors monitoring tools leave undetected.

4. Development
The final pillar of InfoSec training involves teaching security pros the best methods for using their resources to create and implement tools for verifying system integrity, facilitating configuration and enabling situational awareness.

Businesses must be more strategic in InfoSec training initiatives.

To compete in the threat landscape of today and keep critical infrastructures protected, businesses must make strong InfoSec operations part of their DNA. They need a stable security architecture, the tools to help maintain it and the professionals who are capable of keeping pace with the rapidly accelerating and increasingly complex environment.

Complacency is the breeding ground for vulnerability. Affirmative, aggressive action is needed to maintain security. Only properly trained teams can deploy this kind of execution successfully.

A paradigm shift is taking place in the InfoSec community, one that enterprises need to participate in if they want to contribute to the solution rather than perpetuate the problem. In this new framework, the skilled workforce is able to not only protect against known threats but proactively defend against unknown adversaries. These teams - and yours soon, too, hopefully - are capable of adapting and adjusting to attack vectors as they surface, as well as identifying and resolving vulnerabilities before infiltration even occurs.

This type of human capital development plan, and InfoSec training that facilitates it, is most effective when conducted by information operations specialists, those who have experience performing in mission-critical roles and are particularly skilled in developing teams and bringing operators from zero to hero.

To learn more, download our whitepaper today.