30 Jul

Lessons Learned from a Cybersecurity Review

The past week presented me with a neat opportunity. I was asked to assess a so-called “Cybersecurity” plan of action for a small organization that has a strong internet presence but little internal expertise in the way of IT operations and security. When I was initially approached about my expertise in cybersecurity and my willingness to review the external assessment for the organization’s president, I was hesitant to describe myself as a cybersecurity subject matter expert, or even as reasonably knowledgeable on the subject.

To me, cybersecurity has become an ambiguous term, like “hacker” or “the cloud”. As soon as I see a term like any of these on a resume, I am instantly skeptical of that person’s true skill set and abilities.

Once the assessment began, I quickly discovered a disconnect between what the assessment perceived and what IT Operations stated to be in place. Once I got to the gaps and recommendations portion of the document, a wider disconnect appeared, which is what led the president of the organization to ask me to perform the peer review.

The Management and IT Professional Gap

If you have ever worked in IT Operations or IT Security, I am sure you have noticed certain personality traits many of the professionals possess. Quite a few are naturally very analytical. They are tinkerers who like to learn from trial and error and hands-on experience. These professionals often size up their peers by witnessing their skills in action rather than by their educational and professional background.

The senior information technology managers who manage these people do not generally share the same personality traits or passions. A good senior manager must possess a completely different set of skills, including tact and an ability to look at the organization from a higher level. A good CIO or CSO must also be adept at assessing risk, the political landscape within the organization, and the overall condition of the market.

Would you typically consider the whiz IT Operations/Security engineer or the insightful CIO/CSO a “Cybersecurity” expert? While many people on both sides might consider themselves to be, I would argue most would probably not find themselves up to the task of handling a real cybersecurity emergency.

The true measure of any expert is how they handle themselves under fire.

What Qualifies Someone as a true Cybersecurity Expert?

A true Cybersecurity expert needs to understand both sides of the business. This individual must possess a wide breadth of knowledge and experience, both technical and managerial. The true cybersecurity expert should be fairly comfortable not only assessing but also using the very technologies and tools they expect the hands-on IT professionals to deploy and maintain on a daily basis, and they must also be adept at seeing the organization from a bird’s-eye view and assessing risks both external and internal.

I have only met a handful of professionals in my career who I would consider true cybersecurity experts. I don’t recall if they all labeled themselves as such or not.

What I Learned from my Cybersecurity Review

The person who prepared the assessment I peer reviewed was definitely well informed and had a few more years’ experience than me, but I felt he shot high and missed his mark in many areas.

While the review was full of appropriate suggestions, such as implementing policies, conducting access reviews, and verifying that various safeguards were in place, he failed to recognize the limitations of the resources and budget the organization had at its disposal. He also missed key technical recommendations for systems already in place, which admittedly only someone with IT experience would probably know to inquire about or mention.

I got the impression the assessor followed a popular framework and applied it to the organization, which isn’t necessarily a bad approach! Except… that should not be the extent of what a cybersecurity expert does.

With this peer review under my belt, am I ready to start labeling myself as having cybersecurity expertise? Maybe after I survive my first true cybersecurity event and can hold my own with some of the true experts I know in the field, I will.

“The more you know, the more you realize how much you don’t know; the less you know, the more you think you know…” -Ritu Ghatourey
