When it comes to staffing in security, I think the most dangerous thing is the generalist. Generalists have a little bit of knowledge about a lot of things, but they’re not able to provide deep analysis anywhere.
So if you’ve got someone who’s got a little bit of background in network security, and a little bit of background in app security, and a little bit of background in operating systems, when it comes time to analyze data across those different platforms, you end up with someone who can give you a very general view of risk. I think you need experts in a security department in order to ensure that all of the areas of risk that you focus on are well covered.
I like to organize my different departments along operational security domains and be able to take those domains and build specialists within them. So, for example, we have a cloud and architecture team whose responsibility is to develop the standards by which the cloud operates to ensure we never have a misconfiguration or poor setup issues in our cloud environments.
To be in that role, those folks have to have a deep understanding of the cloud. They can’t be security generalists.
I think specialists are very important, and I think the organization of a department across domains is also very critical. And you can do that with just 13 or 14 people in a strong security organization at a public company or enterprise. That baseline number allows you to have specialists in each of the key domains, offering a good level of protection against the various threats that come from those different domains from a practical, operational standpoint.
Smaller businesses need less, and should focus on aligning with the best possible external partner if it doesn’t make financial sense to invest internally. You can also lean on a trusted organization like CISOs Connect to network with other folks and benefit from their insights and experience. But if you go with a vendor, pay attention to the depth and breadth of that company’s bench, the organization of its departments, and the specialists that they have on staff to understand how they would segment and complement your security program.
In football, you have a 53-man roster. The reason for a 53-man roster is that the average human being can’t play for four hours straight. They need backup. I would say the same is true of security departments. A security department might not need 53 players, but it does need offensive players, defensive players and specialty people.
The offensive people are the folks who are going to be responsible for keeping everything in front of the department, by educating users and customers, and investigating threats. The defensive team focuses on penetration testing and the infrastructure, making sure bad things don’t happen, and that people get access to what they need and nothing more. The specialty folks are your technology risk managers who are looking at your vendors to ensure that your third parties don’t increase your risk. They’re responsible for your disaster recovery, and your physical security, too, since we have to worry these days about active shooters.
It’s also important to have some level of redundancy, because you never want to have one person responsible for everything.
So even without 53 players, the overarching principle is the same as in football: In building your roster, you need to build with intent.