Four Years in Europe: Lessons in Cybersecurity
A recent week-long trip to Europe provided an interesting perspective on how much the state of cybersecurity sentiment in European companies has changed.
As part of my job, I have been regularly visiting European customers and prospects since the spring of 2014. On those trips, I’ve had meetings with individuals who hold a range of titles – hands-on-keyboard security analysts, security operations center (SOC) managers, heads of information security and Chief Information Security Officers (CISOs).
Our early forays into the European market began in Germany and targeted enterprises with 5,000 to 10,000 employees – in other words, not the largest enterprises with 50,000 or more employees. In the Germany of 2014, most of the companies I encountered had a relatively immature security practice that consisted of an array of preventive technologies.
Next-gen firewalls were all the rage, and there was a strongly-held belief that preventing the majority of bad things was desirable (agreed!) and that what would get through would not do material harm (wrong!). Most didn’t have a SIEM, hardly any had a SOC (internal or otherwise) and the idea of employing analysts whose job it was to look at warnings issued by their security products was completely foreign to most of them.
Four years have made a huge difference in the perspectives and mission of German mid-size enterprise security teams. The General Data Protection Regulation (GDPR) that went into effect in May of 2018 certainly has contributed to the change.
While Germany famously has strong workers’ councils (Betriebsräte), its mission has been to protect the rights of employees, and in discussions with security teams an employee’s right-to-privacy would definitively be considered in-scope.
GDPR is all about protecting the right to privacy of non-employees, especially the data of consumers and individuals in firms that your company does business with. Given that GDPR had a two-year advance notice period and given the potential fines that can be levied as a result of non-compliance with GDPR, many companies have stepped up their game in the intervening period.
The spate of ransomware attacks in 2017 that included worm-like spreading capabilities (WannaCry, Petya, NotPetya) was well-publicized in Europe and also seems also have been a wake-up call. The British National Health Service (NHS) was nearly crippled for several days by WannaCry. The NHS subsequently performed a post-mortem and published a report that included a summary of changes and recommendations for preparedness and response. Maersk was severely affected by a NotPetya outbreak that reportedly affected their bottom line to the tune of “USD $200-$300 million.”
The combination of the looming GDPR date and the very real examples of the potential cost of a cyberattack seems to have gotten a lot of companies with immature security practices off the fence. While the desire to up their security capabilities is real, the struggle now seems to involve how to understand their existing capabilities, how to choose a realistic target and how to navigate the path between these two points.
These organizations often have a reasonable asset inventory to start with, but it is often in little more than spreadsheet form. They have pretty good processes for handling arriving and departing employees, but don’t really have a handle on service accounts.
Many companies that had no SOC are now embarking on getting one set up – and struggling with whether they can hire the talent necessary to run an in-house SOC or whether they should find a trusted partner to run it for them.
What is abundantly clear is that the sudden rise in demand for talent against a backdrop of relatively flat supply has created a hiring bottleneck in the path to establish a stronger security posture. When organizations conclude that they cannot hire and retain the necessary talent to run a SOC themselves, their talent gap simply becomes the partner’s problem. The managed security service providers (MSSPs) inherit the struggle to hire and retain talent as well.
So, how do we navigate this talent gap? There are two necessary approaches:
- Creatively think about how to expand the talent pool.
One of the most innovative ideas I have seen in the United States is occurring at the statewide Texas A&M University System. The team that runs information security has staffed its SOC with student interns.
Combining study in information security with real hands-on work in a SOC means graduates of the program already have real-world SOC experience when they graduate. And students can “try out” a cybersecurity career without having to commit to it. This allows students who might not otherwise think of a cybersecurity career to give it a try. And it turns out many students who didn’t think they would like such a career actually do.
- Make use of technologies which are a force-multiplier.
Newer security products that utilize machine learning (ML) can allow your security team to punch above its weight class. While every security vendor now claims to use some ML and aspires to artificial intelligence (AI), products by several ML-originated companies have been on the market for several years and have proven their worth. In some ways, if you’re way behind where you need to be, you have to take more aggressive (and sometimes uncomfortable) steps to catch up.
Overall, I am heartened by the changes of the last four years. While the quantity and sophistication of attacks have increased, everyone finally seems determined to put up a fight.
This blog originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.
