Building Secure Security Teams


Posted by Prudence Smith

We can safely say that cybercrime is less risky for the perpetrator than any other crime, which makes it very appealing, and it can destroy a firm through regulatory penalties, fraud or a direct cyberattack. Estimates of the cost of cybercrime vary wildly, but the numbers are always huge, often in the trillions. So why is so much lost to cybercrime, why is it so appealing and, despite the focus on cybersecurity as a risk issue and as a career, why do cybercrime figures continue to rise unabated?

When I first entered the industry back in the early 90s, security was small, very male and inward-looking. It took a long time for anyone to be trusted and accepted; the adoption of security was problematic, with security being someone else’s problem; security was an afterthought; and it didn’t help that the financial cost of cybercrime was difficult to understand. Then, from 2015 on, ‘cyber’ suddenly became the buzzword: the Board and businesses understood the risk, funding was at its peak, the FBI released their first estimates of the annual cost of cybercrime, master’s degrees popped up all over the world with differing levels of effectiveness, and the industry opened up. Despite all of this, nothing changed: the estimated annual cost of cybercrime continues to rise; email remains the number one method to commit fraud, steal data or infect systems; people are still clicking on links; employees have too much access to data and systems; and systems remain unpatched and poorly configured.

While we are fixing our technology and data access issues, we must not forget the importance of awareness for anyone who has access to our sensitive data. Technology is not, and cannot be, the only answer. Because humans have been ignored for so long, criminals know this and target them specifically, made all the easier by social media and people’s natural desire to help and get things done. Show employees exactly what can happen when a certain action is taken so they understand why it should not be taken. Make sure employees know what a security incident looks like and what to do if they have one, so that from day one all employees are protected. If we are proactive, secure our processes, data and systems, and deal with security incidents swiftly, the overall impact of a cyberattack can be significantly reduced.

Cybercriminals are good at what they do. Because cybercrime is lucrative and low-risk, they have the time and commitment to be successful. They will look at everyone within a firm as a way in and will fully understand the processes undertaken and the technology used. Once they are comfortable, they perform the attack, and that attack can come in many forms: a phishing email to an unsuspecting employee, a fraudulent new vendor being onboarded, or malicious code waiting quietly on a system to activate.

The size of the firm, the complexity of its technology and the amount it is losing to fraud and cybercrime will determine whether you need a dedicated individual or team. If you do need to invest, what matters is that, to thwart fraud and cybercrime, you need people who understand it, can relate to it, can implement technology and procedures correctly, know what to do in an incident to stop it causing any or further damage, and can remediate any technology gaps. Because cyber has been ignored as a career until relatively recently, talent is to be found outside the usual recruitment processes of advertising and hiring. Talent to defend against cyberattacks ranges from hardened techies right up to marketing personnel. The most successful teams I have known have the core values of collaboration, transparency, diversity and the want to do the right thing. If your security team doesn’t have these attributes, then you probably have other gaps too.

Contributors
Prudence Smith

Cyber and Information Security Risk Consultant,

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
