Let your security maturity be your guide

Security leaders should evaluate their organizations' security maturity

· 3 MIN READ · JONATHAN WALDROP · JAN 18, 2024 · TAGS: Tech tools / Threat hunting

Effective security leaders are always looking beyond their teams’ day-to-day challenges and operations to find the next logical stage in their evolution. The best leaders are the ones who can prioritize and execute. They know the areas that need the most attention, evaluate their options, address them, and move to the next priority. I’ve worked in many organizations and managed different types of security programs, and I’ve seen how organizations that run before they can walk can end up hampering their long-term security goals.

You can evaluate the maturity of your security program in multiple ways. No matter how you slice maturity, the base level is getting people, processes, and solutions in place for prevention, detection, and response. That’s the foundation on which everything else in the security program is built. Without those elements, you don’t have a basic, functioning security operation.

Once those elements are in place, you’ve got sort of a “choose your own adventure” scenario ahead of you to mature your security. There are different areas you can invest in, like governance, risk, and compliance (GRC—which I’d argue is important to invest in early), data protection, risk modeling, and security frameworks, to name a few. You need to look at each of these potential areas through the context of your organization. For example, if you’re in a highly regulated industry, investing in GRC is very important. It all depends on your specific risk profile, the goals of your organization, and other factors specific to your context.

You can also look at your security maturity through the lens of the capabilities of your team members, and whether they can fulfill the roles you need both today and tomorrow. For example, you don’t simply add more threat detection and response solutions to your tech stack; you need to hire analysts who can establish processes and address alerts to make the best use of the technology. Alternatively, you can also bring on a managed detection and response (MDR) vendor that will help you up-level your game in that space (which is what we did when we brought Expel on board). Whether you staff the team internally or bring in a provider, you have to ensure those people are firing on all cylinders before adding more capabilities. Pro tip: even if you’re bringing in an outside provider, you should take steps to ensure that the partner helps support and educate your team, in addition to executing day-in and day-out.

These are all considerations that I and the rest of Insight Global’s security leadership made when we considered adding threat hunting to our repertoire of security capabilities. For us, it was largely a question of security maturity. When I first joined Insight Global, we weren’t in a position to add a capability like threat hunting to our toolbelt. I knew we needed to grow the team, and add critical and specific disciplines to our security program before we could look at adding other elements. Eventually we reached the point where we had a handle on foundational coverage and process maturity, so it was time to take the next step.

We also had to consider the need. We weren’t about to add threat hunting to the toolbelt because we’d run out of things to do—in fact, we were busier than ever. As Insight Global had grown, so too had the cyber risks to the business. Our threat profile and landscape had scaled right along with our own growth. So there was absolutely a need for a threat hunting capability to dive deeply into our environment and identify gaps and weak points. And like the MDR example above, we had to evaluate whether this need required a full-time employee or if we could lean on an outside provider.

In our case, we’re not big enough to need a full-time threat hunter, so we partnered with a vendor (again, it was Expel). We chose them because their hunts match up with our existing tech and they already have threat hunting expertise in-house. It gives us added peace of mind and a deeper look into our environment. Even when the hunts don’t turn up anything concerning, they still deliver valuable insights into gaps and potential problem areas. And we didn’t add the responsibility to a member of our current team, as we didn’t want to overwhelm them or have threat hunting take away from the valuable work they’re already doing. At the end of the day, threat hunting helps us be more proactive in our security operations. We’re not waiting for something bad to happen to address it, but rather getting out in front of potential issues before they turn into something real.

I agree with the saying, “security is a team sport.” It’s our job as coaches of those teams to know what our players and equipment are capable of, and where we might need to bring in free agents and different gear to get the job done.