Dedicated security teams: The pros and cons of splitting focus areas
Could using dedicated security teams that focus on one area of risk help reduce the attack surface for enterprises? Expert Steven Weil looks at the pros and cons of that approach.
The attack surface for many organizations is steadily expanding, as they must now defend against attacks on their cloud applications, mobile devices and internet of things (IoT) devices, in addition to protecting their servers and traditional endpoints, like laptops and desktops. Organizations are trying to figure out how to best arrange their cybersecurity teams to deal with this myriad of risks.
One approach increasingly being considered is organizing the cybersecurity team into dedicated groups that focus on major risk areas, like cloud, mobile devices and IoT, for example. In this organizational model, the cybersecurity team is segmented. But what are the pros and cons of such an approach?
Benefits of dedicated security teams
An important benefit of using dedicated security teams is that it can lead to an organization having subject matter experts, with deep expertise in defending against specific threats and risks, such as attacks against cloud applications. The knowledge needed to secure a cloud application, for example, can be very different than what is needed to secure IoT devices. Specialized teams may be able to better defend specific risk areas than less specialized teams.
Another benefit of having dedicated security teams is that it can help cybersecurity teams handle the flood of information they receive about cybersecurity technologies, risks and threats. It's not uncommon for cybersecurity team members to have knowledge that's a mile wide and an inch deep. By organizing into teams of specialists, the cybersecurity team can better process and act on the information it's receiving.
Potential drawbacks of dedicated security teams
For many enterprises, organizing their cybersecurity team into dedicated risk area groups is not realistic because they can only afford a small cybersecurity team. Even for organizations with robust cybersecurity budgets, the hard reality is that, currently, there is a limited supply of people with the necessary skills to staff dedicated teams, and those people are in high demand.
A significant con to using dedicated security teams is that the teams can become silos that focus only on their particular area of risk; as a result, the organization's significant overall cybersecurity risks may be improperly addressed. Plus, the cybersecurity team's time and money may be used inefficiently and ineffectively.
This fragmentation of the cybersecurity team can also lead to an organization's cybersecurity controls not being complementary -- for instance, if implemented mobile device controls do not work with cloud or IoT controls.
Another con to this dedicated security approach is that, as new areas of major risk appear (e.g., virtual reality), the enterprise will need to create more specialized teams, further dividing the cybersecurity team.
Recommended approach
Many cybersecurity best practices and principles -- such as least privilege, role-based access control, strong authentication and detailed logging -- can be applied across multiple current and future risk areas.
For many organizations, it is better to organize their cybersecurity team as a flexible, unified framework that, at a minimum, has the following four teams reporting to a CISO:
- Infrastructure security: Responsible for ensuring the security of the organization's technical infrastructure.
- Data security: Responsible for ensuring the security of the organization's data and applications.
- Security testing: Responsible for regularly testing an organization's security controls.
- Security architecture: Responsible for verifying that the appropriate security controls are in place to protect an organization's sensitive data and information systems.
Combined with regular risk assessment and data inventory (identification and documentation of how sensitive data flows in, through and out of an organization), the above framework will result in a coordinated approach to risk mitigation and complementary controls.
Many organizations can reduce their cybersecurity risk more by organizing their cybersecurity team with a flexible, unified approach, rather than creating dedicated security groups that focus on major risk areas. It's critical that your organization has a cybersecurity team that is performing the right tasks and properly protecting your organization.