Since I began working at MSI several years ago, I have been able to study the behaviors of organizations of various sizes in terms of information security.
Sort of a forced march through “infosec cyber-anthropology”.
One thing that has always surprised me is the number of comparatively large organizations – often ones with significant IT staffing in the form of networking, database and sysadmin staff – who do NOT have dedicated security staff.
This to me is a lot like expecting the postmen, utility crews, trash workers, and all the rest of the specialist priesthood that keeps our immediate environment working, to also pick up the slack and do police work on the side.
As in all bureaucracies, IT staff can be very turf-conscious. In some cases the hiring of dedicated security staff is clearly actively resisted by existing groups. Threatened sysadmins will claim that they can handle any security issues – often as long as they have the right tools. And that plays into the “magical thinking” that security product vendors are quite willing to cultivate in the minds of management: “Don’t hire people – buy my stuff! Burn enough money on my altar and the evil will be held at bay.”
I believe strongly this is the road to hell – or at least career death for executive management when the inevitable breach occurs.
Ask those Equifax execs.
Gardens need gardeners. Your information security environment will be an illusion if there are not people who truly care about it and feel a moral obligation to protect your organization and the information that customers entrust to you. That obligation includes questioning things as they supposedly are and not believing that what your SIEM says is necessarily the truth.
No “managed security services provider” is going to do this for you. Only loyal, engaged and actively concerned staff who have a clear sense of local mission can provide such care.
It is a level of care you would want for yourself and for your family.
Provide it to your customers.