Good security engineers are hard to come by. What is a company to do? Not all companies can afford outrageous salaries to acquire one, much less a full team of security professionals. Even if those few companies can afford it today, how do they retain them?
The answer to this is not simple and is realistically beyond the scope of one simple article written by a SOC analyst. I do, however, have a suggestion to help.
The Human Factor
Everyone at a company effects, for good and bad, the security of the company for which they work. Clicking on phishing emails. Posting a file to a public Dropbox so you can work from home. Coding in that backdoor to make debugging an application easier. Putting convenience above security. These are just a few examples of how anyone can adversely affect the overall security of a company.
The worst part is that many times the person is not trying to be malicious. Their intentions can be good, but their lack of focus could breed horrible consequences.
On Security Champions and Why We Need Them
What if, as the security team, you could have people throughout your organization that positively affect the overall security? We’ll call them security champions. (Full disclosure: I stole the security champions term from somewhere but do not remember where.)
Security champions (my definition) are non-security professionals that promote and practice good security. These people help educate others to identify phishing emails. They do not belittle others for asking what might be considered simple security questions. They bake security into their development process and try to get others to do so. They think about security versus convenience. All without the security team having to tell them to do so.
Think of the time this could save you, a member of the security team. Heck, just a few less clicks on phishing emails would be worth it. Wouldn’t it be great to have your business partners, even just a couple, bring up security-related issues without prompting? How about having developers push for good secure coding practices without you having to beg them?
Yes, you will probably end up with a few security champions that actually create more work for you. But in the end, the more people you have thinking about, practicing and implementing good security, the more time you will save the security team. Not to mention the resources that might be willing and maybe even eager to help when you have questions or are looking into a possible event.
Security champions are not meant to replace security engineers, or whatever title you use, but to augment them.
Best Practices for Cultivating Security Champions
How, you ask? Well, that depends on your organization.
Start small with the people you work with every day. Find out which of them have a security mindset and cultivate that. Send them articles that they might find interesting and see if they take the bait and run with it. If they do, make sure they and their management know the value they are providing. Leverage your existing security awareness and education program. Present security topics. Presenting what a firewall does might motivate some, but I am guessing those are rare.
How about demonstrating how the last penetration tester you had (You are having regular penetration tests, correct?) got your crown jewels? How about something as simple as getting a Meterpreter shell on a box and showing what can be done, like taking control of the camera and installing key loggers. Keep it simple and light but accurate. Keep in mind, not everyone has your level of knowledge.
Some things you consider simple are things that can make a big impact on people. Think even smaller, visiting with people one-on-one as time and events present themselves. Last note, there is no better time than an incident debrief to educate users one-on-one or in a group.
The point is to get people’s attention. Show them why security is important. Show how easy it really can be for malicious actors to reign havoc in your environment. Show how they can have a direct impact in helping to prevent that. A few people will take it to heart and develop a security mindsight.
Many people in information security are problem solvers. Approach it that way. Demonstrate to them how a malicious actor could easily attack your AD / Kerberos infrastructure. (Kerberoasting, anyone?) See how many ask what can be done to mitigate it. Instead of answering, ask them what they would do, what they can think of. Make it a problem for them to solve. Just keep your audience in mind. What will entice one audience, say demonstrating the intricacies of Kerberoasting to your server administrators, will be lost on business partners.
This will take work. It is not a one and done. You will have to be an evangelist. Like most things, it requires careful care and feeding. Overdoing it can backfire. People will tune out. Put thought not only to your message but also to the audience. In the end, the time savings not to mention the more intangibles are well worth it.