Becoming your own security advocate
Plenty has been written about the lack of skilled security specialists and how it will be exacerbated by things like machine learning (ML) and generative AI (GenAI). Even large enterprises are turning to partners who can provide bespoke security services to fill gaps they can’t fill themselves. For smaller and mid-size companies, the situation might seem daunting.
The cybersecurity skills gap is not going away, however, nor is the need for robust security. If you leave your office door unlocked after everyone’s gone home for the day, you risk a robbery. If you leave your digital doors unlocked at any time, you risk much graver consequences. Many organizations cannot survive a well-orchestrated cyberattack.
But you’re not a security expert, so what do you do? Turn to a trusted partner, right? Well, actually, that’s not the first step. That partner or group of partners is certainly your solution, but not before you become your own security advocate.
Let me provide an analogy. A friend recently went through a significant health crisis. Once she learned of her condition, her next move wasn’t to ask her doctor, “ok, so when do you begin treatment?” Instead, she wanted to know what was possible and practical so she could decide what was right for her. She consulted many experts and got a wide variety of opinions and recommendations as a result. She joined online groups and sorted through hundreds of posts to find and understand the treatment journeys of those with similar diagnoses. Ultimately, she decided on a course of treatment that her doctor understood but could not provide. She would need to augment her network.
To her credit, she’d already been networking with the various specialists she’d been consulting, and ultimately, she underwent treatment with an augmented team. She managed her treatment with intention and discipline, and she achieved a cure.
Is IT any different? There is no “one-size-fits-all” solution for cybersecurity. Had my friend followed her initial doctor’s advice, her treatment might not have been successful in the long term. It was no reflection on the doctor; he couldn’t provide the treatment she wanted. Her doctor provided the treatments that “worked for most everyone.”
What my friend did was become her own healthcare advocate. She didn’t learn how to cure her condition, but she did learn exactly what her condition was, what could be done, and the outcomes each could provide. In short, she figured out what would work for her.
Becoming your own security advocate does not mean you become an expert on security, but it does mean you become an expert on trends within your industry and on your specific vulnerabilities, weaknesses, and limitations. As much as you might trust your IT partner, their advice is shaped by a number of things: their staff’s own security expertise, the strengths of the solutions they represent, and their familiarity with those solutions. Something that “works for almost everyone” might be insufficient for you.
But this doesn’t answer the question, “How do you become your own security advocate?” Yes, you should consult with a trusted partner, especially one who has a history with you and some understanding of your organization. But the fact that you’re asking security questions at all shows you’ve already done the work to understand your company’s needs and risks, and you likely need more than just the advice of one trusted source.
Here’s an outline which might be useful to you:
- Identify your top issues. Ask yourself what’s most critical and what will impact the business the most.
- Start small – what are the top three issues you need to address first?
- Who do you think can help you address these issues?
- Think about the necessary timeframe, resources, and budget. What will it take to fix those top three issues?
OK – but that’s just a list, and you may – or may not – be able to address any of the items on it yourself. That is why you will need to leverage both partners and available tools. You can’t address what you can’t identify, and a strategy without a plan won’t get your desired results.
Partners
You already have a trusted partner. Now, you need to understand what that partner can and can’t do. It’s not a reflection on the partner, it’s an acknowledgment that security is complicated, and you need to be your own advocate. You don’t want to put a trusted IT partner in the position of trying to learn a new discipline, toolset, or product with you as the test subject. Not only will results vary, but you could destroy an otherwise excellent relationship.
So, does your partner have a security practice? Ask to speak with the security team. Be honest in your conversations; you’re looking to find out where and how your business might be exposed to online threats. Remember, threats can come from every source that isn’t hard-wired to your infrastructure (and if infected, even from a directly connected device). Speak to a couple of your partner’s references – how comprehensive is their security practice?
You may find that your IT partner has a great infrastructure security service but doesn’t look at incoming threats from email or online applications, or doesn’t offer employee security awareness training. One-third of your employees are likely to click on a suspicious email, so don’t underestimate the importance of this training.
Also, what does your partner offer for remediation services? Don’t assume you can protect yourself 100%—you can’t. Somewhere, somehow, an attack will get through. What services are provided to identify these threats and either stop them before they cause damage or remediate any damage they’ve caused?
Based on the feedback from your primary partner – your trusted IT partner – it may be time to look for a specialist. Many Managed Security Service Providers (MSSPs) do not provide other IT services. Likewise, many Managed Service Providers (MSPs) that offer ongoing IT services and support do not have a security practice. Even large companies turn to extended detection and response (XDR) providers who can stand up a managed security operations center (SOC) for them. This may be a solution for you, too.
So, who do you turn to for security? A trusted partner, an MSSP, or a managed XDR service? There’s no single answer except it depends on geography and customer “fit.” Your size and your industry are significant factors when it comes to security providers, and you want someone who provides services to customers like you.
Some partners will offer you a paid-for security assessment – this is worth pursuing, but only if that partner can also provide and support the remediations you need based on the assessment results or if you already have a budget for outside consulting services beyond your routine operations.
Also, talk to your peers. First, whatever industry you’re in, you have counterparts at other companies who may be willing (and happy) to speak directly with you about security challenges. Everybody likes sharing war stories. Have they been attacked? How did they respond? What did they do, what did they find, and how did they address it? Who is their favorite IT partner, and why?
Then, talk to these partners. You’re likely not looking to replace your current IT partner, but you may very well find you need a secondary partner to focus on these security concerns. It is not unusual for organizations to rely on different partners for different things. The key is ensuring you have defined “swim lanes” and assigned them accordingly. You want each partner to know what everybody else is doing.
Tools
Some of the best things in today’s market are free vulnerability and assessment tools. Be aware that the independent software vendors (ISVs) who create these tools want you to purchase their solutions, and they were designed with that in mind. Still, most of these tools are free and informative, and you’re not obligated to buy from that vendor after you’ve run the scan.
At Barracuda, our assessments and tools – even things like our “configure and price” that require contact information – provide real, tangible, and actionable results. We provide many different scanners and assessment tools because security IS complicated. When we run an email scan, we will identify latent threats in your inboxes and tell you how to remediate them. Other tools may say, “We have identified problems – CALL US,” but you’re under no obligation to call them, and some can be a good “second opinion” as to your threat status.
Tools will also help you identify your biggest threats and vulnerabilities. You probably don’t have the resources to fix them all at once, so use these solutions to help you identify what you should fix today and what you may want to fix tomorrow.
Also, remember security is not static. If anything, security is the most dynamic aspect of today’s IT landscape, and artificial intelligence (AI) accelerates the security landscape even further. Bad actors are already using GenAI, ML, and other AI-powered technologies to create bolder and more innovative threats. ISV solution providers are using similar technologies to find and defend against new and more sophisticated attacks. Partners are leveraging GenAI to respond faster and more accurately to queries, issues, and ongoing deployments and support. GenAI technologies like ChatGPT and other large language models (LLMs) have created a sword of Damocles over the connected world. These technologies came about because they ingested the public internet rather than learning from carefully curated training sets.
Because AI now relies on a large and continually evolving learning set (i.e., the internet), you should run scanners or vulnerability assessment tools on a periodic basis. Some solutions will automatically scan applications already under that vendor’s protection. These scans are usually run against new vulnerabilities and automatically fix them. Barracuda Application Protection features an advanced vulnerability scanner that will constantly monitor your entire deployment for vulnerabilities. When it finds vulnerabilities – even in apps that are still in development – it can remediate them automatically or with a single click. Solutions like managed XDR take it one step further, perform broad scanning, and do the remediation for you. But the bottom line is that security isn’t a one-and-done kind of solution. It needs to be proactive and ongoing.
You may also find that one of the ISV tools or scans you perform makes that ISV’s solution look attractive. Your preferred IT partner may or may not support this solution. Many partners are willing to support anything their customers ask for, but they usually come to the table with expertise on a particular set of solutions or tools.
If your partner doesn’t support the ISV solution that fits your needs, you might want to contact the peer group you leveraged to find out about preferred partners. What tools and solutions do they use and prefer? What do they know about the solution you’re considering?
Most solutions are now available through hyperscaler marketplaces. Public cloud providers like Microsoft Azure, AWS, and Google Cloud Platform all have some kind of review or rating tab associated with their marketplace solutions. Check these reviews to see who’s said what and when about a particular solution. And approach this like you approach any online purchase – 4 or 5 stars is only a guideline; you need to read the reviews. How many 4-star products have you researched only to find that people gave them 4 stars because they didn’t like a particular feature you don’t care about? And sometimes, a 5-star rating is based on only a single reviewer. Do you know how many positive reviews it takes to balance out a single 1-star review? So read a few of the reviews.
What do you do next?
It takes work to become your own advocate, but the effort will pay off. If you don’t know what you want to do and how you want to get there, you’ll get nowhere. Every customer and partner I’ve ever talked with has gone on this journey at some point – it’s how they became the partner or security advisor they are today. Start small, but do start. Two of my favorite partners (we can’t name names) have told me that every one of their assessments has shown things neither they nor the customer knew about that customer’s security.
It's not an arms race—it’s today’s IT landscape. At Barracuda, we proudly offer a straightforward, cost-conscious cybersecurity platform delivered by trusted partners to protect customers for life at all aspects of their journeys. However, we started out as an email spam filtering company. We did what you’re going to do—we became our own security advocates.
Learn more about us and our comprehensive cybersecurity platform at www.barracuda.com.