To fix the cybersecurity talent shortage, we need smarter product design

"Tapping familiar security design concepts, patterns, and even terminology can prove crucial to building simple, bulletproof products," writes Abhishek Agrawal.

“We need more people” is a constant refrain in cybersecurity (just as it is in other global sectors like healthcare and transportation). But the supply-side characterization misses the mark on the industry’s primary challenge—figuring out how to design security products that work with minimal human participation.

In order to understand the big picture, it’s important to ask: Why do security teams need so many people in the first place? One important reason resides squarely on the demand side. Most cybersecurity products rely heavily on people to make them work and iron out any misfires or false positives. Most need constant babysitting after being deployed into a client’s infrastructure. 

There’s also an inherent concern across security disciplines about the resourcefulness and evolving skill sets of hackers like those behind Sony, the 2016 election hacks, SolarWinds, the recent Microsoft Exchange Hafnium hack, and others. Big hacks like these lead many security pros to believe that they perpetually require an all-hands-on-deck approach, both from an enterprise security practitioner and product standpoint.

This multifaceted dynamic is actually as much (if not more) of a product design issue as a human capital one. So, why are we still treating it as solely a talent challenge? In order to right the ship, we need to unify around security products that are intentional about keeping overhead low. We should keep these three design principles in mind:

#1: Bring the end-user into the fold

Arming users with simple workflows can decentralize a solution’s operational load, while reinforcing shared accountability between administrators and end-users. And taking that approach can be more effective for both parties—especially if end-users have more business context than a centralized security team does. 

In practice, modern multi-factor authentication (MFA) products—employed by companies to add an additional verification step that ensures people logging into platforms actually belong there—are one of the best examples of striking this balance. For an end-user, rejecting an MFA challenge is a simple action that allows people to participate in their own security. Companies that offer these products, including Duo, Okta, and Yubico, do a great job of packaging MFA workflows into an end-user experience that is easy on users and security teams—while spreading the accountability among them.

This model can, and should, be applied across suites of security products.

#2: Alerts should be more meaningful, not more frequent

Getting security alerting right is hard, but that doesn’t mean products can abdicate responsibility for delivering meaningful and/or context-rich information to end-users. For many of us in the business, it can seem like responding to alerts takes up a significant portion of our days and drains our overall productivity (and life force). A big reason why this persists globally: the importance of a given security event is highly subjective and depends on several factors specific to an organization and/or end-user. Further, unlike notifications in other products, the cost of being wrong or under-alerting even once can prove fatal. 

The cybersecurity industry’s legacy obsession with not missing a single thing tragically creates massive inefficiencies and disrupts workflows. But that doesn’t have to be our reality for much longer. In fact, thoughtfully designed, low overhead security products can combat this problem with a one-two punch today. 

First, they need to be designed with thoughtful out-of-the-box settings that prioritize delivering a high ratio of useful alerts, versus trying to catch every single event. Second, they need to be designed to allow alert thresholds to match an organization’s risk appetite and security talent bandwidth. For a contemporary example, look at Thinkst Canary’s tool, which constantly monitors for attackers autonomously and issues a single, context-packed alert when a breach is detected.

#3: Recycle your best design ideas

Today’s best security products minimize the amount of information that needs to be configured or defined, opting for integrations instead. Even when integration with other tools or workflows is impossible, borrowing existing concepts, data models, or patterns can reduce a product’s on-ramp time and operational overhead. It can also lead to the development of products that are faster to set up, automatically adapt to changes in an organization, and help ensure that everyone with access uses the right data to make business decisions—while resisting becoming another operational burden.

For example, Fleetsmith, the Mac device-management product recently acquired by Apple, treats a company’s Google or O365 account as the source of truth for their list of users—versus deciding to build an employee directory from scratch. It’s a simple choice that saves Fleetsmith’s administrators a lot of time because it eliminates the need to manually update and sync two (seemingly unrelated) systems. Across the board, tapping familiar security design concepts, patterns, and even terminology can prove crucial to building simple, bulletproof products. 

Don’t throw bodies at the problem

Solving cybersecurity’s talent supply shortage can’t happen overnight. Frankly, it can’t happen at all until our industry collectively shifts how we think about the way products are designed, built, and innovated. On the demand side, attempting to address security issues with tools that require constant babysitting or scores of people to keep them running will never scale.

In practice, we need to inspire product builders and buyers to become obsessed with minimizing overhead as an explicit design objective, not an afterthought. The companies I’ve singled out above deliver low-overhead, high-quality products designed with security and productivity at their core today. But the entire industry needs to embrace these design principles in order to make meaningful progress in closing talent gaps and delivering superior products to the market tomorrow. 

Abhishek Agrawal is the co-founder and CTO at Material Security.