This is the third article in a four-part series based on Matthew Warner's cybersecurity manifesto, "The Industry Approach to IT and Cybersecurity Is Not Working." As CEO and Co-Founder of Blumira, Matt draws on more than two decades in cybersecurity to argue that throwing money and resources at the problem will never get us ahead of purpose-driven attackers. This series serves as a practical guide for IT leaders navigating the complex world of cybersecurity through operational resilience rather than an endless arms race.
A New Approach to Building Resilient IT Security
Now that we’ve examined the current state of cybersecurity from multiple angles, I’d like to leave you with some practical steps for making change. This article provides an overview of three major strategies, with links to a detailed implementation guide.
We need to change the mindset from “how can we stop the threat” to “how can we be successful in the face of a threat.”
Cybersecurity as an industry has been focusing on the wrong thing – adding and tweaking technology for the broadest risk reduction. I believe we’re going to make more progress by focusing on outcomes and value. We need to change the mindset from “how can we stop the threat” to “how can we be successful in the face of a threat.” Organizations need to take responsibility for their own maturation, then leverage technology to get there. But let’s always keep in mind that security is achieved by understanding the people on both sides – the good and the bad – and that people are creatures of habit.
To a certain extent we have a problem that was created by the industry, and exacerbated by top-down management that doesn’t understand what we’re dealing with. I find it remarkable that the same executive who wouldn’t tolerate squishy facts in financial accounts would allow risky decisions in IT simply for the sake of convenience. Someone high up needs remote access? Sure, open up RDP to the internet and don’t ask any questions. The thing is, when you tell an IT security worker to set aside their ethical-risk controls “just this once,” it biases their future judgment – because maybe it doesn’t really matter.
In order to move forward, we need to talk about reducing risk rather than being “secure.” Remember, you will be attacked. The key is to arm yourself. IT security can never be a set-it-and-forget-it solution. And your team should also be getting a little better each day. A strategy of continual improvement will help your organization survive when an attacker has designs on bringing a halt to your operations so he can enrich himself with a hefty ransom. Let’s take a look at actions you can take that will help your organization weather whatever the future has in store.
Grow your own internal IT by investing in people
I have conversations weekly with 200-500 employee companies that have no more than ten people in IT. They have no security experience to speak of beyond basic training for tool management. They’re concerned, as is their leadership, that they’d be unable to respond decisively to a security threat. At the same time, these people are trusted to ensure that hundreds of employees are able to work and continue to generate revenue for the organization. It’s likely they’ve dedicated insane amounts of time to ensure this happens. I can guarantee those IT folks have gone through emergencies, crashes, and terribly stressful days just on the IT-side of the house – that’s experience you can use.
In organizations under 5,000 employees, IT should be focusing on ensuring there is operational growth in both IT and security. Tools that dampen the potential to develop valuable skills and areas of excellence through outsourcing can create issues. IT security is a skilled trade which requires experience. You may worry that training up your team will cause them to leave. Don’t kid yourself. Churn is just as real in the service provider world.
Now let’s look at how you can make sure to keep them.
Invest to retain your people
If you don’t invest in your people, you won’t be able to realize an actual reduction in risk. It’s not just about training. They’ve got to be exposed to real-life, complex security experiences – this goes for the entire management team as well as IT managers and specialists. Much of this can be done with tabletop exercises that help identify potential risks and build intra-departmental communication networks. Folks in every part of the business should be asking themselves what their role will be if they have to deal with a similar situation in real life.
Taking IT and cybersecurity seriously and placing it in the context of the entire organization helps you retain staff and develop their opportunities to contribute. True, cybersecurity experience is often seen as a professional stepping stone – the grass always seems greener over there. Without early context and the right support, a valuable team member may decide to take the leap before they know what exactly they’re getting into. This perpetuates the cycle of burnout. When team members are involved in the big picture, working with modern tools, and partnering with capable MSP partners, their capabilities – and loyalty – will grow.
Use tools for where you are, not what the industry says you need
The hardest part can be determining what cybersecurity technologies actually do and what you’re going to get from them. It’s tempting to want to pass the risk off to outside services. That’s not how it works. The tools and services you deploy should have a direct relationship with organizational success and have clear value to your day-to-day life. Internal growth is good, and it can be achieved through hands-on experience with realistic tools that fit your organization. More common sense, less burnout.
If you’re new to this, it can be confusing to understand the difference between Managed Detection and Response (MDR) and Extended Detection and Response (XDR). Then there’s SIEM, EDR, SOAR, and NGAV – it’s hard to know what’s really needed and what’s right for your organization. Suddenly you’re left with a bunch of questions:
- Do I need an XDR with an EDR if I have an NGAV with an EDR but the telemetry is different?
- Wait, what is a SIEM even for? Is it that thing that just costs a lot?
- What does my MDR use for an EDR? Does that meet compliance?
- What is MDR doing that my team can’t do with an XDR or SIEM?
- How are there so damn many acronyms in this industry?
- Should I quit and become a farmer, or at least do something outside?
A smart approach is to match solutions to your organization’s level of maturity, as outlined in the following chart. Maturity increases as higher levels of visibility are integrated into your operations. Automation doesn’t automatically make you mature, but as you add capabilities your tooling increases speed, efficiency, and impact. Of course, the whole point of a maturity strategy is having a plan for the next level – that means annual evaluations to determine the best growth path for your organization.
A quality SIEM (Security Information and Event Management solution) soon becomes a vital tool because it allows you to look at data holistically and in context. When you’re actively reviewing security logs and leveraging data fully, you have a clear picture of what normal looks like so you know where to direct security efforts.
| Maturity Level | Security Needs | Logs Collected | Security Technologies | Third-Party Integrations | Active Response |
| --- | --- | --- | --- | --- | --- |
| 0 - No Visibility | Basic security posture | Limited logs (e.g., system events) | None | None | None |
| 1 - Basic Visibility | Reactive security approach | System events, application logs | Firewall, included AV | None | Manual analysis |
| 2 - Intermediate Visibility | Proactive security approach | System events, application logs, some audit logs, and security logs (e.g., AV, firewall) | Next-generation firewall (NGFW), next-generation AV (NGAV) | SIEM (Security Information and Event Management) | Basic automation (e.g., blocking IP addresses) |
| 3 - Advanced Visibility | Continuous monitoring and threat detection | All relevant logs (e.g., audit, threat, AV, EDR) | NGFW, NGAV, EDR (Endpoint Detection and Response), IAM (Identity and Access Management) | Extensive (e.g., email security, cloud services, threat intelligence feeds) | Automated incident response (e.g., IP blocking, isolation, containment) |
| 4 - Optimized Visibility | Predictive and proactive threat hunting | All relevant logs plus custom logs (e.g., user behavior, network traffic) | NGFW, NGAV, EDR, IAM, CASB (Cloud Access Security Broker) | Deep integration with security ecosystem and threat intelligence | Advanced automation and orchestration |
| 5 - Continuous Improvement | Proactive security posture with continuous improvement | All relevant logs plus enriched data (e.g., user behavior, network traffic) | NGFW, NGAV, EDR, CASB, IAM, CSPM (Cloud Security Posture Management) | Full integration with security ecosystem and threat intelligence | Automated incident response with human oversight |
Time to take action
It is not 1994, nor is it 2004 or 2014. We’re deep into the globalized-ransomware era and it has no signs of stopping. Organizations in the midst of identifying “what to do next” ask if the tooling they’re currently using is really moving them forward. We can’t change the danger that’s part of our world on a daily basis. But we can control how it impacts us. If you take the approach of building operational excellence from the top down with IT security excellence in mind, you’ll gain in agility. This allows you and your organization to excel from the bottom up by adding experiential capabilities that otherwise reside with external services.
Here are some questions to consider:
- Does it provide you with insights that help you take action?
- Does it help mature your team?
- Can you get the support you need from the team behind it?
- Can you get better using it?
- Do you get value from it?
If the answer is yes for more than two of these, it may be worth keeping that tool in place – maybe expanding usage into other areas if it’s got the flexibility. If you’re not able to identify positive reasons – just a “feeling” of security – you’ve got to check in with your team to find out if the commitment is worth it.
I’d never advise that you quickly pivot to complex technology in the hope that you’ll be able to fully leverage it without significant investment in people. Instead, find the technology that’s right for you that can be integrated into your day-to-day activities. Then review it regularly. If it turns out you have to put in significant effort to derive value from a tool, consider what you’re really getting for it in the stack.
One strategy we often encounter is a blind adherence to compliance guidance that’s not tied to the needs and readiness of the organization. This can result, for example, in the implementation of a large brand-name NGAV when an EDR+SIEM product would have detected the same threats just as well. The more affordable product would also provide additional insight into all other technologies. My advice is, invest in your agnostic technologies first – those interoperable with many systems and not locked into one vendor's ecosystem – then layer in other tools based on what’s best for your organization and your team.
Purpose-driven attackers won’t stop as long as they have targets. (Spoiler alert: there will always be targets.) We can only do our best by having vigilant visibility that will identify and stop them when they land on our doorstep. IT security can’t just be for enterprise organizations that can afford big contracts and bigger teams. We need to support every type and size of organization – because we’re all at risk. At Blumira, we believe we can do better by taking a step back, building skills and resilience, and working together on common defense.
Article 1: We’ve Got to Re-think IT Security
Article 2: How Did We Get Here?
Article 3: Five Critical Issues in Modern IT Security
Article 4: A New Approach to Building Resilient IT Security
Matthew Warner, CEO and Co-Founder of Blumira, started writing what he calls his ‘manifesto’ in 2023. More than two decades in cybersecurity had convinced him that the money and human resources being thrown at the problem were never going to get ahead of purpose-driven attackers. Matt called his manifesto “Our Approach to IT and Cybersecurity Is Not Working,” and it forms the basis of Blumira’s approach to protecting organizations through operational resilience and experiential growth.
Now, we’re sharing Matt’s thinking in a four-part series that can be used as a guide for IT leaders and decision makers navigating the complex world of cybersecurity. Read about Matt’s unique take on:
- The history and current state of cybercrime, cybersecurity, and defensive tools.
- Leadership challenges in assessing modern threats and evaluating evolving technologies.
- Understanding the human element and psychological impacts of desensitization, normalization, and constant fear.
- The benefits of shifting strategies from threat-centric to operational excellence.
- Selecting cybersecurity tools based on organizational maturity and internal capabilities.
- Actionable implementation steps, training recommendations, and a tool evaluation framework.
Join the conversation – if you’re an IT or cybersecurity professional, let us know your thoughts!
Matthew Warner
Matthew Warner is Chief Technology Officer (CTO) and co-founder of Blumira. Matt brings nearly two decades of IT and cybersecurity experience to his leadership position, and a genuine passion for cybersecurity education. Prior to founding Blumira, he was Director of Security Services at NetWorks Group, a managed...