In a perfect world, every organization would have a dedicated team of IT security experts whose sole mission was to enforce security best practices and address vulnerabilities across all layers of the organization. These people would spend their days making sure the code developers write is as secure as possible, checking and double-checking access control configurations, scanning container images for the least sign of trouble, and keeping the DDoS botnets at bay.
In the real world, of course, the vast majority of companies can only dream of this type of security operation. Many organizations don’t have a dedicated IT security team at all. And even if they do (which is usually only the case at larger companies), the security team is typically too small to be able to handle every aspect of security across the entire organization.
That’s why it’s time to admit to ourselves that the idea of a dedicated security team with infinite resources and skills is a fiction — and, consequently, to adapt to a world in which every employee needs to play a role in security.
The myth of the IT security team
Many conversations about IT security, or recommendations for security best practices, assume that every organization has a security team to oversee its security operations. Indeed, even the DevSecOps mantra presumes that “Security” is a distinct and extant entity within most organizations, and that the only thing we need to do to improve security today is to make the security team work more closely with developers and IT Ops.
It’s easy to understand why we cling to this idea. It’s comforting to imagine that every organization has a large team of security experts on hand. This idea takes some of the pressure off of developers, IT Ops and other employees to keep workloads secure.
But the reality is that dedicated security professionals are few and far between at most organizations, if they exist at all. According to a report from Carnegie Mellon’s Software Engineering Institute, there are only between 3 and 6 IT security employees for every 100 IT staff. That suggests that many smaller companies (which have total IT teams of well below 100 people) don’t have security professionals at all. The same report says that there is typically one security professional for every 5,000 devices within an organization — another figure that suggests that security teams are much smaller and less pervasive than people tend to imagine.
You may be thinking: “Well, there are always MSSPs.” True, some organizations outsource their security operations to Managed Security Service Providers, or MSSPs, an increasingly popular trend. Having an MSSP is better than having no professional security help at all. But it’s not the same as having a dedicated, in-house IT security team. The services provided by MSSPs are typically limited and tend to be restricted to things like monitoring and patching; MSSPs don’t usually do things like work closely with developers to design applications securely.
The bottom line: Dedicated IT security teams are less common than many people seem to think, and if they exist at all within an organization, they are usually quite small relative to other IT staff.
Everyone is the security team
This raises the question: What do companies need to do to stay secure without the help of a dedicated security team?
The first step is simply admitting the problem. Instead of assuming that someone else — a “security professional” — will always be around to vet their code, check their access-control policies and monitor their applications, IT staff whose job descriptions don’t officially include security must realize that security is, in fact, one of their responsibilities, even if no one tells them that.
This means that in organizations today, everyone (or at least everyone who touches an IT system in one way or another) is the security team.
It may sound like I’m merely preaching DevSecOps. But as noted above, DevSecOps is founded on the assumption that there is a dedicated security team at your organization, and that if it would just collaborate better with your developers and IT Ops engineers, you’d be much more secure.
The reality, again, is that the security team either doesn’t exist at all, or has many fewer resources than it needs to do its job completely.
Automating security processes is another critical step for surviving in a world without real security teams. You can’t expect your IT staff to do their regular jobs while also overseeing security operations if the security work is time-consuming and manual. Instead, you need to empower them with tools that automate not just vulnerability scanning, but every part of the SecOps process — firewall configuration, access-control compliance checks and runtime security as well.
Conclusion
Someday, the world might finally take IT security seriously enough to dedicate more than 3-11 percent of the total IT budget to it. (That figure is another finding from the Carnegie Mellon report mentioned above.) If that happens, every organization will finally have the security team it dreams of.
But in the world we currently occupy, we need to come to terms with the reality that there is no dedicated security team at many organizations — or that the team has many fewer resources than it needs. As a result, everyone needs to become the security team.