Last updated at Wed, 06 Dec 2017 00:27:18 GMT

As more and more point solutions crowd into the security market, many companies are adopting a tools-first approach to security operations. And while tools are important, investing in technology before people can cause big problems.

Without the right people at the helm able to select and then use the tools, most security products end up in the security tool graveyard—unconfigured, unoptimized, unuseful.

In today’s cybersecurity climate, companies need to understand why a tools-first approach can be a dangerous one, and why investing in people first is the smarter approach. Let’s break down three key reasons why.

The CAPEX > OPEX Perspective is Outdated

Two major types of business expenses are capital expenditures (CAPEX) and operating expenses (OPEX). In talking with people in our industry, we’ve found that there’s a common preference for spending capital on tools (CAPEX) before spending it on employee salaries (OPEX).

Why? Asked to do more with less, CIOs, CTOs, and CSOs have invested in a CAPEX approach (tools) with the hopes that the tools can give them a jumpstart on security while continuing to provide value down the road.

Sometimes this can work out. But it’s easy to get trigger-happy, buying lots of products without hiring enough security analysts. After many of these tools are purchased, companies often realize they don’t have the staff or expertise to set up, manage, and derive value from them. Sound the sad trombone, because that can mean lost money and ineffective defenses.

Contrast that with an OPEX approach to security, in which security personnel are hired first. This way the experts are able to select, implement, and manage the tools they know are right for the job, guaranteeing that the company will see value from them.

There is No Replacement for Human Analysis

On a related note, it’s key to hire security personnel who can help you get the most out of your tools. Security tools do a lot of great things. But they still require some human analysis, which is something machines will not be able to do effectively for quite some time.

While tools provide the data to inform decisions, only humans can determine the best course of action and influence change.  Humans are able to question the data, run experiments, learn about weaknesses in the system, and implement better strategies and processes to make the organization even stronger.

When it comes to security instrumentation, whether it’s firewalls, antivirus, security  monitoring, or threat intelligence, there must be someone dedicated to managing the tools properly. Without the right talent, it doesn’t matter how great your tools are, because you won’t be able to get maximum value from them.

Security Talent Must Be Developed

If you’ve tried to hire for these sorts of roles recently, then you already know we’re facing a serious security talent shortage. In some cases, though, the talent we’re looking for is right under our noses.

If you’re feeling the crunch, here are two ways you can consider developing security talent:

  1. Train current employees. Employees already familiar with your company’s infrastructure, threat landscape, and business model can be perfect candidates to step into a security function. This could mean developers or IT staff, for example.

    Starting with security awareness training, begin identifying employees across the organization with an interest in security who, with a little more training under their belts, could be a good fit for the security organization.  You can kickstart this training using some of the tips from our posts on creating a culture of security ownership.

  2. Look to colleges with InfoSec majors. Many companies limit their talent scouting to veteran security pros. While it’s good to have experienced members on your team, there are also some big benefits to hiring junior security analysts right out of college. For example:

    1. They should have a good sense of the current threat landscape
    2. They should understand what a good security strategy looks like
    3. They will be moldable, able to adapt their schooling to your company’s unique environment and culture

What’s Next: Maximizing People and Technologies Together

Once you have the right security personnel and a few high-quality, hand-picked security tools, it’s time to optimize. One of the best ways to ensure that your security organization is functioning optimally is to employ security automation and orchestration. The goal of this is to connect tools together so that data can be shared and correlated, and to automate routine manual tasks so that humans can focus on strategic decisions.

With an orchestration layer for security processes, teams can leverage the power of machine-to-machine automation and use the brainpower of security experts to analyze and strategize, not manually fetch data.