Q&A: How certifying in-house IT staffers as cyber analysts, pen testers can boost SMB security

A security-first mindset is beginning to seep into the ground floor of the IT departments of small and mid-sized companies across the land.

Senior executives at these SMBs are finally acknowledging that a check-box approach to security isn’t enough, and that instilling a security mindset throughout their IT departments has become table stakes.


Ransomware, business email compromises and direct ACH system hacks continue to morph and intensify. The exposure faced by SMBs is profound. Cyber intruders skilled at taking the quickest route to digitally exfiltrating the largest amount of cash prey on the weak. No small organization can afford to be lackadaisical.

More and more SMBs have begun sending their line IT staff through training and testing to earn entry-level cybersecurity certifications from the Computing Technology Industry Association (CompTIA), the non-profit IT industry trade association.

Many companies are taking it a step further, selecting certain techies to also receive advanced training and pursue specialty CompTIA certifications in disciplines such as ethical hacking and penetration testing. Last Watchdog recently sat down with James Stanger, CompTIA’s Chief Technology Evangelist, to discuss how and why SMBs have finally come to see the light. Below are excerpts of our discussion edited for clarity and length:

LW: What are the drivers behind SMBs finally ‘getting’ security?

Stanger: It’s two things. First, companies are more reliant on digital systems than ever before. Frankly, a lot of companies got away with using analogue processes for years, and now they’re finally having to adopt the cloud and the Internet of Things. Secondly, businesses with 10 to 250 people generally have felt for a long time that they weren’t big enough to attack. That’s just not the case anymore. With ransomware, and other types of attacks common today, they are big enough to attack.

LW: Did compliance with privacy regulation factor in?

Stanger: Yes. If you’re a smaller company partnering with a larger company, you’re going to have to comply with their privacy mandates. What people don’t realize is that if you have your security controls in place, then you’re in a much better position to ensure privacy. Instead, it is still typical for companies to want to stampede over to keeping data private, without realizing that it really comes back down to adhering to some very fundamental security principles.

LW: How do CompTIA’s training programs and certifications come into play?

Stanger: We typically go in and talk to companies about guiding them down a whole cybersecurity pathway. So, for instance, we can walk through the benefits of sending, say a system administrator or help desk technician, through CompTIA CertMaster Learn, a self-paced eLearning platform that helps prepare them to earn the CompTIA Security+ certification.

Or in another instance a company might have an IT staffer who is in a position to undergo training to take the CompTIA Cybersecurity Analyst (CySA+) exam. And once this person gets certified, he or she can then bring behavioral analytics skill sets to the table to help detect and mitigate cyber threats. 

LW: What about pen testing? Is this something more SMBs are looking to bring in house?

Stanger: What we’re seeing is entire IT teams getting trained and certified in cybersecurity basics. Then, in many cases, there might be two people who are given more advanced training, one as a security analyst and the other as a pen tester, for which we issue the CompTIA PenTest+ certification. However, those two people won’t necessarily go on to serve as a full-time security analyst or pen tester.

Instead, getting trained and certified gives them a knowledge base and lets them contract out that expertise when their company needs it. From a cost perspective, smaller companies can’t afford to retain a full-time security analyst or pen tester. But they’ve got to be able to talk to the contractors about what ‘indicators of compromise’ means, otherwise everybody is going to be talking past each other. So even if you rent the manpower, you still need a conversant liaison to keep the contracted team focused on what best serves the company.

LW: How would you characterize the need that’s out there among SMBs?

Stanger: It’s huge. IT teams thus far have learned security through the school of hard knocks. And there’s no need to diminish what they’ve learned. But frankly there is a huge need to comprehensively understand the tactics, techniques and procedures threat actors are using today to carry out highly effective attacks. And that’s why every IT worker should earn, at least, a CompTIA Security+ certification. Nowadays anyone working in IT needs at least that level of security knowledge.

LW: How will having certified pen testers more widely dispersed in small companies make things better?

Stanger: Companies used to consider themselves compliant because they had a contractor come in and do a pen test last quarter, or six months ago. But in today’s environment, it has become important not just to have a pen test done, but also to do something proactive with that knowledge.

It’s more than just a check-the-box kind of thing. You can take that knowledge and make decisions about certain procedures that should be changed or systems that should be updated. It has become a best practice for companies to retain a network monitoring service to look at anything above a certain threshold.

So then, the in-house staffer who holds a pen testing certification can review that data and talk it over with the monitoring team. They can then correlate results they’ve gotten from the last pen test and ask the monitoring team, ‘Are you monitoring for those kinds of attacks?’ Half the time the monitoring team isn’t doing that. So now they can start.

LW: This goes to the notion of baking in security in everyday practices, doesn’t it?

Stanger: Yes. It’s not enough to conduct pen tests and be satisfied with just pulling the records out to show auditors you’ve done it. It has become vital to actually review pen test results, and, when appropriate, conduct root cause analyses. Now you are proactively improving your defenses. And that’s where you start to bake in security.
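Editor’s added example, not part of the interview and not code from CompTIA or Stanger: the exchange above describes an in-house certified staffer taking last quarter’s pen-test findings to the monitoring team and asking whether those attacks are actually being watched for. The script below makes that concrete with constructed data. It assumes a hypothetical finding (the tester got into a VPN portal by password spraying), a hypothetical list of what the monitoring service currently alerts on, and a constructed auth log in a made-up syslog-like format; the technique names, hosts and addresses are illustrative, not from the page. It first reports the coverage gap, then shows the detection the monitoring team would need to close it: a per-source rule, because spraying one password across many accounts never trips a per-account lockout threshold.

```python
"""Editor's added example (not CompTIA's or the interviewee's): turn a
pen-test finding into a coverage check and a detection run over sample logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one finding from a hypothetical pen-test report.
PENTEST_FINDINGS = [
    {"id": "F-1", "technique": "password_spraying", "target": "vpn-portal"},
]

# Constructed sample: what the (hypothetical) monitoring service alerts on today.
MONITORED_TECHNIQUES = {"brute_force_single_account", "malware_beacon"}


def coverage_gaps(findings, monitored):
    """Techniques the pen test exercised that nobody is alerting on."""
    return sorted({f["technique"] for f in findings} - set(monitored))


# Constructed sample auth log (made-up syslog-like format), one login attempt per line.
# 203.0.113.7 sprays one password across five accounts, then lands on "frank".
# 198.51.100.9 is a legitimate user mistyping her own password twice.
SAMPLE_LOG = """\
2024-03-04T09:00:01 vpn-portal auth FAIL user=alice src=203.0.113.7
2024-03-04T09:00:03 vpn-portal auth FAIL user=bob src=203.0.113.7
2024-03-04T09:00:05 vpn-portal auth FAIL user=carol src=203.0.113.7
2024-03-04T09:00:06 vpn-portal auth FAIL user=dave src=203.0.113.7
2024-03-04T09:00:08 vpn-portal auth FAIL user=erin src=203.0.113.7
2024-03-04T09:00:10 vpn-portal auth OK user=frank src=203.0.113.7
2024-03-04T09:01:00 vpn-portal auth FAIL user=alice src=198.51.100.9
2024-03-04T09:01:05 vpn-portal auth FAIL user=alice src=198.51.100.9
2024-03-04T09:01:09 vpn-portal auth OK user=alice src=198.51.100.9
"""


def parse_line(line):
    """Parse one line of the constructed log format into a dict."""
    ts, host, _, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def detect_password_spraying(log_text, min_users=5, window=timedelta(minutes=5)):
    """Flag a source IP whose failed logins span >= min_users distinct accounts
    inside a sliding time window. A per-account lockout rule never fires on
    this pattern (each account sees one failure), so the key is the source."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it fits.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({
                    "src": src,
                    "distinct_users": len(users),
                    "first": fails[start]["ts"].isoformat(),
                    "last": fails[end]["ts"].isoformat(),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    print("Not monitored:", coverage_gaps(PENTEST_FINDINGS, MONITORED_TECHNIQUES))
    for a in detect_password_spraying(SAMPLE_LOG):
        print("ALERT password spraying:", a)
```

Run as written, the coverage check names password spraying as the gap, and the detector fires once, on 203.0.113.7, while leaving the legitimate user with two typos alone; the thresholds (five accounts in five minutes) are assumptions to tune against the organisation’s own login volume.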

(Editor’s note: LW has supplied consulting services to CompTIA.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: