Too Few Security Pros, Too Many DDoS Attacks: What’s a Company to Do?

By John Stoker, CISSP, Sales Engineering Manager at TierPoint

Once upon a time, IT security was all about perimeter defense: just keep the bad actors out, and you’ll be fine.

But if that’s your approach to security today, you’re living in a fairy tale.

There’s no better example of this than the modern Denial-of-Service (DoS) attack. A DoS attack is a single source attacking a specific destination in an effort to disrupt the resources of the target host. A Distributed Denial-of-Service (DDoS) attack, which is more damaging, refers to attacks from multiple sources against a specific destination.

These kinds of attacks are proliferating in frequency and sophistication.

Unfortunately, these assaults against modern business aren’t happening in a vacuum. Another current trend, the scarcity of IT security professionals, is worsening this problem.

In 2015, organizations are struggling with where security fits into their priorities.

The marketplace can be unforgiving, and most businesses can’t afford to draw too many resources away from production and service delivery. Combined with an enduring, if inaccurate, mindset that perimeter defense is enough, many organizations find themselves constantly risking serious security problems.

Indeed, DDoS assaults have successfully taken down even massive enterprises like Microsoft, Sony, Vimeo, Feedly, Basecamp and more.

Smaller companies face the same risks. One of TierPoint’s own customers, an ecommerce retailer, was targeted by a single disgruntled customer who orchestrated a DDoS attack against them.

We successfully remediated that attack, but dealing with these assaults can be a real trial for many companies attempting to handle it on their own. A report from security vendor Trend Micro says:

“Organization-wide understanding and commitment to carrying out a strategic security plan is necessary. Otherwise, they may resort to highly impractical measures such as reverting to manual processing, as in P.F. Chang’s case or, worse, to go out of business, as in CodeSpaces’s case.”

In other words, security must be deemed high priority throughout an organization.

That recognition of the need for ‘organization-wide’ strategy has given rise to the CISO.

Bill Hargenrader, cybersecurity manager and senior lead technologist at consulting firm Booz Allen Hamilton, says:

“As the general public hears more about hacking, privileged access violations, and data breaches, there is growing pressure to mitigate the dangers that are present. The media is quick to pounce on these breaches (for good reason), [so] there is a greater shift towards cybersecurity to address the risk profile for an organization.”

Two years ago, organizational security centered around policies and procedures. Today, you have to have a hacker mindset and an ability to understand pervasive, multi-vector, polymorphic attacks. This, in turn, has given rise to an increasingly common but new C-suite position: the Chief Information Security Officer (CISO).

Why? Just follow the dollars:

According to the Ponemon Institute’s 2014 Cost of Data Breach Study, the existence of a CISO (or similar executive) who leads the incident response team quantifiably reduces the per capita cost of attacks. For example, a CISO lowers the per capita cost of a data breach by an average of $10 (the total average cost being $201 in 2014).

But CISOs and other security staff are hard to find and even harder to keep.

Cyber security jobs grew 74% from 2007 to 2013. That’s more than twice the growth rate of all IT jobs, according to Boston-based labor analytic firm Burning Glass.

“It’s probably 10- to 12-times harder to find cyber security professionals than it is to find general IT professionals,” says Rashesh Jethi, a director in the services group at Cisco – which last year put the global number of unfilled cyber security jobs at about 1 million.

That scarcity makes security even more expensive than it would otherwise be. The average increase in salaries for IT security professionals significantly outpaced the average baseline increase for IT (5.7% in 2015):

  • Chief Security Officer: up 7.1% in 2015 from 2014
  • Data Security Analyst: up 7.4%
  • Systems Security Administrator: up 6%
  • Network Security Engineer: up 6.7%
  • Information Systems Security Manager: up 6.6%

Given that these were all six-figure positions to start, these increases add up to serious dollars.

Then, as if finding these security pros weren’t hard enough, try keeping them. Senior security executives stay just 2.5 years, on average, according to the Ponemon Institute.

What’s an organization to do?

Companies have to balance security needs with costs. That’s why they turn to solutions like renting the same equipment on a multi-tenant appliance inside the cloud instead of paying for security appliances in their own data centers. In other words, they outsource.

But the final answer isn’t quite that simple. I recommend that businesses complete a Business Impact Analysis: “The question every business needs to answer is, if you get attacked tonight and your website goes offline, what is the fallout to your business going to be? Revenue loss? Customer attrition? Falling brand value?”

Only when an organization understands the cost of an attack can it begin to assemble an organization-wide, holistic risk management plan. That’s where TierPoint can help. TierPoint CleanIP Managed Security Services can fill the gaps in your IT security staff for a fraction of the cost of hiring a full-time security employee.