Why You Should Empower End Users to Triage Security Issues

The last time you went to the doctor, did you pay attention to the process the doctor’s office used? You probably didn’t feel well, so you scheduled an appointment. When you arrived, the nurse called you in to get your vitals. Then, perhaps they sent you to the lab to draw your blood, which someone else analyzed.

Up until that point, the people you’ve seen are collecting information, which they then relay to the physician. That doctor reviews it, and only then do they come in to share their diagnosis and prescribe something to help you feel better. Because all the groundwork is laid and everything is being handled by other people, the doctor only has to spend 15 or 20 minutes with you. It’s an efficient way to make sure you get the help you need, without wasting anyone’s time.

Can you imagine if, instead of that process, there was a group of doctors sitting in a room together, and every time someone got sick or hurt themselves, the doctor was in charge of gathering their vitals, asking about their symptoms, checking on the results of their last blood test, and so on? In other words, the lion’s share of the doctor’s time was spent validating the situation, instead of relying on their nurses and other staff to do that?

It would be incredibly inefficient—and expensive. And yet, that’s exactly the model traditional cybersecurity follows. Highly trained, highly paid cybersecurity analysts spend their time triaging and validating alerts, instead of focusing on addressing the real threats.

Given how important cybersecurity is, I think there’s an opportunity to improve the model so that it’s more effective, more efficient, and ultimately more cost-effective. And the solution is far simpler than you might think.

Where Does the Time Go?

Any cybersecurity team will tell you that, once you start monitoring your digital assets, you will start getting a multitude of alerts about potential threats and attacks. In most cases, the alerts are false positives. In other words, there was no threat. But, because some of the alerts are true positives, each and every one needs to be analyzed and triaged.

In our current model, it’s the cybersecurity analysts who spend their time going through and seeing which alerts are valid and which are not. Think back to our doctor’s office: asking your specialists to analyze every alert is akin to making your doctor take every single patient’s vitals. It’s not an efficient use of time.

Instead, analysts should be like the doctors of today. They should be focused on dealing with the real issues, the ones that tie into their specialty. To start to shift that model, think about where your security team is spending their time.

How much of their time is being spent in an area they specialize in, whether it's computer security, incident response, forensics, database security, or architecture? For most companies, the answer is “very little”—and that needs to change.

Inverting the Model

The big question, then, is how to do that. Alerts still need to be monitored, so how can you change the model so your specialists aren’t wasting their time checking out false positives?

The key is using tools with better algorithms that have been refined over the course of time. These tools allow you to empower your end users (your employees) to triage the issues instead. That, of course, means your specialists don’t have to spend their time validating issues, and instead can spend their time dealing with issues in their areas of expertise.

Along with the tools, you can provide annual corporate compliance training, periodic training, and phishing and awareness training to your end users. By taking these steps, you turn your entire employee base into your first-line security operators, and you free up a lot of time for your specialists to focus on bigger issues.

Compensate for the Lack of Cybersecurity Professionals

Along with being more efficient and effective, turning your end users into your testers and validators has another benefit: it fills potential gaps in your security team. There’s a current shortage of filled cybersecurity positions, which means that, for many teams, there aren’t enough people to do the job.

In fact, I’ve seen reports that there are as many as 3.5 million unfilled cybersecurity jobs. That means there’s a high likelihood that you won’t find as many people as you need, which makes it even more critical that you support the people you do have as much as possible, so they can spend time doing what they specialize in.

Structuring your teams so that your specialists are focused on higher ROI (return on investment) items that align with their expertise is the smart move. It will save you money, and it’s the best way to protect your organization. 

And with this inverted model, because your employees are trained in validating and triaging issues, if they identify a potential breach or other issue, they can reach out to the appropriate specialist. You aren’t losing anything; your employees can make informed decisions, because they will be using better tools with better algorithms, and they’ll have the necessary training. 

The Attacks Will Just Keep Coming

There’s no getting around it—cyber attacks are just going to keep coming. Organizations of all sizes and industries are dealing with ransomware attacks, digital attacks, and more. It’s imperative that you’re prepared, and the best way to do that is by focusing your entire organization on your digital security.

We need to flip the traditional model on its head. Get your employees engaged and aware. Make them like the patients at the doctor’s office, who do preliminary work before they see the doctor. 

In this case, though, teach your employees how to do the preliminary triaging before an alert shows up on your security operations center’s desk. Trust me: it may seem like a radical idea at first, but the benefits far outweigh the risks.