
How to Structure an Effective Digital Defense Team

by Nick ShevelyovSeptember 30th, 2021

Too Long; Didn't Read

How do you create a well-rounded, effective digital defense team? How can you create a team that will have the right expertise and specialties, without wasting money on any unnecessary roles? Here are 5 steps to guide you.

Today’s cybercriminals are increasingly sophisticated. Just downloading some antivirus software isn’t nearly enough protection against them. Instead, guarding your organization’s digital assets on a constant basis requires a strong digital defense team. 

But where do you start? How do you create a well-rounded, effective team? How can you create a team that will have the right expertise and specialties, without wasting money on any unnecessary roles?

I’ve helped a wide variety of organizations build their digital defenses, and in the majority of cases, those are the first questions they ask me. If you have the same questions, I’d like to share the same advice with you I give to them: start with identifying your digital assets, and then build a layered, comprehensive team that can monitor and protect those assets.

#1: Start With an Inventory

Creating a team that can effectively defend your digital assets begins with inventorying those assets. It may sound obvious, but it’s a step many people miss (or at least do incompletely). And here’s the thing: no matter how good your team is, if they don’t know about an asset, they can’t protect it. So, what does your team need to defend?

To answer that question, think about all of your systems and applications. That includes your printers, your Internet of Things (IoT) devices, and everything else that makes up your threat landscape. Identify every single thing that has an IP address.

Remember, the very technology that empowers us can also imperil us. That’s why it’s so important to think very closely about what can be touched in your cyber realm. What do you need to continuously update? That is your battlefield. Those are the digital assets in your environment that you need to identify and defend.

#2: Build the First Layer

Once you’ve identified your digital assets, you can start to build your digital defense team. I recommend starting with security operators. These are people who have visibility into all of your assets. They can access everything, because it’s their job to defend those assets.

Creating this first layer ensures you have a team of people who are monitoring your assets 24/7. Along with monitoring against attacks, they should also watch for any alerts and, over time, begin to refine the signal-to-noise ratio. In other words, they must review the data points coming in for insight that will help reduce the number of false positives (alerts that aren’t actually an issue).

This helps to streamline the team’s job, because as they refine their information and weed out false positives, they’ll be able to fully focus their attention only on true positives—things that really are attacks and other threats, and therefore are significant from a security operator’s perspective.

#3: Add Threat Intelligence

To increase the efficacy of your digital defense team, consider pairing your security operators with threat intelligence. In a nutshell, threat intelligence monitors not just your own internal environment, but the external world as well.

They get threat feeds, monitor the dark web, stay on top of what criminals are doing, and maintain awareness of how those criminals are developing attacks that could impact your organization or your supply chain. In fact, that’s one of their key benefits: they don’t just watch for threats to you, they watch for threats to your entire footprint.

They think through how you rely on vendors. Then, they think about the risk profile of those vendors. If a particular vendor went down, or was attacked, how would it impact you? What steps can you take to mitigate that risk?

#4: Bring it Back to Architecture

Both security operations and threat intelligence should work closely with architecture. The goal, of course, is to design your technology and architecture so it has good hygiene. The better you can do that, especially upfront, the less security you’ll need.

To create that good tech hygiene, your architecture team should work with your technology and product teams to think through how you can manage your tech today and in the future. This is especially important because many organizations are going through a digital transformation and adopting cloud-based technologies.

There’s nothing wrong with that, of course. However, your architecture team should think through how you can maintain your legacy data center and legacy defense models you’ve created in the past. They need to collaborate with technology, security operations, and threat intelligence to figure out how to transform and adopt cloud-based technologies in a way that provides the potential for scalability and optionality, but remains monitorable and secure.

Additionally, your architecture team needs to manage and continuously validate access among all of an organization’s technologies. They are responsible for deploying best-of-breed technologies, such as XDR, to all of your organization’s endpoints, then looping the security operators in so they have all the necessary information as well. Doing so allows for true visibility and awareness of what’s going on in the environment at all times.

#5: Plug the Holes

The last piece of the puzzle to building an appropriate digital defense team comes down to managing identity. Managing identity is critical because it ties into what each person has access to.

When employees (or contractors or consultants) join an organization, they get an organizational identity created for them. That identity is tied to certain systems and applications they have access to because of their role. 

But what happens when people move to a new role in the organization? The rights from their former role shouldn’t follow them. They should be given new rights that are appropriate for their new role.

Sometimes, of course, people don’t move roles—they leave the organization altogether. In those instances, their access should be quickly disabled. Far too often, though, this process takes a long time, because nobody is specifically monitoring it...and that creates risk. That’s why it’s important to include people on your digital defense team that specialize in identity and access management.
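The mover and leaver problems described above can be caught with a periodic access review that compares what HR says about each person with the grants actually present in your systems. The script below is an added example, not from the article or its author; the roster, role-to-entitlement matrix, grant snapshot, review date and one-day disable SLA are all constructed for illustration.

```python
"""Joiner/mover/leaver access review (added example, constructed data)."""
from datetime import date, timedelta

# Constructed HR roster: user -> current role, status, termination date (if any)
HR_ROSTER = {
    "alice": {"role": "finance-analyst", "status": "active", "terminated": None},
    "bob":   {"role": "sre", "status": "active", "terminated": None},  # moved from helpdesk
    "carol": {"role": "contractor-dev", "status": "terminated",
              "terminated": date(2021, 9, 1)},
}

# Constructed matrix: entitlements each role is supposed to carry
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "expense-approve"},
    "helpdesk": {"ad-password-reset", "ticketing-admin"},
    "sre": {"prod-ssh", "cloud-admin", "ticketing-admin"},
    "contractor-dev": {"git-write", "staging-deploy"},
}

# Constructed snapshot of grants observed in systems: (user, entitlement)
OBSERVED_GRANTS = [
    ("alice", "erp-read"), ("alice", "expense-approve"),
    ("bob", "prod-ssh"), ("bob", "cloud-admin"), ("bob", "ticketing-admin"),
    ("bob", "ad-password-reset"),   # leftover from bob's former helpdesk role
    ("carol", "git-write"),         # carol left on 2021-09-01, still granted
]

REVIEW_DATE = date(2021, 9, 30)     # constructed: the day the review runs
LEAVER_SLA = timedelta(days=1)      # assumed: disable access within one day


def review_access(roster, role_entitlements, grants, today):
    """Return (user, entitlement, reason) findings for stale or orphaned grants."""
    findings = []
    for user, ent in grants:
        person = roster.get(user)
        if person is None:
            findings.append((user, ent, "orphaned: user not in HR roster"))
        elif person["status"] == "terminated":
            overdue = today - person["terminated"] > LEAVER_SLA
            findings.append((user, ent, "leaver access overdue" if overdue
                             else "leaver access pending disable"))
        elif ent not in role_entitlements.get(person["role"], set()):
            findings.append((user, ent, f"not granted by current role {person['role']}"))
    return findings


def run_review():
    return review_access(HR_ROSTER, ROLE_ENTITLEMENTS, OBSERVED_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```

Run on the constructed data, it reports bob's leftover helpdesk entitlement and carol's overdue contractor access; nothing is flagged for alice, whose grants match her current role.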

Find the Solution That Works for You

These are some guidelines—based on years of experience—to help you get started with building your digital defense team. Remember, though, that’s all they are: guidelines. Depending on the size and scope of your organization, your team may look a little different.

So, take some time to think about how much you need to invest in this space. What’s your risk profile? How can you best position yourself for today, for tomorrow, and for a decade from now?

Once you’ve answered those questions, hire some cybersecurity leaders who have experience and can help you attract talent and build the right team and the right security-focused culture. Because as you can see, maintaining a strong digital defense comes down to finding the right combination of people with the right expertise for your digital space.

For more advice on how to build a topflight digital defense team, you can find Cyber War…and Peace on Amazon.