Organizations that have a security-first mindset are better prepared and better able to respond to security threats
In the mid-to-late 1970s, the PC represented a major shift in the technological balance of power. It allowed small businesses to analyze business data without the need for a mainframe infrastructure, and use those insights to compete with larger businesses that were burdened with a higher cost structure and limited ability to be agile.
Fast-forward to the present day and the dynamics are similar, except that instead of the PC, it is the cloud that is the great technology equalizer. Democratizing fast, elastically scaling compute power allows any startup to create world-changing innovations with fewer resources and in far less time. But these services are not just for startups; organizations of all sizes are consuming cloud services to capitalize on the promise of faster innovation, getting closer to customers and creating valuable insights that can translate into competitive advantage. Conversely, the same services let competitors respond faster, shortening the time before an advantage becomes a commodity.
In our last piece, we discussed how shadow IT remains a threat to businesses facing competitive pressure for speed and innovation, a threat enabled by how easily powerful cloud services can be provisioned. In this piece, we’ll explore how security leaders can not only win in this seemingly impossible environment but also thrive as critical partners in executing a successful modern business.
Realistically, most companies are now technology companies. Think about shoe manufacturers selling personalized shoes over the web, fashion boxes crafted monthly based on a few stated preferences, networked medical devices, camera-enabled doorbells, smart refrigerators and even internet-connected exercise bikes. All of these things generate value for customers but depend on increasingly complex technologies, a web of service providers and the collection and use of massive amounts of data. In this environment, gone are the days when security teams only had to monitor the single database storing cardholder data. They are now responsible for an entire value chain that may or may not be completely in their direct care. This new reality mandates that security leaders take a different approach.
Those That Lead the Way Write the Rules
It wasn’t long ago that information security as a profession was so small and with so little influence that most major companies didn’t even have anyone with that skill set on staff, despite massive technology advancement and investment. But as CIOs wielded their influence, the best of them figured out that being an agent of company innovation was the best path for both organizational and career success. With that influence came the ability to define how technology would be implemented and, in some cases, how security would play its limited part.
As a seasoned security consultant, what I now advocate is that security executives who want to win step up to lead the organization in achieving its goals. Instead of playing from the side or the back, writing governance rules and blocking innovations, lead from the front. That means proactively creating the plans for migration to the cloud, implementing DevOps and getting innovative technologies to the market, while simultaneously creating the guardrails to ensure good process, good governance and operational excellence—all of which contribute to good security. When Security leads, both Security and the business can win.
What does leading the way look like? Here are a few suggestions to help along the journey:
Cloud architectures, design thinking and DevOps have taken innovation cycles from years to weeks, sometimes even to days. But cyber teams have been known to feel a bit uncomfortable with new architectures that can threaten the status quo and, conceptually at least, increase risk. Since Security can lead the organization to do this in a safe way, such initiatives need not be seen as threats.
One example is creating formal written security standards for cloud services, in a way that makes those services accessible to the business. Nowadays, it’s common for teams to use what are known as security scripts to build new virtual servers when extra computing capacity is needed. Building those scripts to pre-determined, pre-hardened standards means new virtual servers can be stood up and made available for use both swiftly and safely, even dynamically in response to varying processing loads.
In the DevOps model, the development team becomes the first line of defense; the Security team must enable them by teaching secure development techniques and practices that tie back to corporate requirements. That is attained by enabling developers to work in a continuous deployment environment, but with the know-how of secure development practices and the guardrails of built-in code analysis tools that look for vulnerabilities. Additionally, building compliance into software design really helps to create the kind of environment that security leaders have long wanted. In the process, developers and even product leaders can become an extension of the security team. It’s a win-win.
In thriving DevOps environments, I’ve witnessed developers applying tools that have reusable, hardened code blocks for common functions such as login boxes and profile forms. They’ve had code analysis tools that will scan code on check-in but before deployment. They’ve had regular review sessions with application security experts to review mistakes and create learning experiences from them. But most of all, they recognized that the goal is never met and there is always a way to get better and more effective at quickly delivering secure code to production; they use their creativity to make it happen—together.
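The "scan on check-in, before deployment" guardrail described above can start very small. The following is an added example, not code from the article or from any team it describes: a minimal check-in gate that scans changed files for a handful of common insecure patterns and blocks the change until they are fixed or explicitly reviewed. The rule set, the `# security-reviewed` exception marker and the sample change are all constructed for illustration; a production gate would use a real SAST tool with a far larger rule base.

```python
"""Minimal check-in gate: scan changed source files for common insecure
patterns before they reach a deployment branch.  The rules, the exception
marker and the sample change are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


# (rule id, pattern, what a developer should do instead).  Constructed rule set.
RULES = [
    ("HARDCODED_SECRET",
     re.compile(r"""(?i)(password|passwd|secret|api_key|token)\s*=\s*["'][^"']{4,}["']"""),
     "credential literal in source; load it from a secret store instead"),
    ("EVAL",
     re.compile(r"\beval\s*\("),
     "eval() on runtime data is code injection waiting to happen"),
    ("SHELL_TRUE",
     re.compile(r"\bsubprocess\.\w+\([^)]*shell\s*=\s*True"),
     "shell=True with concatenated arguments allows command injection"),
    ("UNSAFE_YAML",
     re.compile(r"\byaml\.load\((?![^)]*Loader\s*=)"),
     "yaml.load without an explicit Loader can instantiate arbitrary objects"),
    ("SQL_FORMAT",
     re.compile(r"""\.execute\(\s*(?:f["']|["'][^"']*["']\s*(?:%|\.format\())"""),
     "SQL built by string formatting; use parameterised queries"),
]

# Lines carrying this marker are skipped: the exception is visible in the diff
# and therefore auditable in the regular review sessions.
REVIEW_MARKER = "# security-reviewed"


def scan_source(path: str, text: str) -> list[Finding]:
    """Return every rule hit in one file, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if REVIEW_MARKER in line:
            continue
        for rule, pattern, detail in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, detail))
    return findings


def check_in_gate(changed_files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """changed_files maps path -> new file contents.  Returns (passed, findings)."""
    findings = [f for path, text in changed_files.items()
                for f in scan_source(path, text)]
    return (not findings, findings)


# Constructed sample change: one file with several problems, one clean file.
SAMPLE_CHANGE = {
    "app/auth.py": "\n".join([
        "import subprocess",
        "import yaml",
        'DB_PASSWORD = "hunter2-not-a-real-secret"',
        'TEST_TOKEN = "fixture-token-value"  # security-reviewed: test fixture only',
        "def run(cmd):",
        '    return subprocess.run("ls " + cmd, shell=True)',
        "def lookup(cur, name):",
        "    cur.execute(f\"SELECT * FROM users WHERE name = '{name}'\")",
        "def parse(cfg):",
        "    return yaml.load(cfg)",
        "def safe_parse(cfg):",
        "    return yaml.load(cfg, Loader=yaml.SafeLoader)",
    ]),
    "app/util.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    passed, findings = check_in_gate(SAMPLE_CHANGE)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.detail}")
    print("check-in gate:", "PASS" if passed else "BLOCKED")
```

Run as a pre-receive or CI step on the files in the change, the gate blocks the sample commit on four lines (the hardcoded password, `shell=True`, the f-string SQL and the loader-less `yaml.load`) while letting the marked test fixture and the safe loader through; the point of the marker is that exceptions stay visible in the diff rather than silently disabling the rule.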
Enabling Business Leaders
Security can enlist people across the organization, from top to bottom, by teaching them how to identify threats and report them properly. The entire team can become security champions, with alert eyes and ears adding protective value just as any detection technology does. Such a culture will further the spirit of partnership between technical and business functions, helping to overcome the traditional tensions that often exist among these groups.
For example, I know of one CSO who uses breaches that are making headlines—particularly at companies similar to his own—to develop and execute internal wargame-type exercises that help people across his company recognize and avoid similar threats. The associated storytelling makes it real for the staff who work in portions of the business not involved in security on a day-to-day basis. It helps the whole organization develop a vested interest in security, and keeps the business and technical teams on the same side.
Security Infrastructure and Compliance Accountability
While compliance can often end up on the shoulders of the security or IT team, it is, in reality, a business function; therefore, business leaders should own it. In situations where business functions do not accept the responsibility for the data they’re collecting and managing, they can sometimes make decisions that take the organization out of direct compliance, without suffering any consequences for those decisions. Security ends up having to respond—or, in a worst-case scenario, clean up the mess after a breach.
Instead, a more productive approach is for IT or Security to provide regular report cards to the business units on how their area of responsibility measures up on compliance. Business leaders can then use that data to ask thoughtful questions of their teams and become more deeply involved in how compliance is working or where improvement is needed. Here is yet another opportunity for standards. Security can define data-sharing parameters within pre-determined standards so that compliance will be the result. But the business ultimately still owns the responsibility. Security won’t stop poor decisions from being made, but it will report those decisions back so corrective action can be taken.
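A single standard can drive both of the practices described above: the pre-hardened build scripts for new servers and the report cards that go back to business units. The block below is an added example, not code from the article or from any organization it describes. It expresses a small SSH daemon baseline as data, renders the configuration a new server is built with from that baseline, parses the configuration actually running on each host and scores each business unit. The baseline values, host names, business units and sample configurations are all constructed; a real standard would cover far more than six directives.

```python
"""Standards as code: one hardened baseline drives both the build (the config
a new server is stood up with) and the report card (what is actually running
on each host, rolled up by business unit).  All values are constructed."""
import re
from dataclasses import dataclass, field

# Constructed baseline for sshd_config.  Treating an unset keyword as a
# failure is a deliberate, conservative choice: the standard wants it explicit.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}


def render_sshd_config(baseline: dict[str, str] = SSHD_BASELINE) -> str:
    """Build step: emit the file a build script installs on a new server."""
    lines = ["# generated from SSHD_BASELINE; do not edit by hand"]
    lines += [f"{key} {value}" for key, value in baseline.items()]
    return "\n".join(lines) + "\n"


def parse_sshd_config(text: str) -> dict[str, str]:
    """sshd keeps the first value it sees for a keyword, keywords are
    case-insensitive, and 'Key=value' is accepted as well as 'Key value'."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


@dataclass
class ReportCard:
    unit: str
    host: str
    passed: list = field(default_factory=list)          # keywords in compliance
    failed: list = field(default_factory=list)          # (keyword, expected, actual)

    @property
    def score(self) -> float:
        total = len(self.passed) + len(self.failed)
        return round(100 * len(self.passed) / total, 1) if total else 0.0


def check_host(unit: str, host: str, config_text: str,
               baseline: dict[str, str] = SSHD_BASELINE) -> ReportCard:
    """Compare a host's live sshd_config against the baseline."""
    actual = parse_sshd_config(config_text)
    card = ReportCard(unit, host)
    for key, expected in baseline.items():
        got = actual.get(key.lower(), "<unset>")
        if got.lower() == expected.lower():
            card.passed.append(key)
        else:
            card.failed.append((key, expected, got))
    return card


def unit_scores(cards: list[ReportCard]) -> dict[str, float]:
    """Roll host scores up into the per-business-unit report card."""
    by_unit: dict[str, list[float]] = {}
    for card in cards:
        by_unit.setdefault(card.unit, []).append(card.score)
    return {unit: round(sum(s) / len(s), 1) for unit, s in by_unit.items()}


# Constructed inventory: (business unit, host, live sshd_config contents).
SAMPLE_FLEET = [
    ("payments", "pay-web-01", render_sshd_config()),     # built from the standard
    ("payments", "pay-db-01",                              # hand-edited, but first value wins
     "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
     "X11Forwarding no\nMaxAuthTries 3\nLogLevel VERBOSE\nLogLevel INFO\n"),
    ("marketing", "mkt-cms-01",                            # built outside the standard
     "PermitRootLogin yes\nPasswordAuthentication yes\nPubkeyAuthentication yes\n"
     "X11Forwarding no\nMaxAuthTries=6\n"),
]

if __name__ == "__main__":
    cards = [check_host(unit, host, cfg) for unit, host, cfg in SAMPLE_FLEET]
    for card in cards:
        print(f"{card.unit}/{card.host}: {card.score}%")
        for key, expected, got in card.failed:
            print(f"  {key}: expected {expected}, found {got}")
    print("unit report card:", unit_scores(cards))
```

Because the build script and the report card read the same `SSHD_BASELINE`, a server stood up by the script scores 100% by construction, and the report card for a unit that built its own host lists exactly which directives drifted from the standard; that list is what a business leader can take back to their team, while Security keeps the standard and the measurement.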
Managing Third-Party Risk
The third-party ecosystem that almost every modern business relies on introduces further data risk. Because legal responsibility remains with the data owner, it’s very important to understand what the vendors and cloud providers you entrust with your data are doing to protect it, and what standards they use in delivering their service. That extends to what third-party services they’re using, how those services are managed and secured and, ultimately, monitoring how those third parties manage their own third-party risk. It is in effect an extensive data supply chain that is becoming more and more difficult to oversee. Such extensive networked exposure is something to watch in 2019 and beyond. It’s also a ripe domain for seeking outside help. The major cloud providers won’t allow every company that does business with them to audit them individually, so working with organizations that collect and monitor their compliance attestations can offer a leg up on the process.
By tackling these strategies from a position of leadership, the relationship of security to the business is transformed. The company—and its customers and vendors—are better for it.