As rapidly evolving technology drives disruptive changes in business, government and society (The Fourth Revolution), many organizations are struggling to reconcile two strategic objectives that often seem in conflict. On one hand, they must become more agile and innovative, delivering new capabilities and/or products to market more quickly than ever before, or they risk becoming irrelevant. On the other hand, they must rapidly (and in some cases radically) improve their cybersecurity posture across the entire enterprise, or risk devastating fallout from data breaches or other cyber-attacks.
In many large enterprises, this boils down to a tension between business equities that want to go faster and consequently accept more risk, and cybersecurity equities that want take less risk and therefore go slower. While this is a significant oversimplification, many traditional CISO organizations are indeed focused on control and compliance, and are perceived by business/product lines as a drag on innovation and time-to-market, if not an outright obstacle.
This stems from a legitimate need – CISOs are responsible for ensuring that production systems, networks and data are as secure as possible. To do this, they need to understand how proposed changes or additions impact that security posture, and in large organizations with complex systems, this can be difficult and time-consuming. The threat of attacks is very real, and the impacts can be catastrophic – the recent Equifax breach is a prime example.
Is the reconciliation of this tension an insurmountable challenge? Many experts do talk about the benefits that IT modernization can have on cybersecurity, and this is a good start. It is indeed true that legacy infrastructure, applications, and operating systems pose some of the greatest risks to information security. Upgrading endpoints, network and server hardware, and all layers of the software stack can result in vastly improved cybersecurity.
Unfortunately, this is a classic case of something that is necessary but not nearly sufficient, because it doesn’t address the core conflict between velocity and risk. When people discuss IT modernization, they are usually focused on upgrading technology to be “newer and better”, not transforming processes and people to be “faster and more agile”. This type of modernization doesn’t change the relationship between the security organization and the business and/or development organizations.
It turns out, however, there is an area where the interests of these “competing” agendas are rapidly converging: automation. Development organizations are aggressively trying to automate build and deployment pipelines, and operations groups are seeking to automate the provisioning and management of infrastructure. Forward-leaning security organizations are quickly realizing that both are a very good thing for cybersecurity, if done properly with security in mind. For this reason, an increasing number of leading practitioners are discussing not just DevOps, but DevSecOps (or SecDevOps, or DevOpsSec!).
In many organizations, it is the CIO or CTO seeking to drive the DevOps transformation, often to satisfy business stakeholders who want capabilities faster and with higher quality. To be successful, it is clearly necessary for the CISO to support and adapt to this change, but there is a much bigger opportunity to be seized. I believe the most progressive organizations will undergo the Cybersecurity Inversion.
Instead of being perceived as compliance police who impede speed and agility, CISOs must begin to turn the tables and invert that perspective. The security team in many organizations has or is quickly gaining significant authority, influence, and resources. This puts them in an ideal position to drive transformation efforts that benefit the organization greatly, while also improving cybersecurity posture – and the move to DevSecOps is a wonderful place to start. Instead of being dragged along (in some cases kicking and screaming), the CISO should be doing the dragging – driving the CIO and IT organization to move aggressively towards modern techniques and technologies for success in a digital world.
For any CISOs that aren’t quite convinced of the value of taking a leading role in the Digital Transformation of their respective organizations, consider the following:
- Automation of software build and test processes allow for continuous integration of information assurance and cybersecurity compliance activities, generating real-time data based on ground-truth, as opposed to manual paperwork-based compliance
- Automated provisioning and deployment using virtual infrastructure (think Cloud and Infrastructure-as-Code) allow for repeatable “deterministic deployments” that can guarantee a trusted state
- Systems that leverage container technology can ensure that applications are assembled from signed, immutable instances that have been certified to meet security standards.
- Modern, loosely-coupled application architectures built on “throw-away” virtual compute infrastructure can make it significantly harder for Advanced Persistent Threats to dwell and migrate
- Investments in emerging technologies such as Artificial Intelligence, advanced data analytics, and adaptive networks promise massive payoffs in the cybersecurity realm.
To put this in context, let’s return to our prime example. While it is still early, the recent Equifax breach (one of the worst in history) is believed to be the result of poor basic application security combined with the exploitation of a vulnerability in a popular open source software (OSS) framework. A reasonably mature DevSecOps approach, including embedded security expertise, automated code scanning, and configuration management of the software supply chain (such as OSS frameworks and libraries), would almost certainly have mitigated both issues. Note: OSS frameworks are a very good thing, but can have vulnerabilities just like commercial off-the-shelf software. In many cases, the vulnerabilities in OSS are found, reported, and addressed much more quickly and consistently than in some proprietary software.
Like all worthwhile endeavors, pulling off the Cybersecurity Inversion will not be easy for most organizations. It will require significant and difficult changes in IT’s holy triumvirate: people, processes and technologies. The CISO organization will likely need to develop or acquire expertise in several new domains, and drive major shifts in attitudes and relationships across the enterprise. It will require adopting a customer-centric mentality while preserving the ability to enforce desired behaviors and practices.
In the end, though, the payoff could be huge: an organization that increases velocity, agility, and innovation – while reducing risk at the same time – an excellent recipe for thriving in the modern digital era!