Taking the ‘right’ risks and reaping the benefits
November 21, 2017
We are beyond the early days of the internet, when everything in security was viewed in terms of firewalls and network appliances. Security solutions have extended beyond a binary outcome (pass/fail). More mature organisations build context around their policy: given the context and nature of the event, and what has occurred, these are the controls we build in. Below are some of the security aspects that are changing in the industry.
Real-Time Visibility of Security Posture
Often there is a problem where security managers and executives do not know what their current security posture is. Without knowing where they currently are, how do they know where they are meant to go? The traditional approach is to hire an external consultancy to compare the current security maturity to external standards such as ISO 27001 or PCI DSS. The findings will be a subjective analysis based on a time-boxed set of interviews and a subset of documents, rather than on what is actually in the environment, and the response and analysis can be shaped by what the auditor perceives. This is not to discount the role of an external auditor; however, in this changing climate, these audit controls need to be automated, and assessments cannot wait until the next time there is funding for an external consultancy and a maturity assessment.
General controls are typically assessed from two aspects: design effectiveness and operational effectiveness. The guardrails built into your CI/CD pipeline form your design effectiveness. The operational effectiveness is where monitoring and security orchestration tools come into play. The benefit of going to cloud service providers is that there are ‘plug and play’ products that can give visibility; Stax is one example. Executives expect high-level quarterly cybersecurity reports with quantifiable targets and outcomes to achieve. Managers then spend at least a few days of effort every month generating Governance, Risk and Compliance reports. With automated controls, this becomes a task that can be produced in real time.
Automate Security Auditing
Security consultants are meant to be advisors, not auditors. With the shortage of cybersecurity resources, time is better spent on automating controls, not on ticking check boxes and spending half a week generating monthly compliance and executive security reports.
Migrating to the cloud was considered a significant risk ten years ago. Do not misunderstand – just because you migrate to AWS, it does not automatically grant you all the certifications that come with AWS. It does, however, give security professionals the optimal opportunity to leverage new tools, build in automated security controls and enhance visibility of their own resources. Ten years ago, it was hard to find out whether a server was misconfigured until it was too late. Now, it is an API call away.
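As an added example of the ‘API call away’ audit control described above (not code from the original article), the following Python evaluates EC2 security-group descriptions for administrative ports exposed to the whole internet and rolls the result into the kind of figure a real-time posture report would carry. The input shape mirrors the response of boto3’s `ec2.describe_security_groups()`; the `SAMPLE_GROUPS` data and the `RESTRICTED_PORTS` policy are constructed assumptions so the check runs offline without AWS credentials.

```python
# Added example, not the article's code: an automated audit control over EC2 security
# groups. Input mirrors boto3's ec2.describe_security_groups(); sample data is constructed.
from ipaddress import ip_network

# Ports that must never be reachable from the whole internet (policy assumption).
RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def _rule_ports(perm):
    """Inclusive port range of one IpPermissions entry ('-1' means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def _world_open(perm):
    """True if any IPv4 or IPv6 CIDR on the rule covers the entire internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ip_network(c).prefixlen == 0 for c in cidrs)

def find_exposed_admin_ports(groups):
    """Return sorted (group_id, port, service) for each world-open restricted port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if _world_open(perm):
                lo, hi = _rule_ports(perm)
                findings += [(sg["GroupId"], p, n) for p, n in RESTRICTED_PORTS.items()
                             if lo <= p <= hi]
    return sorted(findings)

def posture_summary(groups):
    """Real-time figure for the executive report: share of groups with no finding."""
    failing = {gid for gid, _, _ in find_exposed_admin_ports(groups)}
    pct = 100.0 if not groups else round(100 * (1 - len(failing) / len(groups)), 1)
    return {"groups": len(groups), "failing": len(failing), "compliant_pct": pct}

SAMPLE_GROUPS = [  # constructed data in describe_security_groups() shape
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "-1",
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for gid, port, name in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {name} (port {port}) open to the world")
    print(posture_summary(SAMPLE_GROUPS))
```

Run against the live API, the same functions take `ec2.describe_security_groups()["SecurityGroups"]` as input, so the check can sit in a pipeline or scheduled job rather than wait for the next external audit.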
Reaping the benefits
Build in the controls, then trust and verify. Trust that your developers know what they are doing, but verify – after all, they are humans and humans make mistakes. Good developers are proud of the code they wrote. They will want to share their learnings, learn from others and build continuous improvement into the pipeline. Your developers know the ‘ins and outs’ of the application and where it could be improved. This enables the company to fine-tune its policies. Greater visibility of how to improve the code and the technology, through static code analysis and runtime vulnerability management scanning, will ultimately educate the developer community.
Building in those guardrails to ensure that the company’s vision and strategy stay on track and do not veer off course in the future is part of business strategy. Every business incurs some form of risk; the role of a ‘trusted advisor’ is to inform the business of its risk. This transforms the role of the security professional into that of a ‘trusted advisor’ rather than a ‘paranoid pessimist’ whose only answer is a simple ‘yes’ or ‘no’. Rather, their answer is ‘yes, if….’.