Taking the ‘right’ risks and reaping the rewards

There is a common
perception of the stereotypical security professional who always says ‘no’. However,
there are a growing number of security consultants who have come to approach
new projects and clients with the response ‘yes – if….’. The role of the
security consultant is to ensure they have assurances over what the business is
doing, and to do that it’s not as clean cut as a yes or no answer.

Security has never been
about holding anyone back, but rather to protect the business by enabling senior
leaders to take the right risks, in
order to reap the rewards. To do this, the security consultant needs to have a
transparent view of the business. Then it’s about taking a layered approach, and
layering your recommendations with context.

Real-time visibility of security
posture

To better understand the
business and its challenges, it’s critical to know what your security posture
is. Without knowing where you currently are, how do you know where you are
meant to go?

The traditional approach
is to hire an external consultancy to compare the current security maturity to
external standards such as ISO27001 or PCI-DSS. The findings will be analysed
based on a time-boxed set of interviews and subset of documents, rather than
what is actually in the environment. The response and analysis to which can be
shaped by what the auditor perceives. This is not to discount the role of an
external auditor, however in this changing climate, these audit controls need
to be automated and assessments cannot wait until the next time there is
funding for an external consultancy and a maturity assessment.

General controls are
typically assessed from two aspects: design effectiveness and operational
effectiveness. The guardrails built into your CI/CD pipeline form your design
effectiveness. The operational effectiveness is where monitoring and security
orchestration tools come into play. The benefit of going to cloud service
providers is that there are ‘plug and play’ products that can give visibility. Stax is a perfect example of this.

Executives expect
quarterly cybersecurity reports and managers spend at least a few days every
month generating governance risk and compliance reports; however, this can now
be reduced to an automated task that can be produced in real-time.

Automate security auditing

Security consultants are designed
to be advisors, not auditors. With the shortage in cybersecurity resources,
time is better spent on automating controls, not on ticking check boxes and
spending countless hours generating monthly compliance and executive security
reports.

Migrating to the cloud
was considered to be a significant risk 10 years ago. It’s important to
remember, just because you migrate to cloud platforms like AWS, does not
automatically grant you all the certifications that come with AWS. It does
however, give security professionals the optimal opportunity to leverage new and
improved tools, build in the automated security controls and enhance visibility
of their own resources.

Build in the controls, then trust and verify

Trust that your
developers know what they are doing but still verify to check against human
error. A good developer will want to share their learnings, learn from others
and build continuous improvement into the pipeline. Your developers know the ‘ins
and outs’ of the application and where it could be improved which enables the
company to fine-tune their policies. Greater visibility of how to improve the
code and the technology with static code analysis and runtime vulnerability
management scanning, will ultimately educate the developer community.

The trusted advisor

Managers and executives
need to change their expectations around what the security team is providing,
moving beyond monthly reports, to see the security consultant as a ‘trusted
advisor’ to inform the business of its risk, rather than simply providing a yes
or no answer. And once the security consultant has a better understanding of
the business, and its challenges, only then can they enable a business to take
the ‘right risks’.