What amazes me about security consulting with the enterprise sector is how fast trends, solutions, and problems can be witnessed rippling across the industry. The work my division supports involves clients whose products are used by millions, if not billions, of customers. If anything, the problems enterprise organizations struggle with the most are operational “people problems”. The operations of dealing with thousands of employees and billions of users drive the difficulty of security problems “at scale” upward.
Enterprise companies usually suffer from similar problems, benefit from similar approaches to solutions, and generally have similar sounding grievances in trying to solve security issues “at scale”.
If only to help you feel less alone if you work in one of these large organizations, I decided to coalesce the top trends I witnessed across the enterprise in 2018 and banter a bit about them below.
ONE: There just aren’t enough people to go around in vulnerability management, triage or remediation…and adding more people isn’t really a good answer.
Companies in the enterprise space are generally struggling with headcount issues, and this is especially apparent in the high-effort, low-glory realm of vulnerability management. There is a lack of qualified individuals who want to handle vulnerability management, and not exactly a pool of folks dying to break into this part of the industry. In fact, in my experience, most people who get into transactional vulnerability management roles eventually burn out and seek opportunities elsewhere. The feedback I have received in 2018 is that vulnerability management, triage, and remediation at the enterprise level is a real grind that might benefit from some level of reform.
In short, the tedious nature of vulnerability management in the enterprise space now necessitates either outsourcing to a managed services vendor, or performing custom engineering of internal solutions that provide easier mechanisms for triage. Some companies have chosen to do both to protect their employees from task fatigue.
A key issue in this space is the lack of quality from heavily automated managed services providers, and the disconnect in strategy between current MSSP vendors and the more collaborative type of managed services needed to be effective in this space. Expect solutions to come from security vendors this year to help with this battle.
“Shift Left” is happening in defensive security with positive technical effects and negative operational ramifications.
Whether it’s the rollout of static analysis of code early in the development cycle or threat modeling and design reviews of new features or applications, the “shift left” mantra has hit the security industry in a big way.
The enterprise software space has especially embraced threat modeling and design reviews as a means to discover key architectural problems prior to intensive and costly re-engineering efforts. There are many positives to this, like the discovery of critical flaws prior to release which would otherwise likely be exploited to damaging effect. The negative is that timelines from leadership rarely reflect the considerable design changes that need to take place in order to ship secure products once architectural issues are discovered. In fact, for the most part delivery times have seemed to remain constant, as if the only security assessment still in effect were a code assessment or penetration test, as in the old security assessment models.
The additional time necessary to perform “shift left” security activities can cause significant frustration inside of corporate development teams — especially in companies who rely on hard and fast deadlines for product deployment.
Companies with strong bonds between engineering and security have started making changes to their delivery model to ensure that remediation timescales no longer delay product release dates, but for the most part, this is a dissatisfying operational trend I expect to see even more in 2019 as product management teams get surprised at the additional time necessary for architectural remediation as recommended by security teams post-engagement.
For companies now ramping up their pre-release review efforts with a focus on upstream SDLC engagement, increasing cross-team communications here will help to allay these issues ahead of potentially difficult circumstances.
M&A deals are reaching security teams pre-term. Get a plan in place.
In years past, M&A has been a source of discontent for industry peers as discovery of a deal in progress has often occurred too late to take considerable counteraction to protect the acquirer. But this year, I witnessed an unprecedented number of pre-term M&A engagements. In many ways this was welcome because it gave companies time to contemplate how to best assess the targets, which factors were most important to evaluate, and how to integrate the target most securely.
But one recommendation I’d like to make is that security and legal teams should meet more often and form a readily accessible relationship, as most friction witnessed in these areas has involved issues of a legal nature that security teams are mostly ill equipped to handle.
This problem space is going to intensify. The software industry is rapidly consolidating — in 2017, 655 tech companies were acquired by tech companies.
One alarming stat: in 2017, 682 tech companies were purchased by a company in an industry other than technology. Many of these non-tech companies acquired their first tech company, and the broad lack of M&A technical due diligence witnessed on these deals gives me pause.
M&A will continue to be a pressing matter for security teams — most companies are at best still in response mode when this occurs and so defining rules of engagement between legal, security, and leadership seems to be a great way to kick off 2019.
On-boarding is broken.
This is an issue that has existed in security for over a decade and persists to this day. It is costing security teams a figure large enough to be embarrassed about on all sides — vendors, clients, and industry luminaries need to come together on this issue, however boring it might be.
Strict on-boarding requirements are a necessity for most enterprise companies, and for good reason. But I believe it has come time to develop a readily accessible solution here to avoid costly delays in projects and burned security budget. Custom background checks and other requirements for access often come late on otherwise fast-moving projects, causing major headaches for clients and vendors alike. The results? Sad teams on both sides.
Better communication between legal, security, and leadership levels has ameliorated this problem at some organizations that work closely with one or two main providers of services to develop a highly custom process that relies on familiarity of resources. But the continual churn of employees and vendors at most companies makes this a problem that I think should be looked at from a strategic, industry-wide level. I believe vendors will develop solutions or define framework-level process improvements to help solve this issue that can be used by the community at large.
If there are solutions or ideas to solve this frustrating problem, I think the industry is all ears.
The most valuable person inside your security team in 2018 might have been the program manager or project manager.
Ten years ago I think most security practitioners would have scoffed a bit at a primarily non-technical, operations focused individual getting nominated as the security team’s MVP. I think those days are mostly gone as teams rely heavily on program and project managers to handle all of the chaos of security programs seamlessly. Needless to say, it is a respite of calm to move people-based operational tasks off to members of the team who make that their key responsibility.
Security engineers are less specialized and beginning to look and feel very integrated with the rest of engineering at software companies.
Many companies are selling security as a feature in their products, and this is driving security members to be involved with engineering from design onward to production.
In many ways this is a welcome change at the enterprise level, as the power once seen in “security as a silo” models (aka “check my product and help me fix it”) is de-consolidating rapidly back to the “security hand-holding” model. This will eventually drive an even larger need for security engineers as their workload of projects becomes larger and less readily achievable.
It’s worth noting that the consolidation and de-consolidation of security at companies happens every two or three years with the tides apparently.
I’m sure there are more interesting things I’ve missed or run out of time to discuss. What are your observations? Any solutions to some of these areas? Would love to read your comments here!