Governing the Modern Cyber Security Landscape

With the evolution of cloud and automated security solutions, modern security teams are facing a rarely spoken of challenge: Governance

Lucas Dowd
Microsoft Cybersecurity
May 7, 2019


(Source: Microsoft)

As an Enterprise Security Executive, I work with many enterprise customers on the security components of digital transformation in their organizations. One trend that I have noticed is that our industry is far too product-focused: most organizations aren’t lacking security products or even security capabilities in many cases. What they are really missing is the foundation that ties those products and capabilities together.

What they really need is proper Governance.

Legacy security strategies built on leveraging point providers have created skill challenges for those moving to cloud solutions from the old on-premises solutions. Moving to new cloud infrastructures gives organizations an opportunity to fundamentally change their protection strategy to accommodate available skills, rapid deployment capabilities, and management needs.

There are plenty of products and solutions being engineered to help us, but what about the human element?

Roles and job titles need to shift as well

We need to find new and innovative ways to reorganize and train existing security teams to operate in a world where the network perimeter is no longer defined by subnets and gateways.

Architectures are shifting from large waterfall-style projects to an agile mode of continuous evolution and deployment. We can automate so much more today than we ever could in the past, which means we have a greater opportunity to reduce manual processes. Scalable cloud services are moving us away from individual information systems, and hackers are getting ever more adept at developing and carrying out elaborate attacks. These attacks occur at all layers of the stack, including credential theft, “living off the land” in SaaS applications, and in custom Line of Business (LOB) applications.

While the core mission and the “what” that security provides remain consistent, the tools, skills, and practices of “how” security accomplishes this are changing significantly.

Key areas of change include:

  • Administration — Administration evolves from manual tasks to authoring, maintaining, and monitoring automated procedures. The focus of administrative tasks will move from a heavy focus on people and processes, to more of a focus on technology governance. This is a significant benefit for security as automation only offers a single opportunity for human error, whereas a repetitive manual task offers many. Additionally, more scrutiny is typically applied to automation scripts and processes vs each iteration of a manual administration task.
  • Network Containment — The discipline of risk containment with network security is evolving from a singular focus on a single technology (networks) to designing risk containment strategies and controls that span all layers including Network, Application, Identity, Data, and more.
  • Development Security — As development shifts to a DevOps model, application security professionals become embedded security subject matter experts (SMEs) in the development process rather than holding a passive role in a quality gate.
  • Security Architecture — This becomes a discipline that continually engages each team to constantly improve the architectures and implementations, rather than setting an initial direction and then acting as a quality gate in large waterfall-style projects. Before DevSecOps was established, teams would not conduct regular or complete code inspections. These tasks were simply trusted to be done by the engineers. With security experts directly involved in code deployment, regular testing and inspection occurs reliably, thus reducing errors that could result in a breach or vulnerability.

Conclusion

The organization’s reach no longer stops at the edge of the internal network. With the advent of powerful cloud and automation solutions, security teams not only need to be able to properly establish and maintain their security array, but also properly govern the people and processes involved.
