The modern-day CIO has a rapidly growing number of priorities, most of which are driven by the mega trends of digital transformation and cloud migration. They must also spend time and resources ensuring that the existing lines of business continue to function seamlessly and drive revenue. This frenetic environment is best described pictorially (below), and a purely tactical approach will certainly produce sub-optimal results.
Security is important but not a priority
Too often, security is an area that lags behind other initiatives and is “bolted on” at the end of a project or migration. The result is that remediation of any issues is rushed, mitigating controls are put into place as a stop gap, or worse yet, a conscious decision is made to absorb the risk(s). Security teams, which are already overburdened and often understaffed, start adding more tools to the environment in an attempt to provide defenses and insight into the insecure areas. The main issue with this “scale out” collection of individual products and point solutions is that they typically require some level of manual intervention. If the tool requires developers to change their behavior, they will typically use it only periodically and inconsistently. On the other side, if the tool requires the security engineer to perform a set of actions, that will also be inconsistent because of the aforementioned talent shortage.
Strategic security planning
Now that the challenges have been outlined, what is a CIO to do in order to better integrate security into the environment and strengthen the company’s security posture? Given my former role as a CIO in large enterprise environments, I’ll provide a real-world approach and a set of best practices to establish a baseline of the current security posture. The most important thing you can do is get started, because security is an ever-evolving challenge and practice; getting started and developing a path for improvement is the essential first step.
5 best practices
- You can’t secure what you don’t know about – Visibility is paramount for security, so the first step is to perform a comprehensive audit of all existing code repositories, application environments/deployments, and any external, third-party services that are being used. In conjunction with this audit, document any security tools and solutions that are being used or have been deployed. An important part of this process is also to meet with several members of the development, DevOps and security teams to get a view into cultural biases and differing views of security. Do not underestimate the value of this part of the process, as the cultural transformation will be more challenging than the technical aspects of execution.
- Prioritize, prioritize, prioritize – Now that you have the inventory audit completed, it’s time to perform the risk assessment. Assign a score to each major asset based upon the potential adverse effects to the business if there were a security issue/breach. Even though the goal is to deploy a strategic framework, you need to start somewhere, and that starting place is obviously the most crucial business asset. It is also important to realize that this assessment is not a static exercise: risk is an elastic entity, and the corresponding level can change quite often in a high-velocity business.
- Seamless integration, not bolt-on – Security solutions have tended to be point solutions instead of being integrated into environments and workflows. For software, organizations have an opportunity to integrate security as far left in the product development process as possible. Teams can remediate defects early in the cycle, saving time and money as well as increasing overall security assurance. In my experience, this approach creates a much more collaborative environment and brings the security team into the development lifecycle. Over time this can transform the culture into true DevSecOps. Security tool integration should leverage automation and orchestration to provide repeatable approaches to security testing. “Automation” improves the vertically focused manual tasks, and “orchestration” ties together all of the disjointed processes into a single view.
- Security metrics – You can’t improve what you can’t (or don’t) measure, and a couple of KPIs to track are your IRD – Internal Rate of Detection – and your IRR – Internal Rate of Remediation. Too often the focus is on insurance and passive defense; my advice is to start thinking about assurance and leveling the playing field by taking more offensive approaches to security. By tracking how many security issues are detected during the development cycle, when they are detected and how quickly they are remediated, you can present that data to the CEO and board and have real discussions about what is working and what still needs to be improved.
- Continuous assurance – Code and application security testing has typically been a periodic, manual process, and even highly regulated industries adhere only to their respective compliance requirements (e.g. PCI-DSS requires a penetration test two times per year). My experience suggests that security assurance needs to be a continuous process in which any significant change delivered to production is scanned for vulnerabilities and any issues discovered are remediated at that point in time. This fast feedback loop has proven to actually increase delivery velocity and improve overall code quality. (source: Sonatype’s 2017 State of the Software Supply Chain)
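The IRD and IRR KPIs from the metrics practice above only become useful once they are computed from a tracked record of findings. The script below is an added illustration, not part of the original article: it assumes IRD means the share of findings caught by internal, pre-production stages, and IRR the share of findings closed within a remediation SLA (open findings count against the rate), and it runs on a small constructed set of findings.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed definition: stages that count as "internal" detection, i.e. the
# issue was caught before the change reached production or an outside party.
INTERNAL_STAGES = {"code-review", "ci-sast", "dependency-scan", "qa-dast"}

@dataclass
class Finding:
    finding_id: str
    severity: str                  # "high", "medium" or "low"
    detected_in: str               # stage or source where the issue surfaced
    detected_on: date
    remediated_on: Optional[date]  # None while the finding is still open

# Constructed sample findings; not real data.
FINDINGS = [
    Finding("F-1", "high", "ci-sast", date(2024, 3, 1), date(2024, 3, 4)),
    Finding("F-2", "high", "production-incident", date(2024, 3, 2), date(2024, 3, 10)),
    Finding("F-3", "medium", "dependency-scan", date(2024, 3, 5), date(2024, 3, 7)),
    Finding("F-4", "low", "external-report", date(2024, 3, 8), None),
    Finding("F-5", "medium", "code-review", date(2024, 3, 9), date(2024, 3, 9)),
]

def internal_rate_of_detection(findings):
    """IRD: fraction of findings caught by internal, pre-production stages."""
    if not findings:
        return 0.0
    return sum(f.detected_in in INTERNAL_STAGES for f in findings) / len(findings)

def internal_rate_of_remediation(findings, sla_days):
    """IRR: fraction of all findings closed within sla_days of detection."""
    if not findings:
        return 0.0
    on_time = sum(1 for f in findings if f.remediated_on is not None
                  and (f.remediated_on - f.detected_on).days <= sla_days)
    return on_time / len(findings)

def median_days_to_remediate(findings):
    """Median time-to-fix over closed findings only; None if nothing is closed."""
    closed = [(f.remediated_on - f.detected_on).days for f in findings if f.remediated_on]
    return median(closed) if closed else None

def kpi_report(findings, sla_days=14):
    """KPIs overall and per severity, the cut a board discussion usually needs."""
    groups = {"all": list(findings)}
    for f in findings:
        groups.setdefault(f.severity, []).append(f)
    return {name: {"count": len(fs), "ird": internal_rate_of_detection(fs),
                   "irr": internal_rate_of_remediation(fs, sla_days),
                   "median_days": median_days_to_remediate(fs)}
            for name, fs in groups.items()}
```

Running `kpi_report(FINDINGS)` and printing each group gives the per-severity view to trend from release to release; a falling IRD or rising median days is the signal that the "shift left" integration is slipping.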
Stop the FUD and get started
The security marketplace and landscape is fueled by FUD – fear, uncertainty and doubt – which is often the driver of security projects, if not strategies. In my experience, this approach does not help to improve overall security posture, and a completely new approach needs to be taken. As you evolve your security strategy with some or all of the best practices I’ve outlined, consider building for confidence, assurance and visibility, as these will ultimately help to improve your resiliency. I hope that by outlining the approach that has worked for me, you can start implementing your security strategy and accelerate development velocity in the process.