Security is a boardroom topic and not a hard sell
these days.Not saying the job of the CISO has become easier,
but certainly getting funding is less of a herculean task as it used to be 10
years ago. Everyday we get updates about breaches regardless of the size or
cyber budget of the organizations. Smaller companies not investing adequately
in security capabilities are expected to face the heat but why the larger
organizations are hacked despite spending in millions and billions?This question requires a deeper introspection, it is
not always money that hinders a company’s ability to put up a solid hackerproof
defense. It is the combination of people, process and technological maturity
that should go hand in hand for stronger security posture. Fair enough but why
companies with humongous cyber budget can not bring the needed maturity to
improve security?
To me the answer is deeply rooted in four factors– a) trying to build a “best in class security” with a “defense in depth” approach that at times hurts more than any help b) decision paralysis in product selection c) lack of a clear RACI(accountability model) between CIO, CTO and CISO organizations d) too many checks and balances in governance process stalling implementation agility. This is a general theme I have seen in last 20+ years in security industry. In this article I will focus more on the first point and see if we can come up with a solution to address.Organizations usually don’t have a clear definition of need vs desire when it comes to picking security controls. Organic growth, M&A activities, fear of causing operational impact, breach news in the media and vendor pitch are some of the well-known factors for piling up security controls that is also a manifestation of a “shiny-toy syndrome”. Adding unnecessary security controls rather open bigger security holes than closing a few because the more tools we add, the bigger the likelihood of keeping unpatched or under patched security controls.As a result, we are opening holes, slowing down system performance, killing the incident response agility, adding operational complexity and last but not the least spending more on capital and operational expense. So, what is the answer here? Technology rationalization of the control set is the need of the hour to strengthen the posture, making operations more agile in responding to incidents and improve application performance. But industry is full of vendors providing overlapping coverage, every product has some niche strength that is important for security. How to do the rationalization? Do we paint the picture with only one or two vendors? Do we go for the best of the breed product in every control category? These are the usual questions coming in mind when we talk about control rationalization and my answer to this is the approach called ‘DIRT CLEAN’. When you have too many junk things in your house, you need to cleanup unnecessary things, the same applies in security control space.Developer experience
is a critical part when we make technology stack decisions. Security controls
should have open APIs for the developers to be able to access and fix their
applications without needing to invasively change the application architecture.
The tools should be well integrated with CI/CD pipeline and able to automate
using code. If developers don’t like the experience, they will bypass the
control. Importance level - HighIndustry trends
will be another aspect that we have to be keeping our tabs on. We don’t want to
add or remove a security control that is not on the line of the industry
trends. For example, if we select a control that is not artificial
intelligence, machine learning based supporting open API connectivity with
orchestration ability, we are not looking for the future. Importance level - HighRegulatory requirements will
be another area we have to be very careful about while adding or removing
security controls from our stack. We must be up to the speed on various
compliance and regulatory aspects like PCI-DSS, NYDFS, HIPAA, GLBA, MAR, GDPR,
SOC1/2 and many more based on the industry of operation. We can not afford to
do a rationalization missing the regulatory ask and being financially or
legally penalised by the pertinent authorities. Importance
level - HighThreat landscape
is the core requirement that any control rationalisation decision should be
based on. Pickup any framework (E.g. MITRE) that is TTP (tactics, techniques,
procedure) focused in identifying the strength and weaknesses of the current posture
before adding or removing something from the portfolio. Importance level - HighConsolidation of capabilities
will be a key focus area for technology simplification. Consolidation not only improves
performance or financial expense; it also improves the security posture by
reducing the attack vectors by keeping less things unpatched or under patched
by mistake. Importance level - MediumLean operating model is
something to be considered as one of the core principals of technology rationalization.
Leaner stack helps in improving performance, lowering capital or operating cost
while improving security posture with increased agility in operational response. Importance level - MediumEconomic sense will
be a major factor to be considered behind security control rationalization
exercise. The goal will be to cut down the budget from maintaining too many
security tools that add marginal value in improving security posture. Importance level - LowAgility in incident response
is probably the most important aspect of this exercise. Whatever security
controls an architecture or engineering team deploys are used by security
operations team. SecOps folks are the real customers of these tools. If the
tool does not enable them to faster identification and remediation of security
incidents, it does not serve the purpose of the operations team. Importance level - HighNegligible performance impact
should be introduced by the security tools for developers and business clients
to accept it. Importance level - HighIt
is observed that organizations often debate on best of the breed controls
versus consolidation of the capabilities. Often in order to do a data driven
product selection, security organizations forget to look at the basic things
like risk vs reward analysis, does not consider if the marginal security
benefit that warrants burning too much of calories in terms of detailed proof
of concept vetting. This results in a decision paralysis which causes more harm
by keeping the window of opportunity open to the hackers as opposed to an agile
implementation with less feature set to close a major security gap. So, we have
to be agile, burn calories judiciously during bake-off and follow the above-mentioned
DIRT CLEAN rationalization approach in an agile fashion to bring in the maximum-security
benefit to the organization.
There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]
It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]
