Approaching security self-sufficiency

As part of my role as CSO, I’m extremely lucky to get to have conversations with CISOs, CTOs, and other technology leaders across industries. One of the things that has always struck me throughout my career is how, while there are certainly issues specific to each business, the vast majority of the challenges we face as defenders are the same.

Towards that end, I wanted to share three common themes of predictions for the coming year that I’ve seen talking to technology executives across industries and around the world.

Velocity of application creation/delivery will continue to increase

Years ago, web applications were created and delivered under the Waterfall methodology in which releases often took place every six months at the quickest, all the way up to 12 or 18 months at the slower end of the spectrum. Over the last several years, the Waterfall methodology has been increasingly replaced with methodology and technology shifts like DevOps, Agile, CI/CD, and cloud.

While these new approaches often refer to different portions of the application creation and delivery process, the one common factor they all share is their focus on increasing velocity of development and deployment. The rate of these changes has increased rapidly over the last several years, and will accelerate even faster in 2017 and beyond. In order to keep up as these changes occur, we as defenders need to adapt the way in which we design and implement our defensive controls.

Prediction: The rate of adoption of DevOps and cloud in 2017 will increase even faster than previous years, and expand into slower-to-adopt industries such as healthcare and insurance.

Focus on building security self-sufficiency amongst engineering teams

Two of the most strategic challenges putting pressure on security teams today are the shortage of qualified candidates and the velocity of application creation and delivery increasing by orders of magnitude. The sad fact facing almost every security team is that the vast majority of its time is taken up fighting fires and dealing with interrupts. Even if headcount were completely filled, this makes it hard to work on dedicated projects without being constantly context-switched onto the incident of the day.

Simultaneously, the increase in velocity coming from development and DevOps teams means that changes to applications and infrastructure are occurring at a pace that is 10x or even 100x faster than just a few short years ago. These two pressures are forcing security teams to adapt and shift from being a blocker that slows things down (and is ultimately ignored by the organization) to becoming an enabler that helps the rest of the engineering organization move faster. The key to this is for security teams to focus on providing resources to engineering teams that allow them to be secure by default and become security self-sufficient.

Prediction: Increasing numbers of security teams across industries will begin to shift their methodologies from being a blocker to being an enabler for the business.

New defensive approaches begin to replace legacy ones

An additional challenge facing many security teams today is that while cloud and DevOps have changed the defensive landscape (often in positive ways), many of the legacy defensive solutions haven’t kept pace with these changes.

As part of this shift, security needs to similarly change its mindset: from one that focuses exclusively on gatekeeping and blocking controls to eliminate issues before applications are deployed, to one that focuses on obtaining visibility and continuous feedback and on providing security capabilities that make development and DevOps teams security self-sufficient. Likewise, the tools used by security and DevOps/development teams need to enable velocity by being built natively for cloud and DevOps, and to provide value across the entire engineering organization, not just to a small number of highly specialized security personnel.

Prediction: Legacy security products begin to decline as defenders look for solutions that are built natively for use in cloud and DevOps environments.