I’m in the business of detecting attacks and understanding the nature of those attacks so that people can contain them. If I had to stack the challenges that organizations face in achieving security, I would put the lack of skilled, available labor as the biggest one; poorly implemented technologies and poorly run IT next; and poorly run security third. And really, they’re all related.
The lack of skilled IT staff is just the fact that there aren’t enough people to do the work that’s required. The pool of labor simply can’t grow quickly enough. In large part, it’s because people don’t have opportunities to get into the business and learn in practical ways. Or, they’re mismanaged by unskilled leadership in those technologies, so you wind up wasting your security investment after the fact.
Another part of it is the IT department understanding what the business needs and leading the organization down a path that will take them there. So much of this comes down to communication. Security is all about inter-species communication among security nerds or really technical talent, the people who understand regular IT processes, and the people who understand what the business is about.
The people who build and operate systems and are supposed to help the business often have no idea what the business does. But the people who are in the business don’t understand IT, either. Regular IT people, like developers or systems administrators, will implement new services or change services without any regard for the security implications, which leads to system vulnerabilities. There needs to be someone—typically, business analysts or IT leaders—who can figure out how to cross boundaries between IT and business processes.
Poorly implemented technology is also an issue. In many organizations, the IT department runs poorly because of a lack of integration between functions and a tendency to do things that are too big. For example, products tend to have updates once a year or maybe once a quarter. Those product updates will include new features and bug fixes, and they’ll include lots of changes. With every change to a product’s codebase, there is the possibility of issues and the possibility of security vulnerabilities.
The solution is to release more frequently, with less stuff in each release. DevOps is a strategy that’s increasingly being used to create more releases and reduce the cost of the release cycle itself. Because you can release more often and thereby reduce the amount of change in each release, any problems that do turn up are easier to isolate and fix.
Netflix does this beautifully. It’s a sophisticated, very mature organization when it comes to DevOps. Then, you have most of the world, which is backwards and still trying to do things as if they were hoping that mainframes would come back. To break this cycle, security managers need to show business and IT leadership the value of small, frequent releases and standardization. One way to do that is to introduce these leaders to forums where they can compare notes and see that another world is possible.
The last issue is poorly run security programs. There is the necessity to maintain technologies after implementation. For example, we have many customers that will invest heavily in the purchase and installation of security tools like firewalls. Unfortunately, those companies make heavy investments in the security program, but then they don’t maintain or continue to develop those technologies. The tools just rot on the vine, leaving the organization unable to respond to threats as they happen and unable to integrate IT systems in ways that are secure.
Organizations need to simplify operations. They need to simplify IT environments. They need to reduce the variety and diversity of systems and tools so that there are fewer changes, and the changes that remain are easier to manage. Firewalls can reduce the amount of noise by limiting and normalizing the network traffic that goes in and out of a network. They can also reduce the kinds of network traffic that pass through your network perimeter. The fewer things you pass through and the more standard your application programming interfaces, the less you have to think about and the smaller your attack surface.