Much has been said in the last five years about how security “needs a seat at the business table”. When this is uttered by a security professional, usually among other security professionals, everyone typically nods and looks at one another knowingly, as if this is a foregone conclusion. Well, it’s not.
Most security teams are still those thankless security nerds that focus on the compliance checkbox. Why? We provide real value…right? We’re defenders of the univer….errr, enterprise!
There are a lot of reasons why security should be a business enabler, and plenty of reality thrown into the mix as to why we’re not getting it right. Here are some of the thoughts that I have on the matter.
First, we have a real need to convince business leaders that they need to do away with legacy software and platforms. This one is still challenging in some cases, since there may not be viable replacements for very specialized systems in particular scenarios. There is a real factor to consider across the board: cost.
Aside from the costs of maintaining old software and systems (including licensing, additional “out of warranty” protection from the manufacturers, and specialized knowledge), we need more protection in many cases, too. Defense-in-depth is a great idea, but when your datacenter has moved on to virtualization and cloud, yet you’re still forced to run the old i386 system with Windows NT for that ancient manufacturing application, you have a real Achilles heel. There may not be any adequate protection for that system, and a strong wind could knock it over. Maintaining old stuff is expensive.
The ideas we have around risk, particularly when it comes to changing to new security controls and paradigms, tend to be technical in nature. What we often don’t think about is how our security tools, controls, limitations, policies, and more ultimately impact the overall business as it wants and needs to operate. We talk about risk and risk reduction all day long. From my experience, more security professionals than ever are getting in touch with what their businesses actually DO - provide banking services, operate retail stores, make widgets, and so on. However, we need to think about both sides of the equation - which security controls and capabilities do we absolutely need to have, versus those that we’d merely like to have?
The other side to this story is one about increasing global competition, customer service, and the need to maintain the uptime and availability of critical business services. The business has to think of this first…but when do they become blinded to the need for new and innovative security capabilities by this “at all costs” mentality in support of business functionality?
For example, we’ve seen an astronomic rise in the use of cloud computing in the last several years. Cloud services cost money based on performance and utilization, which means that systems using more CPU and memory cost more. It’s no secret that most endpoint security tools do impart at least some overhead on systems. Is this factored into the costing equation for cloud implementation? In many cases, the business is not factoring this in up-front, and is surprised when security argues that more money is needed to operate those systems, with some protection, in Amazon AWS or Microsoft Azure.
“Nobody ever got fired for buying IBM.” While this may have been true at one point (and likely isn’t today), the underlying idea still holds. The most common question I am asked as a security consultant is “What are others in the <vertical> space doing?” My response is usually a bit sarcastic - “Who cares!?”
Folks, most security organizations aren’t doing that great a job. Following the herd may make sense in some places, but you’re much better off really evaluating where your business is, where it’s going technologically, and what tools will get you there more effectively in the long run.
There are a lot of “band-aid” solutions being applied today. I see people deploying sophisticated malware sandboxes and forensic tools with a skeleton staff that couldn’t keep up with the previous security operations in the environment. I see organizations sticking with their endpoint vendors when 95% virtualized, even though said vendors have an incredibly sub-optimal solution for highly converged infrastructure…because change is scary, and no one needs more stress in their lives.
All this said, who’s doing it RIGHT? What are the key trends and tactics of the rare CISO and security teams that have truly melded with the business, and can provide tangible returns on their investments and activities? No, this isn’t yet another attempt at “Security ROI”. The answer lies within business value; a true partnership where security brings something real to the table, sells it, and becomes a trusted aspect of the organization’s operating model. We’ll be exploring this idea, with case studies and examples, in coming posts and content.
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book "Virtualization Security: Protecting Virtualized Environments", as well as the coauthor of "Hands-On Information Security" from Course Technology. Recently Dave coauthored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.