I often open a keynote presentation by noting that organizations are undergoing a fundamental shift in security strategy – moving from a compliance-focused to a risk-based approach. That’s still ongoing; even for large and sophisticated organizations there is still a gravity towards ‘doing it for the audit’ rather than ‘doing it because there’s risk’. Yet there’s another transformation on the horizon that most businesses are ill-prepared to address: we’re headed towards an era of pervasive security.
Compliance provides a floor for a security program – it’s the basic minimum that needs to be in place to pass an audit, but it does not mean that you’re secure. Nearly every large breach in the past few years hit an organization that was compliant and had passed its audits. Yet they were all breached. That realization is one reason that most security programs have been moving towards business risk – to provide a more effective security program that reflects the real-world threats facing them.
Now that sounds great, and it accurately reflects reality; after all, we can’t secure everything. Limited resources – people, money, time, technology – mean that we have to prioritize and focus our efforts on those portions of the program with the greatest return. And the bad guys know it.
That’s the fundamental difference between security incidents and IT failures or natural disasters. Parallels are often drawn between them, and programs and plans are drawn up based on system outages or tornados. That’s fine to a point, but we have active adversaries working against us – attacking our systems, looking for weak points to gain a foothold. One CISO recently said that what keeps him up at night are the low-risk systems, because there’s little security around them and they talk to his high-risk systems.
That’s why we need to enter the era of pervasive security. The good news is that pervasive security, for most organizations today, begins with basic blocking and tackling. Patching systems, scanning for vulnerabilities, consuming threat feeds, encrypting data, securing identities – especially privileged users – and having good visibility into what’s happening on systems and across the network all contribute to building that platform. But the largest challenge of all remains, and ironically it lies in IT and product development: we’re continuing to build insecure products and systems.
It needs to be a mindset baked into our DevOps workflow (DevSecOps!). Engineers, developers, business analysts, UI designers, DBAs – all need to have a secure-thinking mindset. Thinking about how things break isn’t enough; the whole organization needs to think about how things can be broken. Pervasive security by design – hardening systems against attack, making them resilient when they are attacked, and recoverable when they are compromised – will require a fundamental shift in how we build and deploy systems, and funding to go along with it. That’s not an easy shift, and it will take both willpower and investment from the CEO and board level down.
Compliance isn’t going away – especially if there is a breach, not being compliant is brand-damaging (even if the non-compliance wasn’t related to the breach itself). Risk focus won’t go away either – it’ll help us prioritize where we deploy resources, and it will continue to be the language we use with business stakeholders and the board. But those conversations will change; pervasive security will be the new normal for successful businesses in the next decade.