Why integration is key to effective security change
Fri 29 Sep 2017
Earlier this week I wrote about how an evolution, built on the shoulders of the brightest and the best in the DevOps community, has overtaken the capabilities of established security practices.
The piece got a lot of attention, and my already busy diary now has requests for me to come and speak at conferences about the topic as if this is a new call to arms.
Last April, I pointed out almost the same issue that was emerging in large accounts across the fintech arena in London and New York, where my concern was large enough to flag to risk owners and CISO-level staffers as a failure of big four consultancies brought into audit platforms. I have since been saying exactly the same thing with examples of how we need to change and enable.
Needless to say, most security folk disagree with my state of the nation.
However, companies such as Google have listened and are working to change their operations security processes, as has the largest bank in Holland. Now the penny has started dropping as companies, ranging from one of the largest engineering companies in the U.S. to mainstream banks, are all realising this is a gap that has been allowed to emerge unchallenged.
Too often in security columns, there is a tendency to make an impact by calling out security professionals or companies. We all live in a common ecosystem. Recently, after leaving Red Hat in the U.S., I spent some time with Gartner as the CTO of its Security and Risk practice. However, I’d also been talking to a company since early 2017 in the UK, called Falanx, which nobody had heard of. The company had a technology that was akin to what I had done with SmoothWall in the security industry nearly twenty years ago in terms of its disruptive innovation towards solving this problem.
I am now able to actually do something to create an adequate solution for the growing security ecosystem with the right tools to start fixing a lot of these issues on the fly.
As we continue to evolve across every vertical in industry, change has to happen. The current operational security capability resembles a Venn diagram, but with little common overlap towards getting integrated security to provide assurance, protection and remediation. This is why Equifax and now Deloitte, major brands, have failed to deliver joined-up security.
Security professionals can point out that for every one successful attack or breach there are hundreds of attacks that were logged and mitigated against using governance and tools to achieve KPIs and protect infrastructure. That data does not paint an accurate picture.
It is not the articulate hacks at the codebase level that we are seeing breach privileged resources or sensitive, attractive hosts. The most prevalent attacks are becoming the small off-radar ones that target architecture weaknesses or vulnerable, outdated daemons and services, that discover badly written APIs or authentication, and the age-old man-in-the-middle attacks.
Phishing and denial-of-service attacks are the factory-created toolsets of the mass-market attacker, and against them your expensive endpoint technology, which eats your capex and opex budgets, paints a false picture of safety.
My job is to write the stories here clearly and in a manner that causes you to go away and enable conversations and processes that effect change. A good security journalist makes you think on your commute home and cajoles you gently towards being an educator or enabler.
Make The Stack part of your regular reading for effective security change and let’s see what we can do together to promote effective security posture and education.