Organizations that have a security-first mindset are better prepared and better able to respond to security threats
In the mid-to-late 1970s, the PC represented a major shift in the technological balance of power. It allowed small businesses to analyze business data without the need for a mainframe infrastructure, and use those insights to compete with larger businesses that were burdened with a higher cost structure and limited ability to be agile.
Fast-forward to the present day and the dynamics are similar. Except instead of the PC, it is the cloud that is the great technology equalizer. Democratizing fast, rapid-scaling compute power allows any startup to create world-changing innovations with fewer resources and in far less time. But these services are not just for startups; organizations of all sizes are consuming cloud services to capitalize on the promises of speed to innovation, getting closer to customers and creating valuable insights that can translate into competitive advantage. Conversely, these services also allow the competition to respond faster and reduce the time gap of advantage to commodity.
In our last piece, we discussed how shadow IT remains a threat to businesses that face the competitive pressures of speed and innovation, a threat made easier by how readily powerful cloud services can be provisioned. In this piece, we’ll explore how security leaders can not only win in this seemingly impossible environment but also thrive as critical partners in executing a successful modern business.
Realistically, most companies are now technology companies. Think about shoe manufacturers selling personalized shoes over the web, fashion boxes crafted monthly based on a few stated preferences, networked medical devices, camera-enabled doorbells, smart refrigerators and even internet-connected exercise bikes. All of these things generate value for customers but depend on increasingly complex technologies, a web of service providers and the collection and use of massive amounts of data. In this environment, gone are the days that security teams only had to monitor the single database storing cardholder data. They are now responsible for an entire value chain that may or may not be completely in their direct care. This new reality mandates that security leaders take a different approach.
Those That Lead the Way Write the Rules
It wasn’t long ago that information security as a profession was so small, and had so little influence, that most major companies didn’t even have anyone with that skill set on staff, despite massive technology advancement and investment. But as CIOs wielded their influence, the best of them figured out that being an agent of company innovation was the best path to both organizational and career success. With that influence came the ability to define how technology would be implemented and, in some cases, how security would play its limited part.
As a seasoned security consultant, what I now advocate is that security executives who want to win step up and lead the organization in achieving its goals. Instead of playing from the side or the back, writing governance rules and blocking innovations, lead from the front. That means proactively creating the plans for migrating to the cloud, implementing DevOps and getting innovative technologies to market, while simultaneously creating the guardrails that ensure good process, good governance and operational excellence, all of which contribute to good security. When Security leads, both Security and the business can win.
What does leading the way look like? Here are a few suggestions to help along the journey:
Cloud architectures, design thinking and DevOps have taken innovation cycles from years to weeks, sometimes even to days. But cyber teams have been known to feel a bit uncomfortable with new architectures that can threaten the status quo and, conceptually at least, increase risk. Since Security can lead the organization to do this in a safe way, such initiatives need not be seen as threats.
Just one example can be found in creating formal written security standards for cloud services, but in a way that makes these services accessible to the business. Nowadays, it’s common for teams to use what are known as security scripts to build new virtual servers when extra computing capacity is needed. Building those scripts to pre-determined, pre-hardened standards means new virtual servers can be stood up and made available both swiftly and safely, even dynamically in response to varying processing loads.
In the DevOps model, the development team becomes the first line of defense; the Security team must enable them by teaching secure development techniques and practices that tie back to corporate requirements. That is attained by enabling developers to work in a continuous deployment environment, equipped with the know-how of secure development practices and the guardrails of built-in code analysis tools that look for vulnerabilities. Additionally, building compliance into software design really helps to create the kind of environment that security leaders have long wanted. In the process, developers and even product leaders can become an extension of the security team. It’s a win-win.