Every industry is undergoing major transformational changes. Organizations are being forced to adapt and learn to respond to market forces faster or risk being left behind. Some refer to this situation as ‘hyper-competition’, others see it as a natural evolution of a global digital economy.
Key to this change is the compression of development cycle times. Just as Amazon.com has disrupted the retail industry with a previously unprecedented level of speed and convenience, IT organizations are being pressured to deliver more services faster and cheaper. Executive leaders who push back or resist this change often find themselves being replaced.
The major driver to this evolution is the ability to ‘fail fast’ and re-adjust as needed. If you can significantly reduce the cost of failures, you can afford to experiment more. This rapid rate of experimentation includes testing new ideas and/or copying competitors quicker to help build enterprise value. Speed and agility itself becomes a natural survival trait in the new global economy.
The software world specifically has made significant contributions to iterative development practices, allowing for a rethinking on how Product or Service life cycles should be managed.
Concept such as: Minimally Viable Products, Agile Project Management, Everything as a Service, Infrastructure as Code, Version Control Management & dozens of other DevOps concepts are seeping into every aspect of running a modern organization - including Security.
Avoid being a blocker
Unfortunately, security teams are often seen as the biggest blockers to change enablement within an organization. Many security professionals are ‘highly allergic’ to the concept of rapid non-stop experimentation, potential introduction of new security failures/attack vectors and accepting the risk that is inherent in experimentation. This causes significant friction between product and service owners and security teams tasked with protecting an organization’s resources, data and reputation. Many unintended consequences result from this friction, which rarely benefit anyone.
The key message for security teams is to remember that your role is to (based on NIST 800-53 CM-6): Implement the most restrictive mode of an information system consistent with operational requirements that meet business objectives.
The key takeaway from this is that an organization’s security posture must align with business objectives. Not the other way around. Security teams don’t get to adjust their company’s business objectives because it’s easier on them.
They need to extend their skills to embrace new technologies, new approaches and the new processes that aid with their role of securing a global digital organization. Leaders should ensure that security teams are involved early on and are viewed as important stakeholders in the organization’s entire products or service lifecycle process. The idea is for security to be “baked in” from the ground up, not “bolted on” as an afterthought.
A key approach to getting security teams to move faster is to embrace DevOps automation practices (merging development practices into operations). Some refer to this as DevSecOps, where security solutions are fully integrated and automated into the final product. This involves a front end investment, but quickly pays for itself in standardized secure Infrastructure as Code automations that can spin up and down repeatedly.
Many of the most sensitive and secure organizations in the world, from banking to telecom to healthcare to government are successfully transforming their organization, embracing new technologies and new processes in order to meet their organizational evolving business needs. Specifically, these organizations are well on their way as part of the “early majority” within the Technology Adoption Curve, embracing Cloud Platforms, DevOps, Infrastructure as Code as well as adopting Agile methodologies. We are way past the innovators and “early adopters” phase of this trend.
For many, it is a recognition that the organization must evolve and move faster to adopt new proven technologies or risk going extinct. The key is to remember that the technologies themselves may change but the underlying security principles and best practices remain the same. Ask yourself: “how is my organization embracing these trends and is my security team helping enable or hinder these transformation efforts”?