Its time for a change in infosec. If you have been in this business 5 or 10 years you have spent countless hours trying to get people to care about security. Now? Not so much.
There was, until recently, a common passive-aggressive game called "My VP beats your VP" where security and developers and ops would meet on a project. The security team presents requirements, dev and ops nod. But there was not much intent to follow through, then when deadlines could not be met or pen tests fail hard decisions to be made. The rank and file security, dev and ops people all escalate to their respective VPs, inevitably the dev and ops VPs crush the security VP, project goes live and rinse, repeat.
Now? Not so much. The same game is still played of course, but the ending is often very different. The security VPs win, quite a lot actually. There is something about a subject that is written about in the Wall St Journal every.single.day. that gets C level and board attention. A new phenomenon, and we are still feeling our way through what it means.
Security teams need to pivot and do so quickly. Its not a game of try like hell to get approved to do something and succeed 2 of 10 times. Now its more like anything that sounds reasonable will get funded. I do not know how you even have time to read this blog, people are so busy, teams working flat out, and consulting benches empty.
The awareness is there, but that is only the very beginning, really now the hard work of fixing things begins. As stressed out as everyone in the industry is, for the most part we have not even begun the real work. Security teams hear yes way more than no, but that is the beginning. The problems must be solved and businesses do not care about why they got there. Now the problem is what are you going to do about fixing it? How quickly, what order, how much will it cost, and what else is impacted by it? These are now the fundamental questions. We need to be ready to go with answers, not just "If only we had this tool or that tool."
The ripple effects are just starting, here are some areas where the old ways of security no longer work.
It starts with asking for smart things. Your security policy is very likely near useless here, and compliance-only driven initiatives are too narrow. Think architecture centric not audit centric. Audits have to be addressed, but architecture is the way to win over the medium-long haul.
Plan and design around simplicity and scale. Don't look for all singing, all dancing products, instead find things that can be managed and that scale out. Your security team is a single digit percent of dev and ops, scaling matters in every single security design decision.
Decentralize. Due to limited funding historically, security teams typically centralized the things it wanted to accomplish. Makes sense with limited mandates and resources, but that's not the way it is any longer. Centralizing everything means you will not scale, security teams have to get good at letting other people do the work. Function in large part in an advisory role. Reagan and the CIA In the cold war come to mind. Instead of fighting a hot war all over the globe, send out advisors and train and arm the rebels. That is way cheaper, gives you better coverage and scale. We cannot implement everything inside of infosec, we need other teams to help, Dev, QA, Ops, those teams in turn need training and tools to be effective. (Don't like Reagan/CIA example? Fine. Try Charlemagne)
Don't worry about products and marketecture, instead always seek to answer the question - who does this? Security solutions that do not have owners are not solutions.
Do less and do it better. Five Guys does this and you should too. Take a look at your security policy. How much of what is in there is even remotely possible? How much is CYA boiler plate? I would say its about 10%/90%. Waving your hands and saying "hey, you, stupid go do "least privilege"" that is not helpful in the least. I'd like to say scrap the whole security policy and start over, but that's not going to happen. Instead, write a real checklist and build a real process around it. The checklist should only contain capabilities that an average developer or ops person can design, develop, deploy, or operate today. If it does not exist in that form and its an important capability, then it is on architects to find one that can and/or its on engineering teams to get the system production ready.
Integration is the key. SImple design make it easier to integrate. Integration is required to scale. The basics of security are not that different from 10 or 20 years ago. Authentication, authorization, key management, these go back a long way. Where we need to get way better is on the integration side, getting breadth and depth of the capabilities we already have.
This is no time to play small ball and do the old "well over in my security dept things are fine I do not know what those other departments are doing." That stuff never worked as anything other than cya, and sure as hell doesn't work now. There is a tremendous amount of catch up to play here, its not "hey I got funded back to the isolation chamber", nope the real work is starting now, it will be measured on coverage and efficacy not computer history lessons, that work can't start any sooner than right now. Its end of the beginning for infosec.
Agreed with all of this. I would actually take it further and say what I am working on is to not have a security team at all, just more educated users who incorporate security processes into each of their roles. There aren't many success stories with a centralized model, so I thought trying something different - when I wasn't going to get funding for what was required in the first place - was the way to go.
Posted by: LukeDonoho | February 10, 2015 at 08:22 AM
Great article, enjoyed reading it. One comment to add. Almost feels like the security dog didn't catch the car as much as the car slammed on the breaks and backed into the dog. Business now sees the necessity and importance of security as an enabler to their changing business. For us it certainly felt like they realized they needed security dog for their road trip and now we are tied to the roof.
Posted by: CGinMN | February 10, 2015 at 04:09 PM