One of the secrets of InfoSec is that while we are spending a lot of resources on security professionals, security technology and compliance activities, in most organizations we’re not actually making an effective impact in reducing successful attacks.
Protecting the wrong things
In Steven Bellovin’s latest book Thinking Security (published late 2015) he writes:
Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong.
I agree with his assessment. Even taken rhetorically without hard numbers, there is hardly a day that passes when a major security breach is not announced in the media. Experientially I know it is true as well: at many organizations the things we spent money on did not reduce the attack surface or add effective prevention mechanisms. Furthering this point, Bellovin writes:
The root of the problem is two-fold: we’re protecting (and spending money on protecting) the wrong things, and we’re hurting productivity in the process.
It is understandable that we are protecting the wrong things to some degree. The industry is a fast-paced landscape of change on both the offensive and defensive side. It’s not acceptable, but it’s understandable. What is not so understandable is the way that InfoSec hinders productivity. This is the most problematic issue in InfoSec today:
InfoSec is hurting productivity in the organization it is supposed to be protecting.
Let’s examine this.
Slowing things down
In Fortune Magazine there was an article (Revving up your Corporate RPMs, Feb 1, 2016) discussing the problem of IT projects taking longer than ever to complete. The article noted that:
the average time to deliver Corporate IT Projects has increased from ~8.5 months to over 10 months in the last 5 years.
What was surprising to me is that the blame for this slowdown was noted to be at least partly (if not wholly) due to InfoSec. The article continues:
the growth of control and risk management functions which is too often poorly coordinated… [Resulting in] a proliferation of new tasks in the areas of compliance, privacy and data protection.
It’s one thing to fail at the job we are hired to do (protect all the things), but it’s a completely different failure when you make the business worse off than before you found it.
With the rise of DevOps there is a change in the cadence of delivering software. We now measure in hours and minutes the cycles that used to take weeks or months. This environment necessitates that security goes fast or risks being skipped altogether. This is as much of an organizational alignment problem as a technical problem. Mark Hillick noted this in his tweet last August:
If security slows down the organization, it will be ignored, not embraced
To overcome this, Rugged DevOps, which is the integration of the InfoSec and DevOps tribes, takes a different approach to security. It hinges on the inclusion of security, or as Ryan Huber from Slack’s Security team has said:
…by deputizing every person at Slack as part of our security team, meaning we have hundreds of people constantly on watch. — Ryan Huber, Slack
At Signal Sciences, one of our core beliefs is that we need to enable security to go fast. We need to provide tooling that isn’t made solely for InfoSec, but that also provides value to Operations, Security and Development. We add insight and visibility to all those groups and teams. We believe that visibility along with a culture that encourages speed and collaboration is the new way forward. Let’s try to protect the right things and speed up the organization.
I’m part of the team at Signal Sciences. We are building an industry-first Next Generation Web Application Firewall (NGWAF), which was built in response to our frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and continuous delivery. Our NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic.