As a chief information security officer (CISO), how do you build a cybersecurity practice that supports the digital transformation efforts of a company?
Before founding what is now my current company nearly four years ago, I spent most of my career in a practitioner’s chair as chief technology and security officer with a financial group and earlier as VP of corporate audit at an investment banking company. While these are stories for another day, my experiences there are what drove me to establish this company and to make the push toward risk-based vulnerability orchestration across applications and infrastructure. This shift in perspective means finding more effective ways to integrate security tools into the existing digital environment without impacting the speed of business.
It is important to remember that every company today, regardless of its model, is a software company. From surgical robotics to autonomous vehicles to beer distributors, all businesses are focused on bringing better products to the market at a faster rate, which translates into the need for a more robust software development life cycle (SDLC). And because the software these companies bring to market must support their business objective of maintaining ongoing customer and partner trust, the role of security is always in play. In this way, the digital transformation of any organization relies heavily on its cybersecurity practices, a process based on three basic pillars:
1. Modernizing The Software Development Stack. Because these bundles of software are what comprise the back end — from the operating system to programming frameworks — and provide a layer for compatibility, they remain a critical piece of the digital transformation process.
2. Moving To Microservices. An effective application programming interface (API) strategy improves the speed and quality of software development. Monolithic applications typically run in a single process; by breaking them into smaller “micro” services, each with an independent function, it becomes easier to implement and manage security.
3. Using The Cloud. Finding an effective cloud strategy that merges traditional environments with the latest technologies is key to building resilient and security-rich solutions for business.
In the past, I have met with a number of CISOs to discuss strengthening cybersecurity across the SDLC, a conversation that inevitably brings up the subject of digital transformation and how it can be facilitated through proper support. Regardless of industry, these executive leaders tend to share three significant concerns:
1. Achieving Visibility Across The Enterprise. Even though application security (AppSec) teams share a tight connection with security operations (SecOps) and vice versa, there is still a disconnect between the two. CISOs are continually trying to tackle this issue and gain a more holistic view of what’s happening in their environment. And with so many silos functioning at once, this can feel almost impossible.
2. Driving Security In A World Of Continuous Delivery. To keep companies competitive in today’s digital market, IT teams are driven to deliver applications and capabilities at a breakneck pace. Realistically achieving this goal, while also ensuring effective security, is hampered by fragmented tools and processes.
3. Aligning Security With Business Priorities. As companies move through the process of digital transformation, certain critical systems and services will remain at the forefront of the challenge. Finding ways to align with these priorities while also maintaining effective security practices is no easy feat.
When it comes to battling these concerns, there is no silver bullet for success. If there were, you wouldn’t be reading this article. That said, there are several places CISOs can look when trying to support the digital transformation initiatives of a company, all of which share a common thread.
Understanding is the starting point for CISOs. It is impossible to align risk with the business if you don’t recognize which systems, applications and services are most critical to the organization.
Strategizing comes from a clear understanding of a company’s current pipeline and processes, as well as the desired future state. As part of this, an assessment should be completed that covers:
- KPIs To Capture: CISOs need to be familiar with their infrastructure and how these assets tie back to the business. Which ones are critical to a business line and must be closely watched to identify risk? What level of risk is acceptable for each? Aligning with the business on these questions early allows for more focused time and attention going forward.
- Existing Scanning Tools: It is important to take inventory of both open source and commercial tools, including those used for static and dynamic code scans, composition analysis, pen testing and assessments of container and vulnerability management. This process will help CISOs better understand where visibility is clear, somewhat opaque or missing altogether — and how it can serve as a roadmap for teams.
Testing and learning never end. Using open-source scanning tools offers a clearer view of the security gaps that exist between priority assets and existing tools when looking for vulnerabilities and risk across the SDLC pipeline, while also checking the efficacy of the current scan tools. Can open-source tools close some of these gaps?
While it’s true digital transformation relies heavily on the modernization of certain cybersecurity practices, we should also never forget the need for human intervention. From managing workflows to drawing insight across the organization, people are the driving force behind the systems and infrastructure that underpin business today. And as leaders in information security, CISOs must continually work to ensure that force heads in all the right directions.