We’ve listened to the pain points of CISOs around the country, many of whom say managing an effective application security program often feels like trying to survive in the Wild West. It’s a great metaphor. You’ve got cowboys and gunslingers and outlaws. There are open frontiers and endless opportunities for pioneers. But instead of dodging bullets, CISOs are now facing modern challenges like championing cybersecurity efforts, unifying DevOps with security, managing the security of complex IT infrastructures and complying with stringent regulatory requirements.
At ZeroNorth, we have answers and insight to address these concerns. In our first installment of a six-part series, we will address CISOs who are looking to not only survive the untamed world of application security but to prevail in the fight for digital transformation. Follow us as we venture through the modern terrain of vulnerability management and find out what it takes to live securely in this new cyber landscape.
The New Landscape
Much like the role of an old town sheriff, the duties of a CISO have changed considerably since the position first emerged, and so have the challenges. Technical tasks have grown into enterprise initiatives, and the focus has expanded from regulatory compliance to risk management. Think back to 1994, when Citicorp was hacked and forced to recognize that security is a business issue, not just a technology challenge. In response, Citicorp created a new position and made Steve Katz the first person to wear the CISO badge. Many followed in his footsteps, and the role has evolved ever since.
Today, with digital transformation accelerating development cycles, a growing number of CISOs count secure software development among their top priorities, and there are solid business reasons for the shift. Higher quality software raises productivity and lowers the total cost of ownership (TCO) of an organization's vulnerability management program, but only if that software is also secure: every defect that ships becomes a finding to triage, fix and re-test later. As a vital input to the ROI calculation, your TCO is the sum of all direct and indirect costs of the vulnerability management program: tooling, the engineering hours spent triaging and fixing findings, and the cost of the incidents that slip through. Once that calculation is clear, CISOs are well placed to frame security as a dimension of software quality and enable secure DevOps, the new sheriff in town.
Part of this orientation involves integrating security into the DevOps process so that vulnerability identification and remediation become consistent and continuous rather than an end-of-cycle audit. Building a DevSecOps culture sets the tone for new thinking about when security should happen and creates strategic alignment among teams. CISOs now recognize the need to move security testing earlier in the software development lifecycle (SDLC), where a defect is cheapest to fix and has not yet reached production. That willingness to take on risk with confidence, backed by the right digital gunslingers on the team, is what gets the job done.
According to DevSecOps.org, a community of industry practitioners dedicated to the science of how to incorporate security into development and operations, there are some guiding principles to consider when shaping your DevSecOps culture and practice.
- Customer-focused mindset: Security aims to keep assets safe, while the business must accept some level of risk to grow revenue. There's tension in those hills. Tailor your security program to customer needs and business goals by aligning the two strategies, and make the required security controls easy to understand so that they can be applied consistently regardless of which team owns the code, rather than bolted on by one department.
- Scale, scale, scale: Security can't be an obstacle; it must keep pace with innovation. To scale, cut manual steps by embracing SDLC automation and continuous scanning, so that every build is tested the same way without waiting on a human. The result is faster remediation and better overall application security.
- Objective criteria: The organization must be able to make fast decisions based on security information. To do this effectively, CISOs need objective criteria to guide how, when and in what order to focus on security issues. Creating a security scorecard provides critical direction for making this happen.
- Proactive hunting: It’s not enough to build a good, reactive incident response process. You want to identify vulnerabilities before they become attack targets. You need to integrate internal, proactive security testing—along with immediate, actionable remediation guidance—into the development process.
- Continuous detection and remediation: Continuous integration and continuous delivery require continuous detection and remediation. That takes automation and real-time data for ongoing monitoring and analysis across the entire SDLC. A closed feedback loop, from finding to fix to re-test, is also key to turning that data into decisions and into forecasts of which defensive controls will best support business outcomes.
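As an added worked example (not ZeroNorth's code and not taken from DevSecOps.org), the block below turns the "objective criteria" and "continuous detection and remediation" principles into something a pipeline can actually run: it normalizes findings from several scanners, collapses the same defect reported twice, scores the application by severity and SLA age, produces a prioritized work order, and returns a pass/fail gate decision. The severity weights, SLA windows, tool names, rule names, locations and dates are all constructed assumptions chosen for illustration, not real findings or a vendor's scoring model.

```python
"""Security scorecard and CI gate computed from normalized scanner findings.

Added example, not ZeroNorth's product code. Tool names, rule IDs,
locations, dates and the weighting policy are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Hypothetical policy: penalty weight per severity and the SLA (days to fix).
SEVERITY_WEIGHT = {"critical": 40, "high": 15, "medium": 5, "low": 1}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    tool: str         # scanner that reported it (SAST, SCA, DAST, ...)
    rule: str         # rule identifier as reported by the tool
    location: str     # file:line, dependency coordinate or URL
    severity: str     # critical / high / medium / low
    first_seen: date  # first pipeline run in which the finding appeared

    def fingerprint(self) -> tuple[str, str]:
        # Two tools flagging the same rule at the same location is one defect.
        return (self.rule, self.location)


# Constructed sample data; one defect is reported by two SAST tools.
TODAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("sast-a", "sql-injection", "app/db.py:42", "high", date(2024, 1, 2)),
    Finding("sast-b", "sql-injection", "app/db.py:42", "high", date(2024, 1, 5)),
    Finding("sca", "vulnerable-dependency", "pkg:pypi/examplelib@1.0", "critical", date(2024, 2, 27)),
    Finding("dast", "missing-security-headers", "https://staging.example/login", "medium", date(2024, 2, 20)),
    Finding("sast-a", "hardcoded-secret", "app/config.py:7", "low", date(2023, 6, 1)),
]


def dedupe(findings: Iterable[Finding]) -> list[Finding]:
    """Collapse duplicates across tools, keeping the earliest first_seen so
    the SLA clock starts when the defect first became detectable."""
    unique: dict[tuple[str, str], Finding] = {}
    for f in findings:
        fp = f.fingerprint()
        if fp not in unique or f.first_seen < unique[fp].first_seen:
            unique[fp] = f
    return list(unique.values())


def days_overdue(f: Finding, today: date) -> int:
    """Days past the severity's SLA; 0 when still inside the window."""
    return max(0, (today - f.first_seen).days - SLA_DAYS[f.severity])


def scorecard(findings: Iterable[Finding], today: date) -> dict:
    """Severity-weighted score out of 100; an SLA breach doubles a finding's cost."""
    unique = dedupe(findings)
    counts = {s: 0 for s in SEVERITY_WEIGHT}
    penalty = 0
    overdue = 0
    for f in unique:
        counts[f.severity] += 1
        weight = SEVERITY_WEIGHT[f.severity]
        penalty += weight
        if days_overdue(f, today) > 0:
            overdue += 1
            penalty += weight
    return {"score": max(0, 100 - penalty), "counts": counts,
            "unique": len(unique), "overdue": overdue}


def remediation_order(findings: Iterable[Finding], today: date) -> list[Finding]:
    """Objective work order: severity first, then how far past SLA, then age."""
    return sorted(dedupe(findings),
                  key=lambda f: (SEVERITY_RANK[f.severity], -days_overdue(f, today), f.first_seen))


def gate(findings: Iterable[Finding], today: date, min_score: int = 70) -> tuple[bool, list[str]]:
    """CI gate: fail on any open critical, any SLA breach, or a score below min_score."""
    card = scorecard(findings, today)
    reasons = []
    if card["counts"]["critical"]:
        reasons.append(f'{card["counts"]["critical"]} open critical finding(s)')
    if card["overdue"]:
        reasons.append(f'{card["overdue"]} finding(s) past SLA')
    if card["score"] < min_score:
        reasons.append(f'score {card["score"]} below threshold {min_score}')
    return (not reasons, reasons)


if __name__ == "__main__":
    print(scorecard(SAMPLE_FINDINGS, TODAY))
    for f in remediation_order(SAMPLE_FINDINGS, TODAY):
        print(f"{f.severity:8} {f.rule:25} {f.location}  overdue={days_overdue(f, TODAY)}d")
    passed, why = gate(SAMPLE_FINDINGS, TODAY)
    print("gate:", "PASS" if passed else "FAIL", why)
```

Running the file prints the scorecard, the work order and the gate verdict for the sample data; in a real pipeline the gate's boolean would become the job's exit status, and the scorecard dict is what a governance dashboard would trend build over build. Two design choices carry the weight: deduplication keys on rule plus location rather than on the reporting tool, so adding a second scanner raises coverage without inflating the count, and the SLA clock starts at the earliest sighting, so a finding cannot be "reset" by re-running a different tool.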
Ride for the Brand
To a cowboy in the Old West, “riding for the brand” meant signing on to the mission and goals of the ranch owner. The rider was viewed as a team player dedicated to protecting the brand—the mark on livestock identifying the owner—as though it were his own. It was the rancher’s version of strategic alignment. So how does a CISO create a ride-for-the-brand culture and practice?
First, determine who is actually responsible for security across the SDLC in your organization. There's an argument for developers, the people writing the code, to own security. There's another argument for security experts to own it. Both are right. Application security must be a coordinated collaboration among the Dev, the Sec and the Ops parts of the program, and it needs to span not just the entire SDLC but the entire organization.
Security can be a hurdle, or it can be a competitive advantage. You must also figure out how to insert the strongest controls with the least disruption to developers. Convincing development teams to write secure code isn't difficult; they want to do it, they just need the right tools. For example, instead of handing them a secure coding standard to read, give them instrumentation in their pipeline and editor that identifies defects and points to the fix. Code that passes those checks goes on to production, and reporting is based on facts and KPIs gathered by the governance platform rather than on self-assessment, so quality measurably improves over time. Position the effort as owning quality rather than just security, and it gets easier still.
Finally, keep your security posture current as your company and the external threats it faces evolve. You need continuous visibility into your security so that you can review your information security policies regularly. Any shift will require strong security leadership: proactively introduce new controls and provide appropriate training for employees.
DevSecOps Tames the Wild West
The journey to DevSecOps isn’t easy. But throughout this blog series, we will explore topics necessary to make this goal a reality. And it can be a reality when CISOs face the challenges ahead by taking thoughtful steps towards a stronger security posture. This is where progress on the terrain of application security can be found. Integrate security immediately and start promoting an inclusive culture that spans the organization.