IT security sucks: Here's why (and how to fix it)
By Ash Wilson
The rise of cybercrime across the globe has proven that traditional criminals are finding new ways to attack. Physical access to the goods is no longer required; the basic requirements are now internet connectivity, an intellect capable of operating tools built by someone else, and a pronounced lack of scruples.
While the modern workforce is familiar with buzzwords like cybercrime and black hat, only 38 percent of organizations surveyed for ISACA's "2015 Global Cybersecurity Status Report" claimed they were prepared to defend against cybercrime attacks. That isn't to say that no effort has been made to combat the issue: global spending to combat cybercrime reached $80 billion in 2016.
If awareness of the issue is common and spending is allocated to address the problem directly, why does IT Security still -- put simply -- suck? Three primary reasons must be acknowledged before awareness and dollars are put to good use:
IT Security is a high-friction environment full of parts that need to be able to move faster.
Rapid developments in IT workflows and processes have created tension between tools and targets. Today, organizations are using DevOps methods with automated toolchains to enable agile development teams to produce code quickly and efficiently, several times a day. This hasn't always been the case. As little as ten years ago, the standard workflow was called the "waterfall" process. It could take a year for an idea to flow from planning to development, testing, and then deployment.
Speed isn't the only thing that has changed. The lifespan of a server (workload in modern parlance) has gone from years to days or even hours and minutes. While this might all sound well and efficient, traditional security tools - both network-based tools and host-based tools - can't handle the current pace of change. These tools require too much manual configuration and track assets based on less pertinent attributes such as physical location, network zone and IP address.
IT Security is currently stuck trying to protect rapidly evolving applications with unbearably inflexible tools.
Don't add security as a component of your work; involve it holistically.
In many companies, security is an afterthought that gains more traction after a hit. Unfortunately, the cost of downtime caused by DDoS attacks to an ecommerce business, for example, can average $40,000 per hour.
The rapid development of attack tools and techniques, and the heavy cost of recovery after they go to work on your business, mean that automated security features should be incorporated from the beginning. The problem isn't your hardworking team, and the solution is not faster people; it is better tools that leverage the automated toolchains that enterprise DevOps teams are using to produce and deploy new applications quickly.
C-suite top-down policies hinder success.
If you have a team of four people who aren't able to fully lead the campaign for IT security, a common solution has been to hire a fifth. But what if the five can't handle it? Do you hire a sixth? Sure, throw caution to the wind and spit in the eye of Brooks's Law. Let me know how that works out. With more than 1,000,000 cyber security jobs remaining open according to Forbes, you simply couldn't find enough people to hire - even if you could afford them. In addition, between the security system add-ons and services and the human capital involved in taking time to understand the issues as they arise, productivity is taking a major blow. This traditional type of cybersafety has attempted to sidestep the crucial fact: 77% of IT security professionals said that their information security policies and teams are slowing IT down.
Unfortunately, the standards and compliance directives aren't always in the hands of company leaders. Industry and federal regulations like PCI, Sarbanes-Oxley, and HIPAA were created and designed to keep sensitive customer data safe, but these can cause headaches for the team that must maintain strict accountability.
The solution isn't to tackle security issues or adjust to new regulations as they arise, but to ensure that security is baked into the application development and deployment and/or DevOps process, rather than bolted on. Automation is key. It's essential that your tools can monitor, detect, and defend your workloads, and also expand as your usage does, to ensure security from development through delivery. By taking the manual element away from the process, you establish a continuous integration methodology, which allows for speed and consistency of delivery. For example, if a security policy needs to be adjusted, you do it once, thus eliminating inconsistency in the system or unnecessary outages. Automatically filing security-related defects against pre-production code makes your security operations more proactive. If your infrastructure is codified, all the better: you're able to greatly diminish surprise and reactive security practices for your entire application stack.
IoT presents a world of exploitable opportunities.
How many tools are at your team's disposal? Many businesses are concerned about cloud services because they feel a loss of control, specifically regarding security issues, but the rise of IoT tech is offering innovations that may intrigue executives and staff.
One of the pain points involved in this is a sense that there is a lack of standards to provide transferability between service providers. Put simply, they resist reliance on third parties because it makes it harder to bring services back in-house if so desired. While these concerns are valid, the use of these third-party integrations, services and tools is vital for success.
When choosing a tool that incorporates IoT, keep security at the forefront of your mind. CSOOnline claims that in 2017, IoT security holes will lead to the destruction of critical infrastructure and increases in competitive intelligence gathering and intellectual property theft. While a robust suite of resources may seem like an immediate and acceptable choice, it's important to note that each additional item provides another opportunity for a situation to arise where you must throw labor at managing a fractured toolset that doesn't play well with others.
To achieve "security on-demand," deploy cloud-based technology to ensure its security posture is never static.