Too many organizations have historically opted for speed at the expense of protecting their data and systems. It’s not an either-or decision. It’s time to start asking, “How do we actually implement both?”
Continued education about balanced development — the notion that speed and risk can be addressed simultaneously — is key. Many organizations have started down this path, but they’re at varying levels of maturity. Guidance is always helpful, however, no matter an organization’s stage of development.
Security spending isn’t paying off
When developing an operating model, organizations naturally focus on their business needs and how technology can meet those needs — not security. Today’s cloud-based digital environment, rife with mobile applications, has forced organizations to focus on speed and producing new capabilities — again, not security.
Many organizations use DevOps software development and a continuous integration/continuous delivery pipeline. These pipelines spin out new services quickly — but with little regard for security.
As a result, C-level business leaders face a disconnect between their security priorities and the results of their program. Executives are willing to spend money on security, but the reports that come back to them demonstrate technical merits rather than verifiable mitigation of business risks. Key questions about an organization’s risk concern its resiliency and its ability to minimize the costs of breaches and insurance. Many of these questions go unanswered.
A growing threat
The increase in cyberattacks, which are becoming more sophisticated and damaging, continues to reinforce this disconnect. The attacks involving SolarWinds, Colonial Pipeline and JBS exploited security gaps to target data and critical industries.
Business leaders are aware of the importance of security and risk management — often a regular boardroom topic. Yet, evidence still shows security isn’t truly integrated across organizations.
We know what we need to do; we just don’t know how to do it. A clear operating model for balancing speed and security is missing within the industry.
Organizations are scrambling to meet this challenge, but many find themselves working in the dark. Thankfully, industry groups are showing organizations how to incorporate security within a digital operating model.
Bringing balance to development
Security has traditionally been viewed as a technical activity. It has since evolved into a fundamental business activity, and a gap has developed between DevOps teams and the security needs of the business. Attackers’ focus on business-critical data in recent high-profile breaches underscores this point.
Security in the development process must start at the top and involve all stakeholders within business and security realms. A security reference architecture will help companies assess risk by identifying their risk tolerance, highlighting gaps and revealing what needs to be done from an investment standpoint.
In broad terms, an operating model shows how a system will work from a process and integration standpoint. A reference architecture reveals the specific items that need to be considered from a competency and capability perspective. By aligning the operating model and reference architecture, stakeholders can work together to truly integrate security into business operations.
Collaboration is key
Groups and businesses are sharing information on reference architectures across the industry. Microsoft, for example, shares reference architecture use cases ranging from zero trust to cross-platform capabilities. The Industrial Internet Consortium supports projects such as a common reference architecture for IoT. The DevOps Bookmarks site also offers a host of reference implementation tools.
No single organization can do this work on its own. For now, standards groups and consortia are working tirelessly to educate and inform organizations. The future of a balanced cybersecurity model depends on collaboration between DevOps and security teams.
About the author
Altaz Valani is the director of insights research at Security Compass. Before his current position, Valani was senior research director and executive advisor at Info-Tech Research Group, providing advice on application development, application rationalization, Agile, cloud, mobile and the software development lifecycle. Valani is currently vice chair of The Open Group Security Forum, is a member of the SAFECode Technical Leadership Council and sits on industry working groups at IEEE, Cloud Security Alliance, OASIS and Object Management Group.