
My Friends, it’s True. The Times, They Are A’changin.’

If you’ve ever heard that Bob Dylan song, you’ll know what I’m talking about. As the music legend serenades you with his unique voice, you start to realize that what he’s really saying is that nothing stays the same. The things of yesterday are not the things of tomorrow. 

Who knew Bob Dylan would herald the regular transformation cycles that are information technology?

I love that song. And it tells me if I listen carefully and apply the lessons to my work-life, I will discover the following:

It’s time to wake up! The world around us is changing on a regular basis. Right now the types of technologies that we’re just starting to understand are already becoming outdated. Every year that passes, the pace of change accelerates. It’s like gravity—you accelerate at an increasing rate—except I don’t feel we have a terminal velocity yet in technology. We just keep going faster. What’s critical in this is self-realization. Security professionals need to realize that we can’t rely on knowledge, process and tooling that was top of class a year ago because it’s most likely no longer even relevant. Acknowledge that security needs to continuously evolve with business, technology and adversaries. Start swimming, or you’ll sink like a stone.

Opportunity knocks daily. It feels like every week, sometimes every day, we security professionals have an opportunity to influence the next big technology revolution. I think it’s safe to say that we’ve pretty much missed most of them, so far. We pontificate, belittle and ask, “Why would you do that?” But change happens. When the world started going mobile, we were busy trying to keep them tethered to their desks with dependence on yesterday’s security paradigms. While we were telling IT leaders to backhaul all their web traffic through a central office, users were sitting at Starbucks using Dropbox and Salesforce, and completely ignoring security’s outdated mandates. Keep your eyes open—the chance won’t come again.

We must lead, follow or get out of the way. Many in security today still try to maintain they work for the department of “No.” Maybe you do, and maybe you can exert your power in some short-term way over a limited piece of your organization. But I promise you this: playing the “no” game is a losing proposition. I suggest you lead—meaning, get involved early and provide valuable guiding input. The alternative is following, which we’re all doing today and every day. Catching up to things that have already been released (Internet of Things, cloud, etc.) is hard, and the security value is always a delivery of compromise. The last option, and perhaps the last-chance one, is to simply let it all go and try to catch it as it falls—before it all goes catastrophic. There are plenty of organizations that operate this way. I don’t advise it, but it’s definitely one way of doing things. I think the net is you have to pick and then accept the consequences. He who gets hurt will be he who has stalled.

It’s time for a stack rebuild. We’ve been dependent on a legacy technology stack in security for 20+ years. Perimeter security, on-the-wire intrusion detection and prevention, endpoint security, local identity directory and a million passwords. That stack is rapidly becoming decrepit and a hindrance to business. What does the next stack look like? I think a large hint to the future lies in the cloud. Cloud-native applications and services are inherently built with elasticity, scale, and resilience. Security should match these qualities breath for breath. I think the stack of tomorrow’s security future has to address the cloud head-on and be born in it. Identity, workload, applications, data—these are the relevant components that security will need to build the security stack around. The exact delivery is still a bit nebulous, but I suspect the future is rapidly coming. Now is the time to think about modernizing your enterprise security stack. The alternative is a complete loss of visibility and unquantified risk. Your old road is rapidly aging.

Who knew Bob Dylan was such a genius, other than his family and fans of course. The future is quickly approaching, and you can choose to deny it, but it doesn’t care. The future doesn’t need your permission, because the times they are a’changin.’

Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.