“Progress is impossible without change, and those who cannot change their minds cannot change anything.” – George Bernard Shaw
Although George Bernard Shaw died nearly 70 years ago, well before the security industry developed, his words encapsulate the evolution of security from hardware and point products, to an approach that relies increasingly on security DevOps.
Let’s take the first part of the quote: progress is impossible without change. The IT security industry has changed tremendously over the last twenty years. New vendors enter the market all the time with solutions designed to better protect organizations from the latest threats. There are hundreds of security vendors, not to mention open-source tools.
Today, security teams face a highly fragmented market – picking and choosing tools from various vendors. The best-of-breed approach has ruled the day, and many organizations now have a patchwork of product platforms from various security companies. According to Cisco’s 2018 Security Capabilities Benchmark Study (PDF), 46 percent of security professionals said they used products from 11 or more vendors, up from 28 percent the prior year. The security industry continues to advance as business models shift, the attack surface expands, and threats evolve. But to gain the full benefit of this progress we have needed to change our mindset.
Which brings us to the second half of the quote: those who cannot change their minds cannot change anything. Gone are the days when you can simply put various pieces of hardware in place and think you’re protected. Unless these disparate solutions talk to each other, legitimate threats slip through the cracks. To close this gap, enterprises are now rethinking the way they purchase and deploy security technologies. Research from ESG finds that 62 percent of security professionals surveyed are actively consolidating their cybersecurity vendors and 82 percent are using an architectural approach to guide this consolidation – integrating multiple individual products and platforms. This is where an increased demand for security DevOps comes in.
Security vendors today make APIs available so that someone else – the customer or a third party – can write software to access the APIs and tie solutions together. Many vendors are going a step further and adopting an API-first strategy, meaning their own user interfaces and administration consoles talk to the APIs. Others can use those same APIs to aggregate data into a single, easy-to-read pane, which can save a tremendous amount of time and improve security operations.
A focus on security DevOps is also enabling software-defined networking and software-defined access so that enterprises can respond quickly to changing business requirements and enhance security. The solutions centralize configuration and management and use automation to deploy and secure applications and user access faster, with the right policies for users or devices to any application, across the network.
Using software to bridge gaps between different technologies and tools provides end-to-end visibility and control and reduces complexity. This allows security teams to detect, contain and remediate threats more efficiently because they have greater context. It’s not that different from how law enforcement investigates a crime. They look for evidence at the scene of the crime. But if they have access to other information, like video cameras in the vicinity and ballistics, they may be able to gather other valuable evidence for a more complete picture of what happened. Greater context drives efficiency and effectiveness of the investigation.
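As an added illustration of the two points above (aggregating vendor APIs into one pane, and gaining context by bridging tools), here is a small Python script that is not from this article or from any vendor's SDK. It assumes two hypothetical products, an endpoint product and a network product, whose REST APIs return JSON in different shapes; the sample responses and every field name in them are constructed for the example. The script normalizes both into one alert schema, groups alerts by host, and flags hosts where both products fired within a short window, which is the "greater context" a single console would not show.

```python
"""Added example (not from the article or any vendor): normalize alerts from two
hypothetical vendor APIs into one schema and correlate them by host."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any

# Constructed sample responses, shaped like what two different (hypothetical)
# vendor REST APIs might return. All field names and values are invented.
ENDPOINT_API_RESPONSE = {
    "detections": [
        {"id": "e-1001", "host": "WS-042", "detected_at": "2024-05-01T10:03:12Z",
         "severity": 7, "description": "Suspicious PowerShell child of winword.exe"},
        {"id": "e-1002", "host": "WS-017", "detected_at": "2024-05-01T11:40:00Z",
         "severity": 3, "description": "Unsigned driver loaded"},
    ]
}
NETWORK_API_RESPONSE = {
    "events": [
        {"event_id": 55, "src_hostname": "ws-042", "ts": 1714557850,  # 2024-05-01T10:04:10Z
         "risk": "high", "signature": "DNS query to newly registered domain"},
        {"event_id": 56, "src_hostname": "srv-db01", "ts": 1714562000,
         "risk": "low", "signature": "Port scan (internal)"},
    ]
}


@dataclass(frozen=True)
class Alert:
    """Common schema both products are mapped into."""
    source: str          # which product raised it
    alert_id: str
    host: str            # lower-cased so both products key the same way
    timestamp: datetime  # timezone-aware UTC
    severity: int        # common 1 (low) .. 10 (critical) scale
    summary: str


def normalize_endpoint(payload: dict[str, Any]) -> list[Alert]:
    """Endpoint product: ISO-8601 'Z' timestamps and a numeric 1-10 severity."""
    return [
        Alert("endpoint", d["id"], d["host"].lower(),
              datetime.fromisoformat(d["detected_at"].replace("Z", "+00:00")),
              int(d["severity"]), d["description"])
        for d in payload["detections"]
    ]


# The network product uses words for risk; map them onto the common scale.
RISK_TO_SEVERITY = {"low": 2, "medium": 5, "high": 8, "critical": 10}


def normalize_network(payload: dict[str, Any]) -> list[Alert]:
    """Network product: epoch-second timestamps and a textual risk level."""
    return [
        Alert("network", str(e["event_id"]), e["src_hostname"].lower(),
              datetime.fromtimestamp(e["ts"], tz=timezone.utc),
              RISK_TO_SEVERITY[e["risk"]], e["signature"])
        for e in payload["events"]
    ]


def _cross_source_within(items: list[Alert], window: timedelta) -> bool:
    """True if two consecutive alerts from different products fall within `window`."""
    return any(prev.source != cur.source and cur.timestamp - prev.timestamp <= window
               for prev, cur in zip(items, items[1:]))


def correlate(alerts: list[Alert], window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Group alerts by host and rank hosts; multi-product hits within the window come first."""
    by_host: dict[str, list[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.timestamp):
        by_host.setdefault(a.host, []).append(a)
    cases = []
    for host, items in by_host.items():
        cases.append({
            "host": host,
            "alerts": items,
            "sources": sorted({a.source for a in items}),
            "max_severity": max(a.severity for a in items),
            "multi_source": _cross_source_within(items, window),
        })
    return sorted(cases, key=lambda c: (c["multi_source"], c["max_severity"]), reverse=True)


def build_single_pane(endpoint_payload=ENDPOINT_API_RESPONSE,
                      network_payload=NETWORK_API_RESPONSE) -> list[dict]:
    """Pull both products' data into one ranked view."""
    return correlate(normalize_endpoint(endpoint_payload) + normalize_network(network_payload))


def render(cases: list[dict]) -> str:
    """Plain-text version of the 'single pane': one ranked block per host."""
    lines = []
    for c in cases:
        flag = "CORRELATED" if c["multi_source"] else "single"
        lines.append(f"{c['host']:<10} sev={c['max_severity']:<2} {flag:<10} "
                     f"sources={','.join(c['sources'])}")
        for a in c["alerts"]:
            lines.append(f"    {a.timestamp.isoformat()} [{a.source}:{a.alert_id}] {a.summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_single_pane()))
```

Run as written, the host ws-042 rises to the top because the endpoint detection and the network event landed within a minute of each other, even though neither alone carries the highest severity. In a real deployment the two constructed payloads would be replaced by authenticated calls to each product's API, and the normalizers are the only code that needs to change when a vendor is swapped, which is the practical payoff of the API-first integration the article describes.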
What does the increasing reliance on security DevOps mean for security professionals? Organizations need to step back and make sure they have the right people on the team. Different teams within security operations use different tools. Bringing these tools together into an enterprise security architecture requires representatives from each of these teams working together to develop and execute a roadmap.
Integration is also creating a shift in the skills security teams require. Teams now need software engineers who understand security or security engineers who can code. This combination of skills can be extremely difficult to find, particularly when we already have a dearth of cybersecurity talent. Most software engineers aren’t steeped in security; they are experts at writing code. But without understanding how it will be deployed, in what types of environments, and the tools, techniques, and procedures (TTPs) of threat actors, they may not create an optimized solution. Similarly, security engineers are experts at planning and carrying out security measures. They don’t typically have knowledge of programming languages like Python and Java used to consume APIs.
Whether you work with in-house security resources or outside consultants, you must make sure you involve the right people with the right skill sets from the start, so you can capitalize on the value of security DevOps to your security architecture. By shifting our mindset we can change and take advantage of the exciting progress that’s happening in security.