It’s absolutely true that, more often than not, security is a barrier to getting things done, whether it’s a forgotten password, waiting for resources to be provisioned, or a risk-based decision that delays a new initiative because the potential risks are too high without some additional mitigation. However, when approached correctly and with some forethought, it doesn’t have to be this way.
Every business today, of every size, has to learn how to be nimbler than ever. It seems every vertical market is being transformed by digitization. Every day, businesses are being disrupted by trade markets expanding globally, new scientific breakthroughs, and new technologies and ways of managing business-technology systems to drive revenue. Just consider the rise of cloud computing, DevOps, and continuous delivery. The pace of change has accelerated to such a velocity that CIOs and chief digital officers have a hard time maintaining pace. And if they are having a hard time keeping up with the rate of change, how can security practitioners ever expect to do so?
Consider the findings of the Global Trends in the Identity Governance & Access Management study, conducted by the Ponemon Institute (and funded by Micro Focus). While the study looks at the specific impact of identity and access management, I think the results also speak to cybersecurity broadly. Consider the main findings from the study:
- 62 percent said they cannot keep up with the rate of change or apply controls that are sufficiently broad to keep information secure.
- 44 percent believe that the process of granting access is burdensome.
- 64 percent say that customer information is at risk because of poor access controls.
- 47 percent say that there is a risk to employee information as a result of poor access controls.
- 49 percent believe IoT is a significant trend affecting identity and access management.
There’s no doubt that security can, and often does, create friction in the business and in the deployment of new technologies. As this study found, timely access is essential, and access provisioning is a clear example of security as a source of friction, especially when identity isn’t designed and implemented correctly. Almost every other form of security control lags behind the accelerated adoption of new technologies, development practices, and management approaches. Consider how many enterprises have struggled, and continue to struggle, as they attempt to latch legacy security toolsets onto cloud environments, or to apply manual testing tools to DevOps teams or continuous delivery pipelines. It just doesn’t work, and in the areas where it does work it’s not efficient and slows down cloud adoption needlessly.
The report had a few recommendations for the enterprise. They are framed in terms of identity management, but they apply to other areas of security as well:
Create a more collaborative relationship between the security and IT teams. Companies are looking to move to mobile platforms and the cloud, and therefore need to bridge the gap between the needs of organizational security and the needs of the business. Security cannot be an afterthought in this process; both teams need to collaborate continually on secure, effective business processes.
Create a process to verify user identity. Granting access based on privileged identities is a must for the integrated and always-on businesses of today. Businesses will need guidance and guardrails from IT in order to create and maintain best practices for granting access. It's important that the security and IT teams work together to create these processes so that risk does not build over time.
Move away from homegrown systems. These internally built systems will not scale and are not flexible enough to accommodate mobile platforms and the eventual shift to the cloud. Although homegrown solutions may have worked in the past, they are not sustainable: the rate of change within the business will continue to accelerate, processes will keep changing, and systems need to be in place that can keep up with that change.
While I agree with the point about homegrown systems, that it’s important to avoid building your own identity or security (especially cryptography) systems, I don’t think it goes far enough. In addition to skipping homegrown systems, enterprises should be looking for security systems that are specifically designed to work in cloud or hybrid cloud/legacy environments. Over the long term, this will make it much easier to add new cloud technologies to the environment.
When it comes to collaboration, this is the essence of DevOps. While I’m not a fan of the term SecDevOps, there needs to be a consistent focus on building and then maintaining collaboration between all parts of the business: leadership, development, operations, and security.
Finally, enterprises have to move beyond simply defining processes. I argue that the rule of thumb should be that anything in IT and security that can be automated should be automated. If security compliance and vulnerability scans can be automated, do so. The same goes for application testing, identity and access management, the prevention of data leaks, and so on. The only way security teams have a chance of keeping up with the accelerating rate of change is to automate as much as they reasonably can. The caveat is that they have to be diligent about maintaining their automated tools and scripts so that they stay in line with technology, system, and policy changes.
While these practices certainly won’t solve all of the challenges associated with the rapid adoption of new technologies and changing market conditions, an organization that collaborates as much as possible, embraces automation, and looks first for cloud-based solutions will be able to respond a lot more rapidly than those that do not take these steps. And it can do so in a very secure way.