Think about the org chart for your IT department. If security is a siloed and vertical team that reports straight up to the CIO just like engineering or infrastructure, you're definitely not alone. But the bad news is, that legacy approach isn't going to work in the new era of technology services.
The traditional way of thinking about security is changing because a well-defined perimeter that could be protected by hardware appliances is disappearing as vulnerabilities and exploits rapidly develop. With digital transformation at the top of everyone's priority list, organizations are quickly migrating to the cloud, shifting to a mobile-first mindset and even expanding with the adoption of IoT. With these fundamental shifts in infrastructure, the old way of taking a “control” approach to security and trying to figure out the best way to secure an environment after it's been designed and implemented just doesn't work.
Security now has to be integrated across the organization so it can be brought into the conversation earlier. Many of the forward-thinking organizations I meet with are starting to understand the importance of having security as part of the planning process. At these organizations, security is still the responsibility of a CISO who reports to the CIO, but as they take on new initiatives, they're really sharing the responsibility and are aware that security needs to be top-of-mind for everyone.
For example, instead of speaking solely to a CSO or CISO, I'll be introduced very early to people like a VP of Application Development who's in charge of a company's DevOps strategy and then a VP of Infrastructure who's driving the digital transformation and cloud migration.
The key to being successful in moving away from a perimeter-based approach, and restructuring an organization so security becomes a horizontal overlay, is to focus on application security. The Software Engineering Institute estimates that 90 percent of reported security incidents result from exploits against defects in the design or code of software. So hardening code – something that can, and should be done across all function of an IT organization – will go a long way in improving overall security.
By moving away from the control approach where security has been an afterthought, and adopting more of a contextual approach to first understand what needs to be done and why, organizations can then integrate sound engineering practices into the software development lifecycle. And as most organizations adopt a DevOps culture, it will be important for them to ensure that security scanning and testing is moved to much earlier in the development and release process, bringing security teams into the fold.
By working more closely with their counterparts in other areas of IT, security teams can stop being a barrier, gate, or worse yet, the department of “NO!” so they can help guide an entire organization towards better security during these fast-changing times.
This is an important shift in structure and mindset, and one that needs to come from the top down.
