There is a dull hum permeating the industry of late – security is dead some say, others think it to be too costly to maintain, others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem. What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just…well, just done something different from whatever it is we are doing at the time something bad happens.
As we go round and round on the never ending hamster wheels provided as best practice guidelines and securty frameworks by security vendors, consultants, and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile than our opponents. But to believe one can win, implies that there is an end that can be obtained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness. We are as secure as we need to be at any given moment, until we are no longer so – when that happens, regardless of what you may believe, is outside of of our control.
One of the biggest trends in security over the past 5-6 years has been its movement into mainstream IT. Traditionally IT security has been seen as outside of normal business processes. Organizations tended to react driven by a security incident or compromise, an audit or compliance event, or due to perceived changes in the threat landscape. For the most part security has been and still is an afterthought.
There is little doubt that security lags innovation. For example the concept and delivery of cloud-computing was introduced and then it was realized that the lack of security – real and perceived – especially as it relates to visibility and control, was a huge inhibitor to adoption. The same is true for mobility; today many organizations are seeing their employees adopt shiny, new consumer computing devices, like the iPhone and iPad, and requesting access to corporate resources, yet most organizations are still struggling with managing and securing traditional computing assets, such as PCs and servers and there is limited enterprise-class support for these new devices.
For the most part security can only inform, rarely does it affect change, that job is left to the operational teams that must reconfigure a network device, harden a database, patch a workstation or disable services. Most security professionals lack an understanding of the operational environment that they work within and they lack the ability to modify that environment even if they did. So why do security professionals spend so little time understanding their role within an organization?
I would assert that the fundamental problem with security today is that it is not part of the operational lifecycle of IT and until we can integrate security into every elements lifecycle we will forever be left implementing security as an afterthought or bolting it on once we experience a compromise or undergo a TSA like groping of our networks from an auditor. Security must be operationalized, it must become part of the lifecycle of everything IT. This is the theme for 2011: Operationalizing Security.
- To experience wide-spread and main stream adoption security technologies must be operationalized
- To become operationalized security technologies must become integrated as a part of an elements lifecycle
- To become part of an elements operational lifecycle security technologies must provide output that is operationally actionable, integrated within the broader operational eco-system, and support current operational processes.