Quick: What do you think of when you hear the words, “Shall we play a game?”
If you are from my generation, then you are instantly transported back to 1983 and watching a young Matthew Broderick (just a few years removed from Ferris Bueller’s Day Off) and Ally Sheedy (only a few years removed from St. Elmo’s Fire and The Breakfast Club) starting a game of Global Thermonuclear War in the popular movie War Games. For many, this was our first introduction to cybersecurity.
And still decades later, when you mention cybersecurity, this is what a lot of people picture:
Image Courtesy of Giphy
Well, it is nearly 40 years later and while control rooms and Security Operation Centers are still very much in existence and necessary for our protection, they are certainly not the only place where cybersecurity needs to be addressed. With the ever-increasing threat landscape and growing number of vulnerabilities, asking a small group of highly trained experts together in a room to handle all of the possible attacks and threat vectors isn’t just massively unfair. It’s dangerous.
The 2020 Vulnerability Statistics Report from Edgescan states that “64% of professionals admitted to not being fully aware of their organization’s web applications or end-points” and also mentioned that over 8 billion records were breached in 2019. And the proliferation of containers, microservices and the Internet of Things (IoT) only makes it harder.
So, the old model of relying on single-discipline security specialists just doesn’t work, especially when you are moving at the speed of DevOps. Today, successful and secure software development requires approaches – and people – that are multi-disciplinary. What does the security employee of today and tomorrow look like? I’m glad you asked!
A New Kind Of Security Employee
Recently on our Application Paranoia podcast, we sat down with our HCLSoftware CISO, Joe Rubino, and asked him about his thoughts on building a strong culture of trusted security in all that we do. At the heart of this is how we build and nurture a team of security professionals that support an organization and its customer base.
“We all have to assume that additional responsibility of Security Professional. Of Data Privacy Professional. Of Customer Support Professional. And the further we can push ourselves to embrace that new normal… the further along we’ll be”
What we all found very interesting was the discussion on expanding the notion of what a security professional should be. It is likely that you have heard some form of the phrase, “Security is everyone’s job.” There is a certain truth to that. After all, we carry personal devices and use a complex mix of personal and professional assets on a daily basis. We all have a responsibility to do our part. We have to ensure these are updated, used properly and that we avoid obvious things like phishing scams.
These are great things to do, but real security today demands a much more holistic response. Joe expressed it this way: “We all have to assume that additional responsibility of Security Professional. Of Data Privacy Professional. Of Customer Support Professional. And the further we can push ourselves to embrace that new normal, those expectations, those responsibilities associated with that, the further along we’ll be.”
So… What is a Security Professional?
Obviously, Security is a highly technical space that is constantly evolving and increasing in complexity. To thrive in this space, the ability to understand, adapt, apply and learn technical skills is a pre-requisite to success.
But great technical skills on their own just aren’t enough anymore.
Today, we need to further embrace a hybrid model of employee, especially where security is concerned. There needs to be what Joe called a “multi-disciplinary approach.” The idea being that, while people have skills in some key areas, we cannot rely solely on those skill-sets because business needs change and new skills must emerge.
There were a number of keys to success mentioned on the podcast about finding and developing such employees. Among the most important were: Find people that are curious and who have empathy. This is especially important as more organizations work to adopt DevSecOps practices. Curiosity and empathy promote problem-solving and teamwork and build the kind of culture that is critical to long-term success with DevOps and DevSecOps.
“ … the days of ‘Well I’m a great technical security professional so I can get away with significant gaps in these other areas’. For me, that’s just not acceptable.”
If the mentality the security professional has is simply to “Perform this checklist. Done!” then that does not provide the kind of comprehensive security that is needed. And it can’t just be about enforcing policies or compliance with regulations, either. Instead, security practices have to be continually assessed, evaluated and adjusted as business needs evolve. Done right, good security promotes consumer trust and confidence. It declares that “we are responsible with your data.”
Get Away from “Gotcha!”
A key rhetorical question was posed by Joe: “Are we doing the right things for the right reason and avoiding the kind of checklist mentality perspective of what a lot of people think security professionals are?”
Today, Security needs to be a business enabler, not just a gatekeeper. That means the Security professional needs to have alignment to the business. It means increased collaboration, because security can no longer operate in a silo. And, going hand-in hand with collaboration is the need for effective emotional intelligence, empathy and leadership at every level. It means not just seeing potential risks but being able to assess those risks in the context of business value. In short, the view on security has to change from being a place where “NO” is heard to a place where “YES, and here is how we do it safely” is the norm.
Good security lets you go faster.
You read that right. When great security practices are well-integrated throughout the software development lifecycle (SDLC), and meaningful, actionable feedback is provided to teams at all stages then risk is better monitored, managed, minimized and mitigated. The result of this is greater trust built into our systems which reduces the overall time to delivery.
When we are able to move away from a “gotcha” mentality, then we see enormous dividends. One area in particular is with secure coding. We have yet to meet a developer who is trying to write insecure code. They want to do the right things. They want to write good, secure code that works. But, too often we act like our developers need to become security “experts” to succeed. That just isn’t true. We don’t need them to become experts, but we do need them all to become more secure.
In fact, let me illustrate. Imagine you are driving somewhere and all of the sudden your car’s dashboard lights up like a Christmas tree and your engine stalls. You pull over, get out and open the hood, knowing that the chances of you fixing the issue are somewhere between slim and none. Suddenly, you hear a car pull up behind yours and someone comes over, stands by you and looks for a minute. Then, s/he points to a random part of the engine and says, “There’s your problem,” and before you can even respond they go back to their car, get in and drive off. Well, unless you happen to be an experienced mechanic and have the correct parts on hand, their just pointing out the issue doesn’t do much to help you, does it?
Welcome to what is like to be a developer getting an email from a defect tracking system about a security problem.
I was at a major security conference some time ago and nearly every booth I visited shared some flavor of “getting developers involved in security.” The underlying idea was all about developers doing scans and getting reports, with the thinking being that if you could just provide developers with more information about what was vulnerable and where, then of course they would know how to fix it. When I heard this, my first thought was “Good luck with that!”, because the reality is that if a developer wanted that level of security expertise, they would already have attained it.
The truth is that secure coding is hard work. And challenging. And it takes multiple perspectives. We understand the concept of performing code reviews to ensure functionality is met, right? So, is it really that much of a stretch to think that partnering security professionals and developers together for things like threat modeling and security reviews wouldn’t be a good idea? The point is that security professionals can no longer just run tests and report on vulnerabilities that they’ve found. Rather, they need to actively work in concert with development teams to balance, prioritize and remediate. That is what promotes shared learning.
Put It Together
So in summary, successful business today demands a new team-based approach to security and security professionals that are not just technically skilled, but also have the grit, empathy and curiosity to drive better collaboration to reduce risk. Business leaders need to provide environments, platforms and even incentives to promote that kind of collaboration at scale so that trust is enhanced across teams and through pipelines, which ultimately leads to delivering better, more secure software, faster
For more discussion on these and other application security topics, check out the Application Paranoia podcast, read our other blogs and feel free to connect on LinkedIn and Twitter.