11/30/2016
10:00 AM
Kevin O'Brien
Commentary

The Rise Of SecBizOps & Why It Matters

By aligning security dollars and technology with core business requirements, infosec can become a business enabler, not a business impediment.

The term "DevOps" was popularized in 2008 in reference to the cultural movement that emphasizes collaboration and communication between software developers and IT leaders while automating software delivery and infrastructure changes. The goal of the DevOps movement was to break down the informational silos to make software development, testing, and releasing faster and more reliable. 

Eight years later, we have found that the DevOps movement must be expanded to incorporate the growing importance of cybersecurity. We are now in the era of "SecBizOps" – a crucial next step in protecting sensitive information from increasingly advanced and destructive cyberattacks.

The widespread adoption of cloud services over the past five years has driven a populist shift in the business technology landscape; as organizations flock to the cloud and embrace productivity-boosting tools like mobile corporate messaging and email platforms, business apps have become increasingly democratic, empowering a rapidly expanding base of ordinary users to communicate and collaborate with ease. This growing transfer of business activities and data to the cloud has given rise to the demand for SecBizOps.

SecBizOps applies the DevOps philosophy to breaking down informational silos between IT and departments like finance, marketing, and sales. The goal is to natively integrate a frictionless information security strategy into user workflows – one that complements rather than conflicts with technology-centric security investments.

Furthermore, SecBizOps uniquely tackles today’s toughest IT and cybersecurity challenges, namely:

  • Supporting always-on employees and their systems;
  • Supporting mobile devices and BYOD: the always-on access to critical business infrastructure results in the disappearance of a concrete perimeter; 
  • Improving user experience: the increase in technology’s use and ease of use brings with it greater UX expectations. If security is too complicated and requires too much deviation from their usual workflow, employees will find a way around it;
  • Protecting employees: the rise of social engineering/non-payload attacks means that just securing systems isn’t enough anymore. Organizations must secure humans as well. 

Why SecBizOps Matters
In this environment, IT and security teams must work together to make cybersecurity strategies integrated, automatic and visible to the business users themselves. However, many of them do not know how to do this effectively.

The key to stopping cyberattacks is not more tools but a shift in mindset. One of the trends we see is that bolstering detection capabilities is more effective when coupled with automated response capabilities and preventive controls that inform and guide behavior rather than prohibit users from working. For the average end-user, security should be front and center, but only when security is relevant.

Security awareness training also needs to be re-tooled. Instead of simulating false attacks, IT and security teams need to find better ways to alert users in the moment that they are exposed to real ones – and give them the tools to get involved and help make a difference in their own security.  

As part of this evolution, IT and security teams must keep in mind that SecBizOps is a cultural shift and not yet another tool that promises more than it delivers. Our current, outdated mindset has led IT leaders to invest billions in perimeter-based security solutions and training, despite the near-complete erosion of the traditional perimeter as we know it. These integrations are complex, highly expensive, and ultimately ill-suited to address the most effective low-volume, hyper-targeted types of attacks that we see today.

Tom Shultz of Gartner Research pointed out at last year’s Security and Risk Management Summit in London that the paradigm for training, behavior-shaping, monitoring, and employee-enabling technologies will shift as organizations respond to a technological landscape that embraces cloud services, mobile access to corporate messaging and email platforms, as well as growing freedom for employees to use technology in new ways.

Getting Security to "Just Work"
This shift puts SecBizOps on the front line of enterprise security because users – especially non-technical users – increasingly expect security to "just work." In other words, security that is timely, comprehensible, and minimally obstructive will be effective; security that impedes business will not.

But adopting SecBizOps is not as daunting as one may think. First, security and IT teams should take a risk-management approach to their entire security landscape. By implementing security where it will have the highest return-on-investment — for example, by identifying the types of risks that most often lead to large or frequent breaches or loss within your industry or across the market as a whole, and addressing those areas first — it is possible to interweave security into the systems that most need protection.

The simple fact is that nobody really likes security except security professionals. By aligning information security spend and technology with the core requirements of the business, it becomes a business enabler, rather than a business impediment. As one CISO put it in a case study we performed some years ago, this alignment of need and technical capacity is akin to "getting out of the business' way, but ensuring that the right protections are in place to keep it on the right path even as its speed increases."

The technological landscape will change, first and foremost. What we see today as the systematic set of interaction points between executives, trusted partners, and vendors (email, chat, CRM, web, social, etc.) is incredibly dynamic. One of the challenges for a SecBizOps-aligned team is thinking not in terms of point solutions for technologies, but rather in terms of the hub-and-spoke model of infosec. 

This is a view in which data (the hub) is accessed by myriad platforms and products (spokes). Security that exists at the center of the model and protects against types of threats becomes a scalable center, whereas products that focus on the deficiencies or vulnerabilities of spoke-level technologies are commoditized at best, and distracting at worst.

We see the foundation of a SecBizOps approach to be around securing against deception-based attacks. Two years ago, the term was "targeted attack protection," which doesn't adequately convey the character of the kinds of threats that business users face from attackers in the wild. Instead of thinking about targets, SecBizOps looks at tactics, and informs a security approach that aligns to those tactics more directly than in previous generations.


Kevin is GreatHorn's CEO and Co-Founder. With a background in the cybersecurity industry that began in the late 1990s with the seminal security firm @stake (now Symantec), Kevin has held multiple senior executive roles in Boston-area startups, and is a frequent speaker and ...
Comments
TriSqueri,
User Rank: Apprentice
12/2/2016 | 9:51:16 AM
Awesome!
Awesome article, Kevin!