The term "DevOps" was popularized in 2008 in reference to the cultural movement that emphasizes collaboration and communication between software developers and IT operations while automating software delivery and infrastructure changes. The goal of the DevOps movement was to break down informational silos so that developing, testing, and releasing software became faster and more reliable.
Eight years later, we have found that the DevOps movement must be expanded to incorporate the growing importance of cybersecurity. We are now in the era of "SecBizOps" – a crucial next step in protecting sensitive information from increasingly advanced and destructive cyberattacks.
The widespread adoption of cloud services over the past five years has shifted the business technology landscape toward ordinary users: as organizations move to the cloud and adopt productivity tools such as mobile corporate messaging and email platforms, business applications have put communication, collaboration, and company data directly in the hands of a rapidly expanding base of non-technical employees. This growing transfer of business activities and data to the cloud is what creates the demand for SecBizOps.
SecBizOps applies the DevOps philosophy to breaking down informational silos between IT and departments like finance, marketing, and sales. The goal is to integrate a frictionless information security strategy natively into user workflows, one that complements rather than conflicts with technology-centric security investments.
Furthermore, SecBizOps uniquely tackles today’s toughest IT and cybersecurity challenges, namely:
- Supporting always-on employees and their systems;
- Supporting mobile devices and BYOD: the always-on access to critical business infrastructure results in the disappearance of a concrete perimeter;
- Improving user experience: the increase in technology’s use and ease of use brings with it greater UX expectations. If security is too complicated and requires too much deviation from their usual workflow, employees will find a way around it;
- Protecting employees: the rise of social engineering/non-payload attacks means that just securing systems isn’t enough anymore. Organizations must secure humans as well.
Why SecBizOps Matters
In this environment, IT and security teams must work together to make cybersecurity strategies integrated, automatic, and visible to the business users themselves. However, many of these teams do not know how to do this effectively.
The key to stopping cyberattacks is not more tools but a shift in mindset. One trend we see is that bolstering detection capabilities is more effective when detection is coupled with automated response and with preventive controls that inform and guide behavior rather than prohibit users from working. For the average end-user, security should be front and center, but only at the moments when security is relevant to what they are doing.
Security awareness training also needs to be re-tooled. Instead of relying on simulated attacks, IT and security teams need to find better ways to alert users at the moment they are exposed to real ones, and to give them the tools to get involved and make a difference in their own security.
As part of this evolution, IT and security teams must keep in mind that SecBizOps is a cultural shift, not yet another tool that promises more than it delivers. The current, outdated mindset has led IT leaders to invest billions in perimeter-based security products and training despite the near-complete erosion of the traditional perimeter. Those perimeter deployments are complex, highly expensive, and ultimately ill-suited to the low-volume, hyper-targeted attacks that are the most effective ones we see today.
Tom Shultz of Gartner Research pointed out at last year’s Security and Risk Management Summit in London that the paradigm for training, behavior-shaping, monitoring, and employee-enabling technologies will shift as organizations respond to a technological landscape that embraces cloud services, mobile access to corporate messaging and email platforms, as well as growing freedom for employees to use technology in new ways.
Getting Security to "Just Work"
This shift puts SecBizOps on the front line of enterprise security because users, especially non-technical users, increasingly expect security to "just work." In other words, security that is timely, comprehensible, and minimally obstructive will be effective; security that impedes business will not.
But adopting SecBizOps is not as daunting as one may think. First, security and IT teams should take a risk-management approach to their entire security landscape. Implement security where it will have the highest return on investment: identify the types of risk that most often lead to large or frequent breaches or losses in your industry, or across the market as a whole, and address those areas first. In this way security is interwoven into the systems that most need protection.
The simple fact is that nobody really likes security except security professionals. By aligning information security spend and technology with core business requirements, security becomes a business enabler rather than a business impediment. As one CISO put it in a case study we performed some years ago, this alignment of need and technical capacity is akin to "getting out of the business' way, but ensuring that the right protections are in place to keep it on the right path even as its speed increases."
The technological landscape itself will keep changing. What we see today as the set of interaction points between executives, trusted partners, and vendors (email, chat, CRM, web, social, and so on) is incredibly dynamic. One of the challenges for a SecBizOps-aligned team is to think not in terms of point solutions for individual technologies, but in terms of a hub-and-spoke model of information security.
In this view, data (the hub) is accessed by myriad platforms and products (the spokes). Security that sits at the center of the model and protects against classes of threats, whichever spoke carries them, scales with the business; products that focus on the deficiencies or vulnerabilities of individual spoke-level technologies are commoditized at best and distracting at worst.
We see securing against deception-based attacks as the foundation of a SecBizOps approach. Two years ago, the term was "targeted attack protection," which does not adequately convey the character of the threats that business users face from attackers in the wild. Instead of thinking about targets, SecBizOps looks at tactics, and informs a security approach that aligns to those tactics more directly than previous generations did.
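As an added example of the two ideas above (alerting users at the moment they are exposed to a real attack rather than only running simulations, and scoring messages by attacker tactic rather than by target), the following Python scores an inbound email against a few deception tactics and turns the result into a banner a user would see on the message. This is illustrative code written for this page, not the article's or any vendor's product; the internal domain, the protected executives, the confusable-character table, the urgency cue list, and the sample messages are all constructed assumptions.

```python
"""
Tactic-based checks for deception-style email, producing an in-the-moment warning.

Added example for this page, not the original article's code. Every domain,
name, cue list, threshold and message below is constructed for illustration.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed assumptions: the organisation's own domain and the executives
# whose names an attacker is most likely to impersonate.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {
    "alice chen": "alice.chen@example.com",
    "bob singh": "bob.singh@example.com",
}
# Small, constructed table of characters that look alike in a domain name.
CONFUSABLES = str.maketrans("0135", "oles")
# Constructed phrases typical of payment-fraud and urgency pressure.
URGENCY_CUES = ("urgent", "immediately", "wire", "gift card",
                "before end of day", "confidential", "do not discuss")


@dataclass
class Message:
    from_header: str       # raw From: value, e.g. 'Alice Chen <a@b.example>'
    reply_to: str = ""     # raw Reply-To: value, empty when absent
    subject: str = ""
    body: str = ""


@dataclass
class Finding:
    tactic: str
    detail: str


def normalise_domain(domain: str) -> str:
    """Lower-case, drop a leading 'www.', fold confusable characters and 'rn'->'m'."""
    domain = domain.lower().removeprefix("www.")
    return domain.translate(CONFUSABLES).replace("rn", "m")


def is_lookalike(domain: str, target: str = INTERNAL_DOMAIN) -> bool:
    """True when domain is not target but resembles it after folding or by similarity."""
    if domain == target:
        return False
    folded = normalise_domain(domain)
    if folded == target:
        return True
    # 0.85 is a constructed threshold; tune against real mail before relying on it.
    return SequenceMatcher(None, folded, target).ratio() >= 0.85


def assess(msg: Message) -> list[Finding]:
    """Return one Finding per deception tactic observed in the message."""
    findings: list[Finding] = []
    display, addr = parseaddr(msg.from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    display_key = " ".join(display.lower().split())

    # Tactic: a protected person's display name on an address that is not theirs.
    expected = PROTECTED_NAMES.get(display_key)
    if expected and addr.lower() != expected:
        findings.append(Finding("display-name impersonation",
                                f'"{display}" is not {expected}'))

    # Tactic: sending domain visually imitates our own.
    if sender_domain and is_lookalike(sender_domain):
        findings.append(Finding("lookalike domain",
                                f"{sender_domain} resembles {INTERNAL_DOMAIN}"))

    # Tactic: replies silently diverted to a different domain than the sender's.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain and reply_domain != sender_domain:
            findings.append(Finding("reply-to redirection",
                                    f"replies go to {reply_domain}, not {sender_domain}"))

    # Tactic: pressure language; two or more cues is the constructed trigger.
    text = f"{msg.subject} {msg.body}".lower()
    cues = [c for c in URGENCY_CUES if c in text]
    if len(cues) >= 2:
        findings.append(Finding("urgency pressure", "cues: " + ", ".join(cues)))
    return findings


def user_banner(findings: list[Finding]) -> str:
    """Plain-language warning shown on the message itself; empty when nothing fired."""
    if not findings:
        return ""
    lines = ["Caution: this message shows signs of a deception attempt."]
    lines += [f"- {f.tactic}: {f.detail}" for f in findings]
    lines.append("Verify the request with the sender by phone or in person before "
                 "acting, and use Report to send this message to the security team.")
    return "\n".join(lines)


# Constructed sample messages.
SUSPICIOUS = Message(
    from_header="Alice Chen <alice.chen@exarnple.com>",
    reply_to="Alice Chen <acc0unts@mailbox-relay.net>",
    subject="Urgent wire before end of day",
    body="Please process immediately and keep this confidential.",
)
BENIGN = Message(
    from_header="Dana Ortiz <dana.ortiz@partner-corp.net>",
    subject="Q3 planning notes",
    body="Attached are the notes from yesterday.",
)
INTERNAL = Message(from_header="Alice Chen <alice.chen@example.com>",
                   subject="Lunch?", body="Free at noon?")

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN, INTERNAL):
        print(m.from_header, "->", user_banner(assess(m)) or "no warning")
```

The point of the design is that none of the four checks cares who the target is or what payload the mail carries; each names a tactic, and the banner explains the tactic in the words a non-technical user can act on. In a real deployment the display-name and domain checks would draw on the directory and the verified-sender history rather than on hard-coded constants, and the thresholds would be tuned on the organisation's own mail.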