John B. Dickson

The Business of Security: How Your Organization Is Changing Beneath You

And why it's your job to change with it and 'skate where the puck is headed.'

I’m a security professional, but I’m also an MBA graduate and a student of organizational design and behavior. It’s my business background that has shed light on a few major trends that are changing organizations as we speak. Like most major changes, they are happening incrementally and are not obvious to the naked eye. But they represent a tectonic shift that will define how security professionals operate in the decades ahead.

Consider, for example, the fragmentation of centralized IT. Today, more and more IT services are delivered by technologists embedded within business units, not via centralized IT organizations run by all-powerful CIOs. This used to be referred to and dismissed as “shadow IT.” But what might have been thought of as a rogue operation is now an accepted approach to delivering IT services across the enterprise.

Several trends are combining to accelerate this metamorphosis. Topping the list is the adoption of outsourced cloud services. Cloud services are bought and implemented by business chiefs without the prior approval or buy-in of CIOs – think salesforce.com being contracted by a VP of sales, or an online job-application SaaS platform being adopted by HR. Add to the cloud transition the consensus that businesses must move faster, embodied in system and product development delivered via Agile and DevOps approaches.

Goodbye to Imperial CIOs
The old model of centralized IT and business units with well-defined organizational boundaries is changing: IT production is being embedded inside the business units via cross-functional teams that spin up and spin down as projects begin and end. A likely outcome of this change is the gradual weakening of what I call “the imperial CIO” – the all-powerful IT leader who can drive business agendas and tolerate long development cycles for key business projects.

The challenge for security professionals will be to recognize this dispersal of centralized IT and to adopt a coverage model for security services that reflects the new reality. Perhaps the highest priority will be to stay close to business initiatives and company-wide capital expenditure (CAPEX) projects in order to understand how new operating models and technology platforms will need to be secured. These projects are typically well funded, have CEO support, and give security professionals the opportunity to embed protections early in the development process and get upstream of potential weaknesses. This means strengthening relationships with business line owners, and it gives security leaders the chance to add value on important projects instead of being perceived as the people who say “no” to potential risks.

In addition to fragmentation, organizations are restructuring to be more project- and product-driven. This complexity will strain static identity management constructs and put positive pressure on security leaders to understand who is doing what, what they need to access to be successful, and when they need to be deprovisioned afterwards. Simply put, security leaders need to better understand where security functions are needed, irrespective of organizational charts, and focus even more on embedding security protections at the earliest stage of a project. More broadly, we need to adapt to change or, to borrow a metaphor popular in business circles, to skate where the puck is headed.

The Faster Tempo of Business
Competitive pressures, breathtaking technological change, and a variety of other external pressures have increased the pace of business substantially. This speed is arriving in two steps. First, organizations are moving from inflexible waterfall methods to Agile development methods in order to better integrate application development with business concerns. The second step is the further evolution to DevOps, in which development and operations teams break down the barriers between them. Automating the entire software delivery process from code commit to deployment shows how DevOps approaches can squeeze still more cycles out of the deployment process.

These changes represent both a challenge and an opportunity for security leaders, because they turn the existing “waterfall” approach to software development upside down. It will be more important than ever for security leaders to make sure they are invited to the earliest design meetings, so they can inject security use cases into the development process. Up-front security guidance will be needed because the window to test new features before they are deployed may simply not exist. Instead of 11th-hour vulnerability scans before products go live, we now have the opportunity to build security scans into the pipeline itself, upstream of deployment. Finally, security experts should focus more energy on identifying attack patterns in live environments.

The Evolving Worker
In the not-too-distant past, most companies were staffed by employees, or what we now call FTEs (full-time equivalents) or “badged” employees. That employment model mirrored the relatively static nature of the enterprise network environment that security was tasked to protect: a defined network perimeter protected everyone inside the network from everything outside it. Today’s employment model has turned this upside down. Now you have full-time employees, part-time employees, temp-to-perm hires, long-term contractors, short-term staff augmentation, offshore resources, interns, and whatever other employment categories your HR department can describe for you. To make matters more confusing, internal organizations are becoming more project- and product-based, reflecting the fluid nature of the business itself.

For the security worker, the challenge will be to identify who has access to what, and when. An evolving organization drives more complex identity management, which is the foundation and starting point for security. But it will also demand tighter coordination with the business to understand how employment and contract roles have changed, so that access controls can be harmonized with them. Supporting project-based IT capabilities that are built up and torn down on a weekly basis is also key to adapting. A SharePoint collaboration site spun up to support the CEO’s confidential M&A project is a good example of this kind of quick-turnaround capability. Understanding how and when to turn off access in order to protect the business will be increasingly important in this ever-changing environment.
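To make “who has access to what, and when” concrete, here is an added example that is not from the article or from the author’s firm: a small reconciliation check that compares access grants against an HR roster (with contract end dates) and a project register (with teardown dates), and flags grants that should be revoked or fixed. The HR roster, the project list, the grants and the field names are all constructed for this illustration; a real run would read them from HR, the directory and the application’s permission export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added illustration, not code from the article. Every record below is
# constructed sample data, and the field names are assumptions.


@dataclass(frozen=True)
class Worker:
    worker_id: str
    category: str             # e.g. "FTE", "contractor", "intern"
    end_date: Optional[date]  # None for open-ended employment


@dataclass(frozen=True)
class Project:
    project_id: str
    end_date: date            # the day the project (and its site) is torn down


@dataclass(frozen=True)
class Grant:
    resource: str
    worker_id: str
    project_id: Optional[str]  # None for standing, non-project resources
    expires: Optional[date]    # None means nobody set an expiry


# Constructed HR roster, project register and access grants.
ROSTER = [
    Worker("alice", "FTE", None),
    Worker("bob", "contractor", date(2017, 3, 15)),
    Worker("dana", "intern", date(2017, 6, 30)),
]
PROJECTS = [
    Project("mna-2017", date(2017, 3, 1)),   # the short-lived M&A site
    Project("hr-ats", date(2017, 12, 31)),   # HR's applicant-tracking rollout
]
GRANTS = [
    Grant("sp-mna-site", "alice", "mna-2017", date(2017, 3, 1)),
    Grant("salesforce", "bob", None, None),
    Grant("sp-hr-ats", "dana", "hr-ats", None),
    Grant("vpn", "carol", None, None),       # no HR record exists for "carol"
    Grant("salesforce", "alice", None, None),
    Grant("sp-hr-ats", "alice", "hr-ats", date(2017, 12, 31)),
    Grant("jira", "dana", None, date(2017, 3, 31)),
]


def _reason(g: Grant, workers: Dict[str, Worker],
            projects: Dict[str, Project], as_of: date) -> Optional[str]:
    """Return why this grant needs action as of `as_of`, or None if it is fine.

    Checks run in priority order: an unknown or departed worker is reported
    before any project- or expiry-related problem with the same grant.
    """
    w = workers.get(g.worker_id)
    if w is None:
        return "orphaned: no HR record for this worker"
    if w.end_date is not None and w.end_date < as_of:
        return f"engagement ended {w.end_date.isoformat()} ({w.category})"
    if g.project_id is not None:
        p = projects.get(g.project_id)
        if p is None:
            return f"project {g.project_id} is not in the project register"
        if p.end_date < as_of:
            return f"project {g.project_id} ended {p.end_date.isoformat()}"
        if g.expires is None:
            return f"no expiry set on grant for active project {g.project_id}"
    if g.expires is not None and g.expires < as_of:
        return f"grant expired {g.expires.isoformat()}"
    return None


def review_access(roster: List[Worker], projects: List[Project],
                  grants: List[Grant], as_of: date) -> List[Tuple[str, str, str]]:
    """Reconcile grants against HR and the project register.

    Returns (resource, worker_id, reason) for each grant that needs action.
    """
    workers = {w.worker_id: w for w in roster}
    projs = {p.project_id: p for p in projects}
    findings = []
    for g in grants:
        reason = _reason(g, workers, projs, as_of)
        if reason is not None:
            findings.append((g.resource, g.worker_id, reason))
    return findings


def run_sample(as_of_iso: str = "2017-04-01") -> List[Tuple[str, str, str]]:
    """Run the review over the constructed data for a given ISO date."""
    return review_access(ROSTER, PROJECTS, GRANTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for resource, worker_id, reason in run_sample():
        print(f"{resource:14} {worker_id:8} {reason}")
```

Run as of 2017-04-01 this reports five grants: the orphaned VPN account, the contractor whose engagement ended in March, the site for a project that has already been torn down, a project grant that was never given an expiry, and a Jira grant that expired the day before. The same data reviewed as of 2017-02-01 yields only the two structural problems (the orphan and the missing expiry), which is the point: the answer to “who should have access” depends on the date, so the check has to run on a schedule, not once at onboarding.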

The businesses we serve as security practitioners are changing at a faster pace today than at any time since technology entered the enterprise in the 1980s. Some changes are obvious, others less so. Savvy security leaders must learn to take advantage of these changes to further security goals and to protect their evolving organizations.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ...
3/31/2017 | 4:48:50 AM
Socialising security
Back in the early days, IT was carried out by a bunch of mystical creatures hidden away in darkened basements who spoke in strange languages and only suffered the presence of end users as a last resort. Requirements were passed through a hole in the wall and the results lobbed back months or years later. This mystique helped to spread the myth of IT being something that only the select few could participate in.

In the intervening years that mystique has been largely blown away and now pretty much anyone can create very sophisticated systems without having to refer to the IT wizards. 

I've long felt that many IS professionals act like the old IT mystics, with whispered references to VPNs, TLS, 2048-bit keys, SOCs, SIEMs and heaven knows what else, all in an attempt to make it seem more difficult than it actually is.

In the same way as IT has been democratised and made available to all, we need to move IS out of the central mystics and into the mainstream business areas. The data belong to the business, the risk should be owned by the business, but for some reason we still seem to try to put blockers in the way of the business taking effective ownership of their security.

That won't remove the need for IS professionals any more than putting IT into the hands of the business removed the need for IT professionals, but it will have the dual advantages of spreading security across the business, and allowing the IS professionals to focus on new, interesting stuff and not get bogged down in another round of Security 101 briefings.