John B. Dickson
The Business of Security: How Your Organization Is Changing Beneath You

And why it's your job to change with it and 'skate where the puck is headed.'

I’m a security professional, but I’m also an MBA graduate and student of organizational design and behavior. It’s my business background that has shed the light on a few major trends that are changing organizations as we speak. Like most major changes, they are happening at an incremental pace, and not obvious to the naked eye. But they represent a tectonic shift that will define how security professionals operate in the decades ahead.

Consider, for example, the fragmentation of centralized IT. Today, more and more IT services are delivered by technologists embedded within business units, not via centralized IT organizations run by all-powerful CIOs. This used to be referred to and dismissed as “shadow IT.” But what might have been thought of as a rogue operation is now an accepted approach to delivering IT services across the enterprise.

Several trends are combining to accelerate this metamorphosis. Topping the list is the adoption of outsourced cloud services. Cloud services are bought and implemented by business chiefs without the prior approval or buy-in of CIOs – think salesforce.com being contracted by a VP of sales, or online job application SaaS platforms being adopted by HR. Couple the cloud transition with the consensus for businesses to move faster, embodied in system and product development delivered via Agile and DevOps approaches.

Goodbye to Imperial CIOs
The old model of centralized IT and business units with well-defined organizational boundaries is changing: IT production is being embedded inside the business units via cross-functional teams that spin up and spin down as projects begin and end. A likely outcome of this change is the gradual weakening of what I call “the imperial CIO” – the all-powerful IT leader who can drive business agendas and tolerate long-term development cycles for key business projects.

The challenge for security professionals will be to recognize this dispersal of centralized IT and to adopt a coverage model for security services that reflects the new reality. Perhaps the highest priority will be to stay close to business initiatives and company-wide capital expenditure (CAPEX) projects to understand how new operating models and technology platforms will need to be secured. These are typically well-funded, have CEO support, and provide the opportunity for security professionals to embed protections early in the development process and get upstream of potential weaknesses. This means strengthening relationships with business line owners, and it gives security leaders the opportunity to add value on important projects instead of being perceived as saying “no” to potential risks.

In addition to fragmentation, organizations are restructuring to be more project- and product-driven. This complexity will strain static identity management constructs, and put positive pressure on security leaders to understand who is doing what, what they need to access to be successful, and when they need to be deprovisioned afterwards. Simply put, security leaders need to better understand where security functions are needed, irrespective of organizational charts, and focus even more on embedding security protections at the earliest stage of the project. More broadly, we need to adapt for change, or to steal a popular metaphor in use in business circles, to skate where the puck is headed.

The Faster Tempo of Business
Competitive pressures, breathtaking technological changes, and a variety of other external pressures have increased the pace of business substantially. This speed is embodied along a progression of two steps. First, organizations are moving from inflexible waterfall methods to Agile development methods in order to better integrate application development and business concerns. The second step is the onward evolution of DevOps where Agile developers break down barriers between the development and operations teams. Automating the entire software development process from code commit to deployment highlights how DevOps approaches can further squeeze cycles out of the software deployment process.

These changes represent a challenge and an opportunity to security leaders because they turn the existing ‘waterfall’ approach to software development upside down. It will be more important for security leaders to make sure they are invited to the earliest design meetings, so they can inject security use cases into the software development process. Up-front security guidance will be needed because opportunities to test new features before they get deployed may simply not exist. Instead of 11th-hour vulnerability scans before products go live, we now have an opportunity to architect in security scans, getting upstream of the deployment process. Finally, security experts should focus more energy on identifying attack patterns in live environments.

The Evolving Worker
In the not-too-distant past, most companies were staffed by employees, or what we now call FTEs (full-time equivalents) or “badged” employees. That employment model mirrored the relatively static nature of the enterprise networking environment that security was tasked to protect. A defined network perimeter protected everyone inside the network from outside the network. Today’s employment model has turned this upside down. Now you have full-time employees, part-time employees, temp-to-perm hires, long-term contractors, short-term staff augmentation, offshore resources, interns, and other types of employment categories that your HR department can describe for you. To make matters more confusing, internal organizations are changing to be more project- and product-based, reflecting the fluid nature of the business itself.

For the security worker, the challenge will be to identify who has access to what, and when. An evolving organization drives more complex identity management, which is the foundation and starting point for security. But it will also demand tighter coordination with the business to understand how employment and contract roles have changed, in order to harmonize access controls. Supporting project-based IT capabilities that are built up and torn down on a weekly basis is also key to adapting. The SharePoint collaboration site set up to support the CEO’s secret M&A project is a good example of this type of quick-turnaround capability. Understanding how and when to turn off access to protect the business will also be increasingly important in this ever-changing environment.

The businesses we serve as security practitioners are changing at a faster pace today than at any other time since technology was introduced in the 1980s. Some changes are obvious, others less so. Savvy security leaders must learn to take advantage of these changes to further security goals and to protect their evolving organizations.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ...

3/31/2017 | 4:48:50 AM
Socialising security
Back in the early days, IT was carried out by a bunch of mystical creatures hidden away in darkened basements who spoke in strange languages and only suffered the presence of end users as a last resort. Requirements were passed through a hole in the wall and the results lobbed back months or years later. This mystique helped to spread the myth of IT being something that only the select few could participate in.

In the intervening years that mystique has been largely blown away and now pretty much anyone can create very sophisticated systems without having to refer to the IT wizards. 

I've long felt that many IS professionals act like the old IT mystics, with whispered references to VPNs, TLS, 2048-bit keys, SOCs, SIEMs and heaven knows what else, all in an attempt to make it seem more difficult than it actually is.

In the same way as IT has been democratised and made available to all, we need to move IS out of the central mystics and into the mainstream business areas. The data belong to the business, the risk should be owned by the business, but for some reason we still seem to try to put blockers in the way of the business taking effective ownership of their security.

That won't remove the need for IS professionals any more than putting IT into the hands of the business removed the need for IT professionals, but it will have the dual advantages of spreading security across the business, and allowing the IS professionals to focus on new, interesting stuff and not get bogged down in another round of Security 101 briefings.