Dark Reading is part of the Informa Tech Division of Informa PLC



John B. Dickson

The Business of Security: How Your Organization Is Changing Beneath You

And why it's your job to change with it and 'skate where the puck is headed.'

I’m a security professional, but I’m also an MBA graduate and a student of organizational design and behavior. It’s my business background that has shed light on a few major trends that are changing organizations as we speak. Like most major changes, they are happening incrementally and are not obvious to the naked eye. But they represent a tectonic shift that will define how security professionals operate in the decades ahead.

Consider, for example, the fragmentation of centralized IT. Today, more and more IT services are delivered by technologists embedded within business units, not via centralized IT organizations run by all-powerful CIOs. This used to be referred to and dismissed as “shadow IT.” But what might have been thought of as a rogue operation is now an accepted approach to delivering IT services across the enterprise.

Several trends are combining to accelerate this metamorphosis. Topping the list is the adoption of outsourced cloud services. Cloud services are bought and implemented by business chiefs without the prior approval or buy-in of CIOs – think salesforce.com being contracted by a VP of sales, or an online job application SaaS platform being adopted by HR. Couple the cloud transition with the consensus that businesses must move faster, embodied in system and product development delivered via Agile and DevOps approaches.

Goodbye to Imperial CIOs
The old model of centralized IT and business units with well-defined organizational boundaries is changing: IT production is being embedded inside the business units via cross-functional teams that spin up and spin down as projects begin and end. A likely outcome of this change is the gradual weakening of what I call “the imperial CIO” – the all-powerful IT leader who can drive business agendas and tolerate long-term development cycles for key business projects.

The challenge for security professionals will be to recognize this dispersal of centralized IT and to adopt a coverage model for security services that reflects the new reality. Perhaps the highest priority will be to stay close to business initiatives and company-wide capital expenditure (CAPEX) projects to understand how new operating models and technology platforms will need to be secured. These are typically well-funded, have CEO support, and provide the opportunity for security professionals to embed protections early in the development process, getting upstream of potential weaknesses. This means strengthening relationships with business line owners, and it gives security leaders the opportunity to add value on important projects instead of being perceived as saying “no” to potential risks.

In addition to fragmentation, organizations are restructuring to be more project- and product-driven. This complexity will strain static identity management constructs, and put positive pressure on security leaders to understand who is doing what, what they need to access to be successful, and when they need to be deprovisioned afterwards. Simply put, security leaders need to better understand where security functions are needed, irrespective of organizational charts, and focus even more on embedding security protections at the earliest stage of the project. More broadly, we need to adapt to change, or to steal a popular metaphor in use in business circles, to skate where the puck is headed.

The Faster Tempo of Business
Competitive pressures, breathtaking technological changes, and a variety of other external pressures have increased the pace of business substantially. This speed has arrived in two steps. First, organizations are moving from inflexible waterfall methods to Agile development methods in order to better integrate application development and business concerns. The second step is the onward evolution to DevOps, where Agile developers break down the barriers between the development and operations teams. Automating the entire software delivery process, from code commit to deployment, shows how DevOps approaches can squeeze still more cycles out of the software deployment process.

These changes represent a challenge and an opportunity for security leaders because they turn the existing ‘waterfall’ approach to software development upside down. It will be more important for security leaders to make sure they are invited to the earliest design meetings, so they can inject security use cases into the software development process. Up-front security guidance will be needed because opportunities to test new features before they get deployed may simply not exist. Instead of 11th-hour vulnerability scans before products go live, we now have an opportunity to architect security scans into the pipeline itself, getting upstream of the deployment process. Finally, security experts should focus more energy on identifying attack patterns in live environments.

The Evolving Worker
In the not too distant past, most companies were staffed by employees, or what we now call FTEs (full-time equivalents) or “badged” employees. That employment model mirrored the relatively static nature of the enterprise networking environment that security was tasked to protect: a defined network perimeter protected everyone inside the network from everyone outside it. Today’s employment model has turned this upside down. Now you have full-time employees, part-time employees, temp-to-perm hires, long-term contractors, short-term staff augmentation, offshore resources, interns, and whatever other employment categories your HR department can describe for you. To make matters more confusing, internal organizations are changing to be more project- and product-based, reflecting the fluid nature of the business itself.

For the security worker, the challenge will be to identify who has access to what, and when. An evolving organization drives more complex identity management, which is the foundation and starting point for security. But it will also demand tighter coordination with the business to understand how employment and contract roles have changed, in order to harmonize access controls. Supporting project-based IT capabilities that are built up and torn down on a weekly basis is also key to adapting. The SharePoint collaboration site to support the CEO’s secret M&A project is a good example of this type of quick-turnaround requirement. Understanding how and when to turn off access to protect the business will also be increasingly important in this ever-changing environment.
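The two identity themes above, time-bound access for a fluid workforce and deprovisioning when a project is torn down, can be made concrete with a small model of project-scoped, expiring grants and a sweep that answers "who has access to what, when". This is an added example, not code from the article or from the author's firm; the worker categories, maximum terms, review window, project names, dates and subjects are all constructed for illustration, and the M&A collaboration site stands in for the SharePoint example in the text.

```python
"""Project-scoped, time-boxed access grants with a deprovisioning sweep.

Added example. Policy values (MAX_TERM, REVIEW_WINDOW) and all sample data
are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum grant term per worker category. Contractors and short-term staff
# get shorter terms and must be re-justified to extend. (Assumed policy.)
MAX_TERM = {
    "fte": timedelta(days=365),
    "contractor": timedelta(days=90),
    "intern": timedelta(days=90),
    "offshore": timedelta(days=60),
}
REVIEW_WINDOW = timedelta(days=14)  # grants expiring within two weeks get flagged


@dataclass(frozen=True)
class Project:
    name: str
    end: date            # planned end of the project
    active: bool = True  # set False when the project is torn down


@dataclass(frozen=True)
class Grant:
    subject: str      # who
    worker_type: str  # which employment category
    resource: str     # what
    project: str      # why: the engagement that justifies the access
    start: date       # from when
    end: date         # until when (hard expiry)


def issue_grant(subject, worker_type, resource, project, start, requested_end):
    """Issue a grant, clamping its expiry to the project end and the
    worker category's maximum term. Closed projects cannot receive grants."""
    if worker_type not in MAX_TERM:
        raise ValueError(f"unknown worker type: {worker_type}")
    if not project.active:
        raise ValueError(f"project {project.name} is closed")
    end = min(requested_end, project.end, start + MAX_TERM[worker_type])
    if end < start:
        raise ValueError("grant would expire before it starts")
    return Grant(subject, worker_type, resource, project.name, start, end)


def sweep(grants, projects, today):
    """Return (revoke, review): grants to remove now (expired, or their
    project is gone or closed) and grants that expire within REVIEW_WINDOW."""
    revoke, review = [], []
    for g in grants:
        p = projects.get(g.project)
        if p is None or not p.active or today > g.end:
            revoke.append(g)
        elif g.end - today <= REVIEW_WINDOW:
            review.append(g)
    return revoke, review


def access_report(grants, today):
    """Who currently has access to what: resource -> sorted subjects."""
    report = {}
    for g in grants:
        if g.start <= today <= g.end:
            report.setdefault(g.resource, []).append(g.subject)
    return {r: sorted(s) for r, s in report.items()}


# Constructed sample data (not real projects or people).
TODAY = date(2017, 3, 31)
PROJECTS = {
    "mna-secret": Project("mna-secret", end=date(2017, 6, 30)),
    "hr-ats-rollout": Project("hr-ats-rollout", end=date(2017, 2, 28), active=False),
}
GRANTS = [
    # FTE on the M&A site: clamped to the project end, not the 365-day max.
    issue_grant("alice", "fte", "sharepoint:mna-secret",
                PROJECTS["mna-secret"], date(2017, 3, 1), date(2017, 12, 31)),
    # Contractor on the same site: 90-day cap wins, expiring 2017-04-10.
    issue_grant("bob-contractor", "contractor", "sharepoint:mna-secret",
                PROJECTS["mna-secret"], date(2017, 1, 10), date(2017, 6, 30)),
    # Leftover admin grant on a project that has already been torn down.
    Grant("carol-temp", "contractor", "ats:admin", "hr-ats-rollout",
          date(2016, 12, 1), date(2017, 2, 28)),
    # FTE grant that simply expired while the project is still running.
    issue_grant("dave", "fte", "repo:mna-dataroom",
                PROJECTS["mna-secret"], date(2016, 12, 1), date(2017, 3, 15)),
]

if __name__ == "__main__":
    revoke, review = sweep(GRANTS, PROJECTS, TODAY)
    print("revoke:", [(g.subject, g.resource) for g in revoke])
    print("review:", [(g.subject, g.end.isoformat()) for g in review])
    print("access:", access_report(GRANTS, TODAY))
```

Running the sweep on the sample data revokes carol-temp (project closed) and dave (grant expired), flags bob-contractor for review because the contractor cap expires in ten days, and reports that only alice and bob-contractor currently hold access to the M&A site. The point of tying every grant to a project and a category-specific term is that teardown of the project, not a ticket someone remembers to file, is what ends the access.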

The businesses we serve as security practitioners are changing at a faster pace today than at any other time since technology was introduced in the 1980s. Some changes are obvious, others less so. Savvy security leaders must learn to take advantage of these changes to further security goals and to protect their evolving organizations.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors.

3/31/2017 | 4:48:50 AM
Socialising security
Back in the early days, IT was carried out by a bunch of mystical creatures hidden away in darkened basements who spoke in strange languages and only suffered the presence of end users as a last resort. Requirements were passed through a hole in the wall and the results lobbed back months or years later. This mystique helped to spread the myth of IT being something that only the select few could participate in.

In the intervening years that mystique has been largely blown away and now pretty much anyone can create very sophisticated systems without having to refer to the IT wizards. 

I've long felt that many IS professionals act like the old IT mystics, with whispered references to VPNs, TLS, 2048-bit keys, SOCs, SIEMs and heaven knows what else, all in an attempt to make it seem more difficult than it actually is.

In the same way as IT has been democratised and made available to all, we need to move IS out of the central mystics and into the mainstream business areas. The data belong to the business, the risk should be owned by the business, but for some reason we still seem to try to put blockers in the way of the business taking effective ownership of their security.

That won't remove the need for IS professionals any more than putting IT into the hands of the business removed the need for IT professionals, but it will have the dual advantages of spreading security across the business, and allowing the IS Professionals to focus on new, interesting, stuff and not get bogged down in another round of Security 101 briefings. 