In my previous article about Security-IN-the-Cloud, I touched on the shift from traditional perimeter-based security to data-based security. This shift brings an additional change in the governance of IT and cybersecurity: new capabilities that modern organisations and their IT security specialists need to have. In this article I want to share the five such capabilities that, at least in my opinion, matter most.
To be closer to the business, in order to understand the organisation’s unique vulnerabilities, strengths, and industry- or business-specific threats.
Some say it’s OK if IT guys are not social and sit somewhere in the basement with their servers and wires. Others are even afraid to cross their path, and prefer to contact IT only when it’s a matter of life and death. I think this is wrong thinking, coming from a lack of general IT knowledge and a disinterest in their own data security on the part of business decision-makers.
In modern IT security, soft skills take on a slightly different meaning: while social communication and teamwork are important, critical thinking and even general psychology are an even more important part of the skillset of a modern IT security specialist. He or she needs to:
• think like the bad guys,
• know social engineering techniques to identify possible threats like phishing attacks,
• know how other employees and customers of the organisation are likely to respond to threats, how to raise their awareness, and train their resilience,
• be closer to the business, to understand the organisation’s unique vulnerabilities, strengths, and industry- or business-specific threats,
• work well under pressure and be able to quickly prioritise actions to minimise the damage should an attack occur.
Having these soft and social skills together with technological knowledge lays down the framework for an IT and IT Security specialist to perform their duties in the modern era.
To assess what is relevant and select appropriate measures, striking a compromise between locking everything down and enabling innovation
During my career I have seen multiple cases where old-school IT specialists had no problem defending huge budgets to buy higher-grade-than-needed appliances as a mitigation measure for a risk whose exposure was many times lower than the price of the appliance. And guess what, I have also seen those same organisations fall into big data-breach scandals, availability failures, and personal data being literally washed away by a flood.
In the cyber era, where more and more effort and money is spent on cyberattacks, ransomware, and mind-blowingly effective social engineering, there is a greater need than ever for organisations to have good threat and risk assessment capabilities. It is no longer possible to isolate the organisation’s perimeter from all possible threats, and there is no chance of protecting the organisation from all possible attacks. By default, any organisation in the world has (and will continue to have) a number of vulnerabilities. No amount of money can buy complete security or a ‘vulnerability-free’ state, so the only way for the CEO to sleep better at night is to be aware of the risks and the possible exposure, and to be sure that the responsible teams are skilled enough to select the most relevant security measures for the business-critical risks.
A bonus hint: ask your IT team whether they know the following equation, and ask for the ROSI whenever they request big CAPEX investments in hardware or software as a risk mitigation measure:
• Return on Security Investment (ROSI) = the return on investment (ROI) of the security control or solution to be implemented; in its standard form, ROSI = (ALE − mALE − Cost of Solution) / Cost of Solution.
• Annualized Loss Expectancy (ALE) = estimated monetary loss from a single security incident × annualized rate of occurrence.
• modified ALE (mALE) = modified annual monetary loss taking into consideration the effectiveness of expected security control.
• Cost of Solution = all costs associated with solution purchase, implementation, and maintenance.
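To make the hint concrete, here is a worked ROSI calculation. This is an added example and not part of the original article; it uses the standard (ENISA-style) form of the formula built from the four terms above, with ALE = single loss expectancy × annualized rate of occurrence, mALE = ALE × (1 − mitigation ratio), and ROSI = (ALE − mALE − Cost of Solution) / Cost of Solution. Every figure in it (the ransomware scenario, the two candidate controls, their prices and mitigation ratios) is constructed for illustration, not taken from any real vendor or incident.

```python
"""Return on Security Investment (ROSI) worked example.

Added example, not from the original article. Formula (standard ENISA form):
    ALE  = SLE * ARO
    mALE = ALE * (1 - mitigation_ratio)
    ROSI = (ALE - mALE - cost_of_solution) / cost_of_solution
All monetary figures and ratios below are constructed (hypothetical).
"""
from dataclasses import dataclass


def annualized_loss_expectancy(single_loss_expectancy: float,
                               annual_rate_of_occurrence: float) -> float:
    """ALE: expected loss from one incident times how often it happens per year."""
    return single_loss_expectancy * annual_rate_of_occurrence


def modified_ale(ale: float, mitigation_ratio: float) -> float:
    """mALE: the loss that remains once the control removes `mitigation_ratio` of it."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    return ale * (1.0 - mitigation_ratio)


def rosi(ale: float, mitigation_ratio: float, cost_of_solution: float) -> float:
    """ROSI as a ratio: 0.5 means each 1 spent avoids 1.5 of expected loss;
    a negative value means the control costs more than the loss it avoids."""
    if cost_of_solution <= 0:
        raise ValueError("cost_of_solution must be positive")
    loss_avoided = ale - modified_ale(ale, mitigation_ratio)
    return (loss_avoided - cost_of_solution) / cost_of_solution


def break_even_cost(ale: float, mitigation_ratio: float) -> float:
    """Highest annual Cost of Solution at which ROSI is still zero or better."""
    return ale - modified_ale(ale, mitigation_ratio)


@dataclass(frozen=True)
class Control:
    """A candidate security control with its full (not just purchase) cost."""
    name: str
    mitigation_ratio: float    # fraction of ALE the control is expected to remove
    purchase: float            # one-off CAPEX
    implementation: float      # one-off project / integration cost
    annual_maintenance: float  # yearly OPEX: licences, support, staff time
    years: int = 3             # horizon over which one-off costs are spread

    def annual_cost(self) -> float:
        """Cost of Solution, annualised so it is comparable with ALE."""
        return (self.purchase + self.implementation) / self.years + self.annual_maintenance


def compare_controls(ale: float, controls) -> list:
    """Return (name, ROSI) pairs ranked best first."""
    ranked = [(c.name, rosi(ale, c.mitigation_ratio, c.annual_cost())) for c in controls]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scenario: ransomware hitting a departmental file server.
SLE = 80_000.0  # hypothetical loss per incident: downtime, recovery, notification
ARO = 0.5       # hypothetical: roughly one incident every two years
ALE = annualized_loss_expectancy(SLE, ARO)  # 40_000 per year

# Two constructed options for the same risk: a big-ticket appliance versus
# a cheap, proportionate control. Mitigation ratios are assumptions.
CONTROLS = [
    Control("enterprise appliance", mitigation_ratio=0.90,
            purchase=300_000, implementation=60_000, annual_maintenance=45_000),
    Control("offline backups + MFA", mitigation_ratio=0.70,
            purchase=8_000, implementation=6_000, annual_maintenance=4_000),
]

if __name__ == "__main__":
    print(f"ALE = {ALE:,.0f} per year; max justifiable annual spend at 90% "
          f"mitigation = {break_even_cost(ALE, 0.9):,.0f}")
    for name, value in compare_controls(ALE, CONTROLS):
        print(f"{name:24s} ROSI = {value:+.2f}")
```

The point the numbers make is the one in the anecdote above: the appliance removes more of the risk in absolute terms, but its annualised cost is several times the entire ALE, so its ROSI is negative; the modest control has a strongly positive ROSI. When a team asks for CAPEX, asking for this calculation (with the mitigation ratio and the annualised cost stated explicitly, since both are estimates) is what turns the request into a risk decision rather than a shopping decision.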
Assess and manage cloud service security, and manage business data securely in the cloud.
To begin with, every modern organisation first needs to understand that the perception that, once in the cloud, all security is handled by the cloud provider is wrong.
To better understand the scope of the organisation’s responsibility for Security-IN-the-Cloud, see my story dedicated to Security IN the Cloud vs Security OF the Cloud.
‘The cloud is already secure, why do I need worry about additional security?’
The Shared Responsibility Model is no less important to communicate to, and have understood by, BDMs (business representatives), not only IT specialists. This is because the main focus of Security-IN-the-Cloud is business data, the main asset of every modern organisation.
‘Invest in the skills and knowledge of your IT staff; dedicate their time to learning and keeping up with the ultra-frequent changes in cloud services’
Once the organisation has learned the Shared Responsibility Model and knows its responsibilities, it needs to start by identifying internal personnel skilled in Dev(Sec)Ops, cloud-skilling its internal teams, and/or engaging a trusted MSP partner who is able to apply cloud security standards, cloud-specific best practices, and security controls.
Embed security into the business solution development lifecycle, not after it
DevSecOps is an evolution in the way development teams approach security. Previously, security was something a system administrator or a separate security team had to tailor and ‘sew on’ to applications and systems at the very end of the development process, or even after deployment to the production environment. Security then had to be tested by a separate quality assurance (QA) team, and so on. Treating security as an afterthought led to famous data breaches and made the IT community think of new ways to embed security into each phase of the software development lifecycle.
In our DevOps team we have a saying: ‘Automation first’. Every time someone needs to perform a task, set up new AWS/Azure infrastructure or prepare a robust platform for a client’s new application deployment, the first question they need to answer is: is there at least a slight chance I will need to perform the same task again, or that I might need to rebuild the platform? If the answer is yes, the task is to be performed not manually but by writing automation scripts (e.g. Terraform, Ansible, Chef), aka Infrastructure as Code (IaC). The same approach should be embedded into the security of modern applications. As the famous DevSecOps manifesto states:
‘By developing security as code, we will strive to create awesome products and services, provide insights directly to developers, and generally favor iteration over trying to always come up with the best answer before a deployment.’
Be able to (I) identify real incidents among huge amounts of data and large numbers of false-positive alerts, (II) eliminate them quickly, and (III) rationally assess risk, threat, and loss.
Complex IT systems produce tons of logs, activity information and other data that a modern IT specialist must be able to process in order to maintain security and compliance and to optimise resources. He or she therefore needs to be equipped with both the skills and the appropriate tools to consume loads of information and come up with the best plan of action within a matter of minutes. The ability to see the big picture by examining the individual problem areas, and to tell exactly what needs to be fixed, is what differentiates a sought-after modern IT specialist from the rest.
In a nutshell, a modern organisation needs to take on data-centric ‘big data’ approach to security.