Like it or not, resistance is futile — and dramatic change is inevitable — for organizations pursuing heightened future competitiveness and sustained success. Most organizations will need to adopt agile and continuous delivery practices in important systems, ensuring Chief Information Security Officers (CISOs) overcome significant challenges. We explore the challenges, opportunities and recommend seven ways for CISOs to reinvent themselves and their cyber organization in the era of continuous delivery.
Fifty-one percent of security executives report they have little or no input into the digital transformation agenda.
Challenges and Opportunities for CISOs
Addressing the need for agile methods and the need to sustain adequate cyber security presents certain challenges for the CISO navigating a transforming business landscape. Here are the top six key triggers and challenges organizations are grappling with today.
- An agile delivery model requires more continuous participation by cyber security leaders
Cyber security usually has predefined contact points within a team's detailed planning and work schedule. These typically occur during initial software architecture definition and validation, with a couple of checkpoints ending with late testing and acceptance of the solution. Today, modern application security replaces the typically predefined interactions in the software lifecycle with more frequent interations that increase dialogue, collaboration and efficiency. How do organizations re-organize cyber security to support this interaction, either through staffing, automation or clever methodological work-arounds?
- An agile friendly cyber department needs to increase its understanding of modern software development dynamics and techniques
It's not rare today to see cyber departments hiring software developers possessing a strong understanding of modern dynamics and training them in cyber security. Some digital native organizations are going even further by hiring CISOs with a development background or promoting CISOs from their development ranks. How do organizations incorporate this modern development into the cyber security team?
- Cyber friendly software development is needed for effective cyber security to flourish
Software development teams need to incorporate cyber security throughout their organizational structure and strategic initiatives. It's similarly important for development teams and cyber security professionals to bridge the gap between them. How do organizations ensure siloes are broken down and collaboration is at the center of everything they do?
- Autonomous development teams and high automation may pose a segregation-of-duties challenge if not properly designed
In a siloed, stage-gate process - in which each software development stage is separated by a so called 'gate' requiring approvals before development moves to the next stage - segregation of duties (SOD) is easy: those who develop do not certify production readiness and those who deploy do not develop. This strict separation of duties frequently creates prioritization and agenda conflicts between siloed development teams and security professionals.
- Continuous, rapid delivery may require tradeoffs
A key capability in delivering software successfully is reducing batch size so that new releases can happen more often. A challenge for organizations is the level of acceptable production risk allowed in favor of a faster release. Doing so may look risk friendly from a traditional perspective but poses both a technical and organizational challenge to the modern cyber organization.
- Increasing cloud usage poses a moving security target
A pure DevOps organization will tend to make heavy use of cloud capabilities, creating a 'moving target' in terms of security infrastructure. As applications scale up or down to meet user demand, the lifespan of infrastructure may be significantly shorter than that of traditional hosts in a data center. The challenge is that the cost can be higher than traditional virtual hosts, creating a different class of organizational risk.
Cyber security capabilities need to match the agility of the digital organization, adapting to meet the fast-changing needs of stakeholders with the right mandate to enable digital transformation.
Reinventing the CISO
- Flow - the need for continuous participation versus discrete control points
With the acceleration of development practices, security teams must adopt strategies that meet increased throughput. Security should provide flexibility that empowers developers to focus on product delivery without compromising acceptable organizational risk.
- Secure development evangelism - the need for security skills on construction teams
Although organizations can implement any number of new tools or processes, a strong change-management system is crucial to ensuring successful adoption.
- Delivery mindset - educating cyber security teams on agile principles
Just as it is crucial to promote the importance of security organization-wide, the security team must also understand the full impact of an agile approach. The security function must integrate itself as a vital partner to the organization and its diverse teams.
- Cyber automation - the need for control automation
In order to accelerate security as agile methods emerge, investment in strategic automation must be implemented across the software delivery life cycle (SDLC) to ensure the longevity of security programs within the organization.
- Cyber telemetry - the need for cyber security insight along the software lifecycle
The modern digital business is driven by data. There is an opportunity for security systems within the organization to utilize appropriate telemetry and feedback tools where possible. Proper use allows security to put risk reduction into a tangible report while also examining the effectiveness of various security controls across the organization.
- Cyber-debt management - the responsible management of cyber security trade-offs
IT and development must manage technical debt, which is a result of choosing a quickly implemented solution that costs more in the long term versus choosing the right sustainable solution which may be more of an expensive investment up front. The implied cost/tradeoff of choosing a limited but more rapid solution (or technical attributes) instead of an enhanced solution requires more time and cost. Security teams should also manage ‘cyber debt’ that can be accumulated in an agile organization.
- Expanded vision - securing an expanding infrastructure
Just as security must adapt to the speed of product delivery, it must also adapt to the increased scope of technologies used in faster delivery. Containers, cloud hosts, virtual machines — all come with their own set of security considerations that seem to increase the workload for security. Securing an expanding infrstrcuture is crucial.
Preparing for the journey ahead
- Does my team possess the appropriate skills to promote and sustain a more innovative, experimental and collaborative culture?
- Does my strategy going forward promote increased collaboration at every step to ensure organization-wide alignment of goals and evolving capabilities?
- What is our current understanding of agile operating models and development methods?
- Am I having conversations with peers (CTO, CIO) about more agile methodologies and how closely aligned KPIs and objectives are across the various departments?
- Am I having informed and ongoing conversations with C-Suite leaders on the role of cyber security within innovation?
|Download the full report (PDF 1.6 MB) - The seven ways of the agile CISO|