This is Part 4 in our four-part blog series for Cybersecurity Awareness Month. Read Part 1 | Part 2 | Part 3.
For the longest time security has been about developing defenses around innovation that has already happened, forcing security to continuously play catch up — a false strategy that has been exploited by adversaries for years. To discuss this issue and why security first is so important, we got time with CrowdStrike’s executive leaders Mike Sentonas, Chief Technology Officer, and Amol Kulkarni, Chief Product and Engineering Officer.
To start, how did we get here, and what is the biggest challenge for security professionals who are trying to elevate security as a business priority?
Amol: Security is too frequently an afterthought and almost always it is underfunded to the extent that it becomes ineffective very quickly as the threat landscape evolves. We need to get the right attention to the real issues that need to be tackled. Although awareness among company boards has increased recently, it is still too little, too late.
Mike: Agreed and it won’t be long before the idea of “boardroom issue” becomes a cliché. In the 2021 World Economic Forum Global Risk Report, cyber risk is highlighted as a global risk. Instead of asking “how do we not get breached?” organizations should be asking “how do we address security long term?”. From a security perspective, security professionals have not done enough to align security with the rest of the business and get the rest of the business to think of security as a key element enabling their core business operations rather than being another cost.
What has that attitude led to, where are we now, and how has it impacted the perception of security?
Amol: Historically cybersecurity has been implemented as an external control, and the word “control” itself highlights the approach security teams have had to take. Rather than working hand-in-hand with the business to bake in security from the get go, with a joint one-team approach, the external control approach has caused security teams to be seen as adding friction and delaying the time-to-fruition of the business ideas. The other problem has been the quality of legacy security products which were designed to be reactive to new threats and were not sensitive to the overhead on the end user. Due to this, security products became a target of criticism and blame from end users as they blocked people from doing their day-to-day jobs well.
Mike: Many elements of cybersecurity have had some negative trade-offs on user experience or placed an additional mental tax on end users. A good example of bad user experience is legacy AV software that took up significant amounts of system resources, caused painfully long system boot times and often brought entire systems down during intensive scanning. Mental taxes are readily apparent when considering things like proper password hygiene. Policies often required users to remember multiple long and unique strings, and to add insult to injury they would all regularly have to change without reusing any old ones.
So, it is pretty obvious from what you have just said that the shift to a security first/security transformation approach is the right one. What does security transformation mean to you, and how will it change the perception of security?
Mike: I see two key themes in today’s ongoing security transformation. The first is the rapid adoption of working from home. This has necessitated a shift from traditional perimeter security to a more modern cloud-native approach with heavy reliance on identity and Zero Trust to close new gaps.
The second is the adoption of IT and development practices that integrate security into their design as a core foundational requirement rather than adding it in as an afterthought. Nowhere is this more readily apparent (and valuable) than in the DevSecOps paradigm.
As we have discussed above, cybersecurity has had a reputation as an inhibitor due to negative trade-offs associated with older technologies and techniques. Today’s security transformation can take advantage of more modern approaches that provide enhanced security benefits without many of the inhibitors. For example, modern Single Sign On (SSO) technology allows for secure access to and seamless management of multiple services without requiring users to remember unique passwords for each.
Amol: My opinion is similar to Mike’s. It is thinking about and baking in security from the start of every business initiative. It is using security platforms that are designed to be proactive to stop breaches and which don’t drown the SOC in false positives or cripple end users with too much overhead. They should be so efficient as to be practically invisible to the end user and should show actionable alerts to the SOC teams. But most importantly it is about giving security the needed importance and appropriate budget so that security teams can be truly empowered to stop breaches.
This transformation can make cybersecurity teams and products be friends of people and businesses. They would be seen as enabling business to reduce risk and deliver new initiatives confidently without potential breaches down the road. Security products would be seen as essential enablers of business agility, working at DevOps velocity to implement DevSecOps. This will then attract a lot more talent to cyber security to help bridge the skills shortage.
Thank you gentlemen. To wrap up, can I ask you for your one top tip for how to start the security first adoption?
Mike: Shift their thinking from cybersecurity as a cost to a savings in the form of reduced downtime, decreased business interruption and long-term protection of their brand and customer relationships. Explain to them how much cheaper and easier it is to integrate good security practices from the beginning rather than bolting it on later as an afterthought, or put another way, preventing ransomware from impacting is always cheaper than cleaning up ransomware that has crippled the organization.
Amol: Businesses should ask the security practice what the threats are and understand them thoroughly. Include security as a critical aspect similar to performance, scale and efficiency from the get go. They should also hold the security experts accountable to ensure the threats are real, and the analysis is pragmatic because perfect is the enemy of good. Lastly, the businesses should ensure the security recommendations don’t cripple the day-to-day life of end users or add too much friction to the business.
Additional Resources
Source
Why Your Business Must Put “Cybersecurity First” is written by Mike Sentonas – Amol Kulkarni for www.crowdstrike.com
