Monday, September 10, 2012

Do security like a start-up or get fired - Evolve

This is part of a blog series. For more details, start with the intro.

Evolving IT security teams


If you haven't heard of DevOps, you should do a bit of research. Roughly defined, DevOps is:
An emerging set of principles, methods and practices for communication, collaboration and integration between software development and IT operations. It has developed in response to the emerging understanding of the interdependence and importance of both the development and operations disciplines in meeting an organisation's goal of rapidly producing software products and services.
Re-think how you staff your operations teams or how you assign responsibilities. For example, you may want to re-invent the operations team to attract the best talent there. Believe it or not, I’ve been on an operations team and most of the time, we knew better than everyone else how to improve the system. In fact, we were given the authority to make those changes quickly, as long as we followed the proper development and change management processes.

Independent development teams rarely know how things run operationally. The other side of this is that the operations team rarely knows how something works, especially if they cannot inspect the code. The best development and operations teams are indistinguishable. Most start-ups work in this manner because they are resource constrained. It’s a happy coincidence that DevOps teams are more efficient and can do more with fewer resources.

From a security standpoint, this means all members of the development and operations teams must be security trained. How often have you run into production code that is insecure because the development team did not foresee an operational issue or condition? This also makes for more rugged software.


If you've never heard of the term (rugged software) or read its manifesto, it consists of a list of points, but the two that jump out are:
  • I recognise that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • I recognise that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
Without understanding operations and security, it's very difficult for software to meet these two directives.


Another interesting trend is the need for data scientists on IT security teams. For example, LinkedIn’s former CSO stated at the RSA Conference earlier this year that the security team includes data scientists and analysts to better analyse the information they collect. In IT security today, they are still a novelty rather than the norm. In the consumer space, however, data scientists seem to be the "skill-du-jour" and have been used very effectively (in some cases, too effectively, with extremely unsettling implications around privacy). But they may soon become a core part of every IT security team, particularly around forensics. We talk about the importance of actionable security intelligence. But what does this really mean? Sure, software tools can address some of the needs, but with more and more data being collected, we need data scientists to make sense of it all alongside the core IT security operations team. Together, they make up the human side of security intelligence, which is just as critical as picking the right technology.

Another CSO at the RSA Conference said the following:
"It is better to hire someone who is good than someone who is a specialist."
What he meant was that it’s better to hire someone who has exposure to a range of things and varied experience, rather than someone who knows a lot about one niche area (e.g. cryptography). It is this breadth of exposure that will be key to keeping up with the threats we run into and having to adapt our systems for them. Companies should look for all-rounders with exposure to multiple facets of IT security instead of hiring a team full of specialists in their own niche area of IT security.


The major challenge facing enterprises is that the skills required to manage these changes are not easy to come by. Many of the skills required to handle the rapid changes occurring do not exist in the current teams within the enterprise. Teams will need to be trained in areas that may not exist yet. In addition, smaller, agile companies (e.g. start-ups) have more people skilled in dealing with these evolving trends than enterprises do. The trick will be convincing these types of employees to join an enterprise. This is an almost impossible task in many cases, as employees of smaller companies such as start-ups do not want to work for large enterprises because of the cultural difference and the perceived lack of innovation. To address this perception, change has to start from within.

Next up - Identity.
