I recently attended the Gartner Symposium ITXpo in Orlando, with nearly 10,000 other CIOs and IT leaders. It was an exciting week with conversations concentrated around the future of technology, advancement in healthcare, machine learning, augmented intelligence, cybersecurity and privacy.
Most strikingly, in each session and in nearly every individual conversation I had, there was a running, consistent theme: Digital Transformation.
No matter the size, scope or industry of their organization, nearly every individual I talked to at the event was either already embarking on or planning for the journey of digital transformation. This even included people from departments in the public sector that have been especially inundated with legacy systems and processes.
At its core, Digital Transformation is a mindset. It's about transforming process and culture. The transformation is fueled by the adoption of Cloud, DevOps and Automation. It is a shift from centralized systems, waterfall development and functional teams to distributed computing, agility and shared responsibilities.
Why? The why that drives the decision to tackle such a large, complex change should be substantial. It should be impactful. Why do established, profitable organizations invest millions of dollars and thousands of hours into a painful change that seemingly leaves them exactly where they were when they set out? Because of where it allows them to go with the most important measurable outcome: the customer experience (both internal and external).
With digital transformation ...
- External customers experience better products, faster.
- Internal customers (employee and developer) experience the freedom to work anywhere on any device, to choose the best tools, empowering them to experiment, fail fast and innovate.
That is why digital transformation matters.
So, what does this mean for the security and compliance industry? Where are we in our digital transformation journey? Security was built on the concept of walls (layers of defense), stringent processes, separation of duties, the confinement of systems and restrictions on users. It is the anti-customer experience.
My week at the Gartner conference reminded me of my first-hand experience at Fidelity Investments. I was the head of software security for Personal Investing, an organization within Fidelity that had gone through a massive transformation to become a digital technology company first, and a financial services firm second. Personal Investing was obsessed with better customer experience, and wanted to compete with the Fintech disruptors. As part of the transformation, we started distributing the responsibilities of security. We moved the task of security from a wholly centralized enterprise functional team to the technology organization within the business unit, and then eventually to each individual scrum team. We started "digitalizing" security control points, traditionally enforced by people and process, into code via automation.
Security and compliance need a digital transformation. But how do we accomplish this?
Keep it simple. Keep it open. Keep it going.
You don't need a large number of commercial tools and solutions, an army of consultants or an encyclopedia's worth of manual processes to build a complete and sound security operations and compliance program.
First, assess what you do have and focus there.
- If you are using AWS, G Suite, GCP or Azure, you likely already have a good set of cloud-native controls at your disposal, including capabilities like single sign-on (SSO) and multi-factor authentication (MFA).
- Or the Config and GuardDuty services in AWS.
- And of course, the correct usage and configurations of your VPCs and Subnets, Security Group rules, and IAM policies.
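As an added example (not code from the original post, and not LifeOmic's or JupiterOne's own tooling), the Python below turns two of the configuration items just listed into repeatable checks: it flags security groups that expose administrative or database ports to the whole internet, and IAM policy statements that grant `Action: "*"` on `Resource: "*"`. It runs offline against snapshots shaped like the JSON that `aws ec2 describe-security-groups` and an IAM policy document produce; the sample groups, policy and the set of "sensitive" ports are constructed assumptions, not values from the post.

```python
"""Offline audit helpers for cloud-native controls.

Input shapes mirror the AWS JSON for security groups and IAM policy
documents so a real snapshot can be dropped in; the SAMPLE_* data below
is constructed for illustration only.
"""
from __future__ import annotations

from typing import Any

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Assumption: ports that should never be reachable from the entire internet
# (SSH, RDP, MySQL, PostgreSQL, Redis, MongoDB). Adjust to your environment.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def _port_range(perm: dict[str, Any]) -> tuple[int, int]:
    """IpProtocol "-1" means all traffic, i.e. every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _is_public(perm: dict[str, Any]) -> bool:
    """True if any source range of the rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_open_sensitive_ingress(groups: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per group whose public ingress covers a sensitive port."""
    findings = []
    for group in groups:
        exposed: set[int] = set()
        for perm in group.get("IpPermissions", []):
            if not _is_public(perm):
                continue
            lo, hi = _port_range(perm)
            exposed.update(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed:
            findings.append({
                "GroupId": group["GroupId"],
                "GroupName": group.get("GroupName"),
                "Ports": sorted(exposed),
            })
    return findings


def find_admin_wildcard_statements(policy_document: dict[str, Any]) -> list[str]:
    """Return the Sids of Allow statements granting Action "*" on Resource "*"."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Constructed sample data: one acceptable group, one exposing SSH, one open to
# everything over IPv6. Group IDs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-00000000000000001", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

# Constructed sample policy: only "FullAdmin" should be flagged.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"},
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
]}


if __name__ == "__main__":
    for f in find_open_sensitive_ingress(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): public ingress on ports {f['Ports']}")
    for sid in find_admin_wildcard_statements(SAMPLE_POLICY):
        print(f"policy statement {sid}: Allow * on *")
```

The same functions run unchanged over the output of `aws ec2 describe-security-groups` (the `SecurityGroups` array) and a decoded policy document, which is how a check like this ends up as a scheduled job or a pipeline gate rather than a one-off review.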
Next, look for gaps.
- Or `OSSEC` for host-based intrusion detection.
- Or `osquery` to easily instrument your user endpoints for visibility and configuration compliance.
Remember, the goal is to make your security controls work efficiently and effectively together, not to buy the best out-of-the-box product.
Every time you add a tool, you introduce new complexity and cost (both in resources and time). This increases the likelihood of new gaps and risks in your overall security posture.
Complexity makes it easy for attackers to hide their tracks. Simplicity makes it easy for you to spot them.
You want to embrace a culture of transparency in your organization, where security policies and operations are discussed and enforced openly rather than behind closed doors among just the security team. You want your entire technical and engineering team to have direct visibility of security events, alerts and vulnerabilities so that they can more effectively help with remediation. Otherwise, security teams are just "in the way" of security.
You want to engage your users, not distance them. You want to empower your users to help you in the effort to maintain security, not turn them against you.
Your security policies should be easy to understand for anyone in the organization, and the procedures should be simple to follow. Find ways to say "yes" to user requests for access to technology and applications. This keeps the requests front and center and the organization innovating. Saying no too often leads to your users actively avoiding you in the process or finding ways to bypass the controls that you thought were protecting them.
Embracing openness also means you should get external, crowd-sourced help. For example, you can have a responsible disclosure or bug bounty program so that users and white hat hackers can proactively and responsibly inform you of any security findings before they become a breach. This can be as valuable as, or more valuable than, typical once-a-year external penetration testing.
Being secure at one point in time only matters for that point in time. It means nothing for your organization's future. The goal, instead, should be a reliable, scalable, on-going security operation. To do that, you must rely on automation to build security into your DevOps pipeline and your business processes, and to continuously monitor and instrument your environments and controls.
In a digital organization, changes are quick and constant. If your security operations cannot keep up, they go from being gatekeepers to bottlenecks and quickly get left behind, pushed aside or simply forgotten.
Security operations, very much like agile development, need to iterate and continuously improve.
Simple, open, continuous.
Now, that's how digital security is supposed to be.
This is how we built the security and compliance program at LifeOmic, a digital-born, cloud-native technology company. We take a data-centric approach to managing risk and information security. For example, we leverage technologies like multi-factor authentication and the assume-role capability in AWS to establish on-demand temporary access. We develop lots of automation to create an immutable deployment pipeline with automated change approvals. We rely on the ephemeral nature of cloud resources to constantly keep our environments up to date while dramatically reducing the possibility of attacker persistence and limiting the blast radius.
Modern Cybersecurity Manifesto
The process was eye-opening. The whole industry needs to wise up to the idea that it isn't about the tools or the rules or frameworks. It's the mindset that matters. The mindset is what can bring an organization to a halt when it could be accelerating.
This became our own modern cybersecurity manifesto: https://securitymanifesto.net.
You can check out more details of the top ten principles of our security architecture and operating model on our website: https://lifeomic.com/security.
- Assume compromise; but expose no single point of compromise.
- Track everything since you cannot protect what you can't see.
- Engage everyone for there is power in the crowd; two is stronger than one.
- Automation is key because people don't scale and changes are constant.
- Build products that are secure by design and secure by default.
- Favor transparency over obscurity, practicality over process, and usability over complexity.
We used this mindset and operating model at LifeOmic. With the model in place, combined with the automation that we built, we achieved base compliance in a mere three months and received a higher level of certification six months later. That is digital transformation for the security industry.
We did not stop there. We want other technology organizations and digital teams to experience security and compliance the way we have. Earlier this year, we released JupiterOne, aimed at simplifying digital security, by providing continuous instrumentation and monitoring of cloud environments and controls, as well as automated reporting and evidence collection for compliance.
We use JupiterOne as a single source of truth, a place where data is continuously ingested and consolidated, for anyone on our team to ask simple questions and get the right answers back about our digital environments, resources and controls.
Again — Simple, Open, Continuous — that’s how digital security is supposed to be. (aka the SOC for modern cybersecurity)
The digital transformation is coming. Are you ready?