This post was previously published on The New Stack
Want Real Cybersecurity Progress? Redefine the Security Team
The state of cybersecurity today is, in a word, catastrophic. Breaches have become endemic: not only do they continue at dizzying rates, they are growing more frequent by the month.
Why are things so bad? And why do businesses seem so helpless to make them better?
Those are complicated questions without simple answers, of course – but I believe a major part of the answer is that, at most organizations, security remains the domain of an elite security team. Unlike many other functions, which have been “de-siloed” or even “democratized” across the business, security remains the mission of security engineers and analysts alone.
If businesses want to see progress on the cybersecurity front, they’ll need to change this state of affairs by making security a collective responsibility. Here’s why and how.
What’s Not Solving Today’s Cybersecurity Challenges
Before discussing why collective responsibility for security is the key to making real progress in the war against cyberattacks, let’s first observe which cybersecurity solutions are clearly not working — at least not on their own.
To be clear, I’m not suggesting that any of the resources or practices described below are bad ideas. They have all helped organizations cope more effectively with security threats. They have not, however, definitively solved our pervasive cybersecurity challenges.
Today, the typical security team has an extensive set of sophisticated tools at its disposal. From SOAR (security orchestration, automation and response) platforms, SAST and DAST (static and dynamic application security testing) scanners to CSPM (cloud security posture management), threat intelligence databases and beyond, modern security teams can draw on a litany of tools and resources that, for the most part, didn’t exist a decade ago.
These tools mean that security experts have a greater ability than ever to automate threat detection and remediation, secure software supply chains, hunt for threats, and so on.
Yet, the attacks continue.
DevSecOps and Shift-Left Security
New security philosophies — above all, DevSecOps and the closely related concept of shift-left security — are in the same boat. Over the past five or six years, DevSecOps has encouraged security engineers to collaborate more closely with developers and IT operations teams, leading to a partial de-siloing of security.
That’s great. DevSecOps makes good sense. But here again, if DevSecOps were the key to cybersecurity success, we should be seeing better results by now. In reality, the trend has gone the other way. Although roughly 70 percent of developers have embraced DevSecOps and shift-left security, their organizations are more likely than ever to be breached. As DevSecOps adoption has surged, so has the frequency of cyberattacks. That is not to say DevSecOps causes breaches, but it plainly has not been enough on its own to prevent them.
You could draw similar conclusions about compliance. Mandates designed to protect digital privacy have grown considerably stronger over the past several years, with regulations such as GDPR and CCPA/CPRA coming into force.
Although these laws may have driven more secure data management practices at many businesses, the overall state of cybersecurity has only gotten worse since they took effect. Here again, we’re not seeing real progress.
A New Solution: The Shift to Collective Security
The strategies described above share one trait: they all leave security mostly in the hands of an elite security team. No matter how many security tools a business buys, how far left it shifts security, or how many compliance rules it enforces, security operations remain the realm primarily of security engineers and analysts (perhaps with a bit of help from developers and IT Ops teams at businesses that take DevSecOps seriously).
That fact is part of what makes the concept of collective security so innovative. It fundamentally breaks a mold that has been in place for decades: the mold that forces a single team to “own” security across the entire business, leaving little opportunity for stakeholders who are not security experts to contribute to security initiatives.
By shifting to a strategy in which security is everyone’s responsibility — and, just as important, in which everyone can define security rules and validate resources without having to know how to code or use sophisticated security tools — businesses make it possible for everyone to understand the state of cybersecurity in their organization and to help enforce cybersecurity standards.
That’s not to say that the cybersecurity team should go away. On the contrary, placing security in everyone’s hands only makes the cybersecurity team more important and more valuable. It frees security engineers to focus on truly complex problems and to get the most value out of the specialized tools that only they know how to use. More mundane security tasks — like configuring line-of-business tools and services to integrate with security scanning, or defining security governance rules for a particular business unit — can be handled by “ordinary” users, with no development or elite security skills required. The security team’s job then shifts to setting the guardrails: deciding which kinds of rules non-experts may define, reviewing the rules they write, and making sure a permissive rule from one business unit cannot silently weaken policy for the rest of the organization.
In short, cybersecurity is still in a broken state, and the solutions we’ve tried so far haven’t even managed to hold the line. We need true innovation: empowering everyone in the business to drive security operations instead of placing that burden on an overworked elite security team.