Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

11/30/2016
10:00 AM
Kevin O'Brien
Commentary

The Rise Of SecBizOps & Why It Matters

By aligning security dollars and technology with core business requirements, infosec can become a business enabler, not a business impediment.

The term "DevOps" was popularized in 2008 in reference to the cultural movement that emphasizes collaboration and communication between software developers and IT leaders while automating software delivery and infrastructure changes. The goal of the DevOps movement was to break down the informational silos to make software development, testing, and releasing faster and more reliable. 

Eight years later, we have found that the DevOps movement must be expanded to incorporate the growing importance of cybersecurity. We are now in the era of "SecBizOps" – a crucial next step in protecting sensitive information from increasingly advanced and destructive cyberattacks.

The widespread adoption of cloud services over the past five years has driven a populist shift in the business technology landscape; as organizations flock to the cloud and embrace productivity-boosting tools like mobile corporate messaging and email platforms, business apps have become increasingly democratic, empowering a rapidly expanding base of ordinary users to communicate and collaborate with ease. This growing transfer of business activities and data to the cloud has given rise to the demand for SecBizOps.

SecBizOps applies the DevOps philosophy to breaking down informational silos between IT and departments like finance, marketing, and sales. The goal is to natively integrate a frictionless information security strategy into user workflows – one that complements rather than conflicts with technology-centric security investments.

Furthermore, SecBizOps uniquely tackles today’s toughest IT and cybersecurity challenges, namely:

  • Supporting always-on employees and their systems;
  • Supporting mobile devices and BYOD: the always-on access to critical business infrastructure results in the disappearance of a concrete perimeter; 
  • Improving user experience: the increase in technology’s use and ease of use brings with it greater UX expectations. If security is too complicated and requires too much deviation from their usual workflow, employees will find a way around it;
  • Protecting employees: the rise of social engineering/non-payload attacks means that just securing systems isn’t enough anymore. Organizations must secure humans as well. 

Why SecBizOps Matters
In this environment, IT and security teams must work together to make cybersecurity strategies integrated, automatic and visible to the business users themselves. However, many of them do not know how to do this effectively.

The key to stopping cyberattacks is not more tools but a shift in mindset. One of the trends we see is that bolstering detection capabilities is more effective when coupled with automated response capabilities and preventive controls that inform and guide behavior rather than prohibit users from working. For the average end-user, security should be front and center, but only when security is relevant.

Security awareness training also needs to be re-tooled. Instead of simulating false attacks, IT and security teams need to find better ways to alert users in the moment that they are exposed to real ones – and give them the tools to get involved and help make a difference in their own security.  

As part of this evolution, IT and security teams must keep in mind that SecBizOps is a cultural shift and not yet another tool that promises more than it delivers. Our current outdated mindset has led IT leaders to invest billions in perimeter-based security solutions and training, despite the near-complete erosion of the traditional perimeter as we know it. These integrations are complex, highly expensive, and ultimately ill-suited to address the most effective low-volume, hyper-targeted types of attacks that we see today.

Tom Shultz of Gartner Research pointed out at last year’s Security and Risk Management Summit in London that the paradigm for training, behavior-shaping, monitoring, and employee-enabling technologies will shift as organizations respond to a technological landscape that embraces cloud services, mobile access to corporate messaging and email platforms, as well as growing freedom for employees to use technology in new ways.

Getting Security to "Just Work"
This shift puts SecBizOps on the front line of enterprise security because users – especially non-technical users – increasingly expect security to "just work." In other words, security that is timely, comprehensible, and minimally obstructive will be effective; security that impedes business will not.

But adopting SecBizOps is not as daunting as one may think. First, security and IT teams should take a risk-management approach to their entire security landscape. By implementing security where it will have the highest return-on-investment — for example, by identifying the types of risks that most often lead to large or frequent breaches or loss within your industry or across the market as a whole, and addressing those areas first — it is possible to interweave security into the systems that most need protection.

The simple fact is that nobody really likes security except security professionals. By aligning information security spend and technology with the core requirements of the business, it becomes a business enabler, rather than a business impediment. As one CISO put it in a case study we performed some years ago, this alignment of need and technical capacity is akin to "getting out of the business' way, but ensuring that the right protections are in place to keep it on the right path even as its speed increases."

The technological landscape will change, first and foremost. What we see today as the systematic set of interaction points between executives, trusted partners, and vendors (email, chat, CRM, web, social, etc.) is incredibly dynamic. One of the challenges for a SecBizOps-aligned team is thinking not in terms of point solutions for technologies, but rather in terms of the hub-and-spoke model of infosec. 

This is a view in which data (the hub) is accessed by myriad platforms and products (spokes). Security that exists at the center of the model and protects against types of threats becomes a scalable center, whereas products that focus on the deficiencies or vulnerabilities of spoke-level technologies are commoditized at best, and distracting at worst.

We see the foundation of a SecBizOps approach to be around securing against deception-based attacks. Two years ago, the term was "targeted attack protection," which doesn't adequately convey the character of the kinds of threats that business users face from attackers in the wild. Instead of thinking about targets, SecBizOps looks at tactics, and informs a security approach that aligns to those tactics more directly than in previous generations.


Kevin is GreatHorn's CEO and Co-Founder. With a background in the cybersecurity industry that began in the late 1990s with the seminal security firm @stake (now Symantec), Kevin has held multiple senior executive roles in Boston-area startups, and is a frequent speaker and ...
 

Comments
TriSqueri,
User Rank: Apprentice
12/2/2016 | 9:51:16 AM
Awesome!
Awesome article, Kevin!