We all know the cliché, “IT security teams always say no!” but what does it mean for security to be a business enabler? The answer is to be proactive. This means being on the front foot, having all the controls in place to manage innovation risks and freeing up the business to explore its goals. Understanding and managing innovation risk is extremely important but is often given little attention by reactive Information Security teams until they are called on to respond to an incident. A common industry example of innovation risk is taking shortcuts in the cloud due to time pressures or knowledge gaps, leading to cloud misconfigurations and exposure of sensitive data.
Let me demonstrate by sharing some examples of proactive security in my current organisation, a UK insurer going through a digital transformation.
Driving behaviour with near real-time KRI dashboards: Not every vulnerability or misconfiguration is the same. Some carry more risk than others, and simply using the severity reported by your scanner to prioritise work will completely overburden your development teams. Apply your own logic on top of the scores from your vulnerability tools by considering whether the asset is in a production environment, is reachable from the internet, is exploitable or likely to become exploitable (EPSS), processes sensitive data or is mission critical. Have visual dashboards to measure your KRIs at Exec, Tribe and Squad levels, with different buckets for your SLAs. For example, a severity 1 bucket for production vulnerabilities or misconfigurations severe enough to need fixing within 24 hours, a severity 2 bucket for 7 days, and so on. There is nothing like a KRI dashboard to drive behaviour, particularly if it is visible to the risk committee!
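As an added illustration of the contextual scoring described above (example code, not the author's own tooling), this Python applies point weights for production status, internet reachability, EPSS, sensitive data and mission criticality on top of the scanner severity, maps the total to an SLA bucket, and rolls the buckets up into a squad-level KRI view. The point weights, the EPSS threshold, the SLA hours and the sample findings are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
# Added example: contextual re-scoring of scanner findings into SLA buckets.
# Point weights, the EPSS threshold and the SLA hours are assumptions for illustration.
SLA_HOURS = {1: 24, 2: 7 * 24, 3: 30 * 24, 4: 90 * 24}
EPSS_EXPLOITABLE = 0.10  # assumed: >=10% EPSS probability counts as exploitable

@dataclass
class Finding:
    asset: str
    squad: str
    scanner_severity: str   # "critical", "high", "medium" or "low" as reported by the scanner
    production: bool
    internet_facing: bool
    epss: float             # EPSS exploitation probability, 0.0 to 1.0
    sensitive_data: bool
    mission_critical: bool

def risk_points(f: Finding) -> int:
    # Scanner severity is only the starting point; asset context moves the score.
    points = {"critical": 3, "high": 2, "medium": 1, "low": 0}[f.scanner_severity]
    points += 2 if f.internet_facing else 0
    points += 2 if f.epss >= EPSS_EXPLOITABLE else 0
    points += 1 if f.sensitive_data else 0
    points += 1 if f.mission_critical else 0
    points -= 2 if not f.production else 0  # same weakness outside production carries less risk
    return points

def sla_bucket(f: Finding) -> int:
    # Bucket 1 (fix within 24h) is reserved for production assets.
    p = risk_points(f)
    if f.production and p >= 6:
        return 1
    return 2 if p >= 4 else 3 if p >= 2 else 4

def dashboard(findings: list[Finding]) -> dict[str, dict[int, int]]:
    # Squad-level KRI view: number of open findings per SLA bucket.
    view: dict[str, Counter] = {}
    for f in findings:
        view.setdefault(f.squad, Counter())[sla_bucket(f)] += 1
    return {squad: dict(counts) for squad, counts in view.items()}

# Constructed sample findings, not real assets.
SAMPLE = [
    Finding("web-prod-01", "payments", "critical", True, True, 0.40, True, True),
    Finding("web-dev-01", "payments", "critical", False, True, 0.40, True, True),
    Finding("batch-prod-07", "claims", "high", True, False, 0.01, False, True),
    Finding("wiki-prod-02", "claims", "low", True, False, 0.00, False, False),
]
```

Note that the identical critical finding on the non-production copy (web-dev-01) lands in the 7-day bucket rather than the 24-hour one, which is the point of scoring on asset context rather than scanner severity alone.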
Reducing user friction: Imposing a significant burden on the end-user experience in the name of security will soon push end-users to bypass controls and will generate complaints. A simple example is password expiry. Many systems force users to change their password at regular intervals, typically every 30, 60 or 90 days. This burdens the user, and the Service Desk incurs the cost of recovering locked-out accounts. Regular password changes do not improve security, so use SSO with MFA to reduce user friction and maintain security at the same time.
Leverage zero-trust to mobilise the workforce: In today's world, business users must work from any location, including occasional risky public wi-fi hotspots. Good segmentation between end-users and critical assets in the data centre, plus the ability to respond to end-user threats immediately when they arise, will provide flexibility for the workforce to work from any location. Many businesses still use traditional client VPNs, which have caused ransomware to propagate from end-user devices to critical assets in the data centre.
Replacing these with zero trust private access will reduce the attack surface to just the web applications the user needs for their role, eliminating the exposure of risky ports and protocols.
Weekly security architecture triage surgeries: There is nothing worse for a security team than shadow IT, a new solution going live without any security engagement. Formal governance, including design review boards, has its place, but it needs to be more convenient for product owners to present their solutions. In an agile workplace, we hold informal surgeries where product owners walk the Information Security team through their proposals, ensuring we get insight into new initiatives early and can feed back on them. Tight engagement between product owners and security architecture is essential in our organisation.
Break glass solution for production support: The utopia is for everything to be fixed through a deployment pipeline. Occasionally, developers need access to production data to fix an incident. Use automation, such as an access broker, to grant privileged access for a limited period to resolve the incident. This avoids large numbers of accounts with standing access to production data, which makes detecting and responding to suspicious activity much easier.
Drop-in appointments for new starters: A developer can have many years of experience but be uncomfortable admitting they are less skilled in secure development practices.
Examples of insecure practices include pushing sensitive code to public repos, including secrets in source code, sharing passwords in Slack channels and a lack of awareness of the most critical web application security risks. Have each new developer spend an hour with a DevSecOps lead, who shows them how to use the deployment tools and sets expectations regarding security practices. Developers appreciate being shown how to get up and running quickly, and it’s a great way to find out whether any new starters need more education than others.
In summary, Information Security can enable the business through a digital transformation by being proactive and having solutions to manage innovation risks before security incidents materialise. Having tight engagement and proactive solutions reduces friction for most users and third parties, freeing the business to explore its goals. If Information Security defaults to a reactive stance, this will result in more risk, more incidents, or a slow pace of the transformation.