- Phil Venables
Cybersecurity Macro Themes for the 2020’s - Updated
There will be 6 major themes that differentiate great security programs, products, features and processes. These are different from overall risk and control trends; rather, they are about the way controls are developed and deployed, and together they represent a single unified theme: folding cybersecurity into systems delivery.
I covered risk trends in a previous post. Control trends all center on continuity: continuous access assurance and least privilege, continuous software assurance and developer-centric tooling, continuous and adaptive micro-segmentation / meshing, continuous control conformance monitoring, continuous anomaly detection, and relentless processes to adapt control frameworks according to threat intelligence (macro and micro). But it is becoming more important to consider how we deploy these controls, rather than simply deploying them and walking away. The 6 themes below represent the needed evolution:
1. Software Security and Reliability
Security goals should be encoded in software and made available to developers as APIs, libraries, toolkits, or design patterns. This should be pushed as early in the design lifecycle as possible. While security has different properties compared to many other risks, it should still be presented as a reliability goal, and security should be fully enmeshed within overall testing frameworks. Even though there should be some degree of independent oversight of security, as there should be for other risks, it is vital to embed security engineering expertise in development teams (developer-centric security engineers, or developers with nurtured security skills). Tool integration becomes ever more crucial when you observe that software is increasingly being developed beyond the engineering teams. No-code/low-code, scripting, analytics, AI/ML and other modeling environments need even tighter embedding.
2. Usable Security and Ambient Control
The user experience of our tools, whether they are customer, employee, partner, vendor or engineer centric needs constant improvement. We need to embrace professional designers for critical components, not only to keep making the secure path the easiest (and default) path but also to create some, dare I say it, enjoyment in how people interact with security. However, we also need to recognize that the most usable security is that which simply blends into the background. Creating such ambient control is extremely difficult and can require going against much accepted wisdom, especially when it relates to training people to not do things that simply should never be offered as options or should have no dire consequences anyway because of controls surrounding our people and customers.
3. Controls as Code
We need to think of controls as code so we can do continuous control monitoring and controls assurance, and move to provable security. I talk about this a lot, for a reason: most bad things happen not because we didn’t foresee the need for a control, but rather because the control we thought we had in place was not present or operational when we needed it the most. We need to understand what controls we should have, and constantly monitor for their correct presence and operation. Then we can treat failures as control incidents irrespective of whether they become security incidents. We should reject controls (products or features) that cannot constantly emit evidence of their presence and operation - irrespective of whether they are otherwise an effective control. Further, we should apply higher levels of assurance to constantly validate the effectiveness of our most critical controls using formal proofs. Those of us with experience of cranking out formal validation on safety-critical systems back in the day should rightly be staggered by the advances made in tooling to support large-scale systems validation. The notion that formal methods don’t scale is going away, and the impact on security, in the long run, will be profound.
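The following is an added illustration of the controls-as-code idea described above; it is example code written for this page, not code from the author or from any product he mentions. Every control is a function that must return evidence of its own presence and operation on each evaluation; the monitor turns missing evidence, a missing control, or a non-operational control into a control incident, whether or not any security incident follows, and an admission gate rejects a control that cannot report on itself at all. The configuration snapshot, control identifiers and thresholds (MFA required, audit events no older than 300 seconds, TLS 1.2 minimum) are constructed for the example.

```python
"""Controls-as-code sketch (illustrative, not from the original post):
each control emits Evidence on every evaluation; a monitor converts
missing or failing evidence into ControlIncident records."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# Constructed configuration snapshot that the controls inspect.
SAMPLE_STATE = {
    "iam": {"mfa_required": True},
    "logging": {"audit_sink": "siem", "last_event_age_s": 30},
    "tls": {"min_version": "1.1"},   # deliberately below the 1.2 threshold
}


@dataclass
class Evidence:
    control_id: str
    present: bool        # the control exists / is configured at all
    operational: bool    # the control is actually doing its job right now
    detail: str
    observed_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class ControlIncident:
    control_id: str
    reason: str


Check = Callable[[dict], Evidence]


def check_mfa(state: dict) -> Evidence:
    iam = state.get("iam", {})
    present = "mfa_required" in iam
    return Evidence("IAM-MFA", present, present and iam["mfa_required"] is True,
                    f"mfa_required={iam.get('mfa_required')}")


def check_audit_logging(state: dict) -> Evidence:
    log = state.get("logging", {})
    present = bool(log.get("audit_sink"))
    # A sink that exists but has gone quiet is present yet not operational.
    fresh = log.get("last_event_age_s", float("inf")) < 300
    return Evidence("LOG-AUDIT", present, present and fresh,
                    f"sink={log.get('audit_sink')} age_s={log.get('last_event_age_s')}")


def check_tls_min_version(state: dict) -> Evidence:
    tls = state.get("tls", {})
    present = "min_version" in tls
    ok = present and tuple(int(p) for p in tls["min_version"].split(".")) >= (1, 2)
    return Evidence("TLS-MIN", present, ok, f"min_version={tls.get('min_version')}")


def check_silent_control(state: dict) -> Evidence:
    # Models a hypothetical product with no status interface: it can never
    # emit evidence, so the post argues it should be rejected outright.
    raise RuntimeError("control exposes no status interface")


CONTROLS: Dict[str, Check] = {
    "IAM-MFA": check_mfa,
    "LOG-AUDIT": check_audit_logging,
    "TLS-MIN": check_tls_min_version,
    "SILENT": check_silent_control,
}


def admissible(check: Check, state: dict) -> bool:
    """Admission gate: a control that cannot emit evidence is not accepted,
    regardless of how effective it might otherwise be."""
    try:
        return isinstance(check(state), Evidence)
    except Exception:
        return False


def evaluate(state: dict, controls: Dict[str, Check]
             ) -> Tuple[List[Evidence], List[ControlIncident]]:
    """One monitoring cycle: collect evidence, raise control incidents."""
    evidence: List[Evidence] = []
    incidents: List[ControlIncident] = []
    for cid, check in controls.items():
        try:
            ev = check(state)
        except Exception as exc:
            incidents.append(ControlIncident(cid, f"no evidence emitted: {exc}"))
            continue
        evidence.append(ev)
        if not ev.present:
            incidents.append(ControlIncident(cid, "control not present"))
        elif not ev.operational:
            incidents.append(ControlIncident(cid, f"control not operational: {ev.detail}"))
    return evidence, incidents


if __name__ == "__main__":
    ev, inc = evaluate(SAMPLE_STATE, CONTROLS)
    for e in ev:
        print(f"{e.control_id}: present={e.present} operational={e.operational} ({e.detail})")
    for i in inc:
        print(f"CONTROL INCIDENT {i.control_id}: {i.reason}")
```

Run on the constructed snapshot, the cycle records three pieces of evidence and raises two control incidents: TLS-MIN is present but not operational (1.1 is below the 1.2 threshold), and SILENT emitted no evidence at all. Neither is a security incident; both are tracked as control incidents, which is the distinction the post draws. In a real deployment the evidence records would be shipped to a store so that the control's history of presence and operation is itself auditable.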
4. Operational Resilience
This is not just another way of saying cyber-resilience. Rather, as described in this post, this is taking a business-service view of resilience across multiple risk types by considering more severe, but plausible, scenarios. New security controls implemented as products, features or processes must be used in support of defined operational resilience goals rather than increasing brittleness.
5. Adjacent Benefits
Implementing or sustaining a control that is effective is simply the start. It will be expected (if not outright demanded) that what we do also delivers one or more adjacent benefits, for example: reduce cost, increase efficiency, eliminate more than one prior product, increase productivity, reduce customer friction, break data out of silos while still preserving essential privacy properties, enable new business in new locations, permit products to launch that could not previously have been adequately protected, and so on.
6. Strategic Use of Suppliers
In the original version of this post I stopped at the 5 themes above. But it has become clearer to me that there is one more prevailing, and massive, theme: how suppliers are used. Most organizations have never been able to meet all their own security needs and so have used products and services to augment their own capabilities. This is, of course, true beyond security. Many organizations are now an assembly of parts and services delivered by external suppliers and woven together through APIs. These services are typically cloud delivered (IaaS, PaaS, SaaS and more) and range from simple functions to whole business processes. The strategic differentiation in using such suppliers is not just centered on assuring their security and resilience, though that is clearly critical, but rather on how those suppliers are used to enhance the security of the organization. This could be as simple as sitting back and making sure you take every update they give you - tapping into their network effects. It can be the wider goal of how you (and others) drive suppliers to build in more controls and to work together to create new security capabilities. Even more broadly, the strategic use of a collection of suppliers working to achieve your risk mitigation goals can deliver orders of magnitude more capability than doing this yourself. Consider the ability to integrate the services (by API-driven control plane and data plane integration) of your identity/authentication, fraud monitoring, security services and compliance/trust reporting.
Bottom line: more is rightly expected of us as individual professionals and collectively as an industry. Our goal is not to further set ourselves apart but rather to further embed ourselves. Following these 6 themes - with some fervor - will point us in the right direction.