Applying security to operating models requires collaboration

Too many organizations have historically gone for speed over protecting their data and systems. It is not a decision of one or the other. It’s time to start asking, “How do we actually implement both? “

Continuing education in balanced development – the notion of speed and risk can be addressed simultaneously – is essential. Many organizations have embarked on this path, but they are at varying levels of maturity. However, advice is always useful regardless of an organization’s stage of development.

Security spending doesn’t pay off

When developing an operating model, organizations naturally focus on their business needs and how technology can meet those needs, not on security. Today’s cloud-based digital environment rife with mobile apps has forced organizations to focus on speed and delivering new capabilities – again, not security.

Many organizations use DevOps software development and a continuous integration / delivery pipeline. These tools quickly create new services, but without worrying too much about security.

As a result, C-level business leaders face a mismatch between their security priorities and the results of their program. Executives are willing to spend money on security, but reports come back to them showing technical merits rather than verifiable mitigation of business risks. The key questions about an organization’s risk relate to its resilience and ability to minimize the costs associated with breaches and insurance. Many of these questions often go unanswered.

A growing threat

The increase in increasingly sophisticated and damaging cyber attacks continues to reinforce this disconnect. Attacks on SolarWinds, Colonial Pipeline, and JBS exploited security vulnerabilities to target critical data and sectors.

Business leaders understand the importance of security and risk management – often a recurring topic on boards. Yet the evidence still shows that security is not really built into all organizations.

We know what to do; we just don’t know how to do it. A clear operating model to balance speed and security is lacking in the industry.

Organizations scramble to meet this challenge, but many find themselves working in the dark. Fortunately, industry groups are showing organizations how to integrate security into a digital business model.

Balancing development

Safety is traditionally seen as a technical activity. It has since become a fundamental business activity. As a result, a gap has developed between DevOps teams and the security needs of the business. Attackers focusing on business-critical data during recent high-profile breaches make this point.

Security in the development process must start at the top and involve all stakeholders in the areas of business and security. A security reference architecture will help companies assess risk by identifying their risk tolerance, highlighting gaps, and revealing what needs to be done from an investment perspective.

In general terms, an operating model shows how a system will operate from a process and integration perspective. A reference architecture reveals the specific elements that need to be considered from a skills and capability perspective. By aligning the operating model and the reference architecture, stakeholders can work together to truly integrate security into business operations.

Collaboration is the key

Groups and companies share information on reference architectures across the industry. Microsoft, for example, shares reference architecture use cases ranging from zero trust to cross-platform capabilities. The Industrial Internet Consortium supports projects such as a Common Reference Architecture for IoT. The DevOps Bookmarks site also offers a host of reference implementation tools.

No organization can do this work on its own. For now, standards groups and consortia are working tirelessly to educate and inform organizations. The future of a balanced cybersecurity model depends on collaboration between DevOps and security teams.

About the Author
Altaz Valani is the Director of Insights Research at Security Compass
. Prior to his current role, Valani was Senior Research Director and Executive Advisor at Info-Tech Research Group, providing advice on Application Development, Application Rationalization, Agile, Cloud, Mobile and Software Development Lifecycle. Valani is currently Vice President of the Open Group Security Forum, is a member of the SAFECode Technical Steering Committee, and sits on industry working groups at IEEE, Cloud Security Alliance, OASIS, and Object Management Group.

Source link

Previous Judge orders elderly woman with "full mental faculties" to sell land
Next How is the market? Tips for Selling Your Home Quickly - The Ukiah Daily Journal

No Comment

Leave a reply

Your email address will not be published. Required fields are marked *