Security Concerns (Part 1)
The most frequently mentioned concerns about security revolve around talent/training, complexity, and lack of strategic thinking.
To understand the current and future state of the cybersecurity landscape, we spoke to, and received written responses from, 50 security professionals. We asked them, "What are your concerns with the state of security management?"
Here's the first of two sets of concerns:
- Data protection. Software and hardware protections are in place, but the staff is not properly trained to protect the data. The soft side of security is the training of people and process. These are not regularly tested and updated. People are exposed to phishing attacks that they are not prepared to recognize. They install rogue software on the system. Process, procedures, securing people with soft security with training and updates is critical.
- Application security, in general, is usually something that was a developer area of focus and is now a security issue. Security teams need better education with regards to security threats and APIs. Developers need to be more conscientious about developing secure APIs with the OWASP top 10 for APIs.
- Everything is reactive versus proactive security theater. There is a significant skill and experience gap with little knowledge about effective countermeasures and what the vulnerabilities are.
- The lack of consistency makes organizations easy targets — and the lack of qualified individuals to fill the predicted growth in the industry is concerning.
- Security management is struggling to keep up with new technology that is so easy to adopt. Environments are now multi-platform and leverage new services that may be procured outside of normal processes. The consumerization of IT and public cloud providers have made it easier than ever to add new systems very quickly, which leads to shadow IT and misconfigured resources that are exposed publicly on the internet.
- Security is too complex by an order of magnitude. Security management has gotten to the point where you need a large team continuously operating and running different things. There are a lot of point product solutions. Individual solutions do one thing well but don’t integrate with other solutions. Companies have an average of 42 different enterprise security products in their environment. It’s a nightmare trying to get them to work together well. One version gets out of date and needs to be updated. Vendors haven’t tried to delight their customers. Life is hellish for customers. Security has been a step-son for everybody.
- There are so many aspects and they are constantly changing. The percent of the time spent on regulatory requirements is absurd. The concept of risk management is non-existent. People take risks on things the practitioners look back and don't know what they were thinking. How do you accept a risk that you understand but you are not fixing?
- When you try to think about the challenges of handling so many moving parts that are changing constantly due to the continuous delivery culture. The security management of that and controlling and understanding the blast radius requires a completely different approach to how you deploy a security management tool and what are your incident response practices around it.
- When it comes to the state of security management there are a few concerns that keep me up at night including 1) Overlapping claims: Too many vendors claim they have a magic wand to solve security problems. CIOs are getting bombarded with emails every day from vendors claiming they have the next-gen solution. Proofs of concept can only go so far and are limited in scope, so when a customer really needs something, or they have been breached, then the vendor will say ‘it’s not in scope’ and then they are left with a useless solution. Or, the feature they need is on the roadmap and isn’t live yet. 2) Growth of the attack surface: Business expansion has created an almost incomprehensible number of endpoints that serve as attack vectors for breaches. This means that while SIEM became the norm for historical security data, attackers began to use all available data, not just security data. SIEMs can no longer handle the volume of structured and unstructured data available to the security operations center. The landscape has changed: all data is security data. SIEMs are an important piece of the puzzle, but you need more. 3) TCO was prohibitive, until now: The cost for centralized log management solutions to log all data can be astronomical based on the high levels of machine data digital businesses are generating. To keep costs in check, businesses generally keep one or two weeks of historical data in their logs, and back the rest up to tape or another backup storage type. The problem? You can’t threat hunt tape. However, some tools today deliver full capabilities at a much lower cost, so you don’t have to let cost constraints compromise your security.
- Too complex. Way too many moving parts, variables, data. Lose the primary focus of reducing risk and not running a good security program. Finding qualified people is challenging. You still need security experts within your program. You can only automate so much. It’s OK to partner with an MSSP.
- The only real concern is it is too complicated for people to understand the message they are receiving. We are moving to a world where the software will deal with it for you. Too much reliance on humans to understand quickly enough to take the right actions.
- 1) Today’s analysts are overwhelmed — almost numb with the number of data/alerts coming at them. 2) Leading analytics are saying in some cases — only 4 percent of the alerts today are being investigated. 3) There is a community of bad guys; there needs to be a community of good guys that work together in more effective ways.
- 1) One concern is when organizations apply security measures created for a different era of computing to try to solve current problems. For instance, tools meant to protect private data centers are woefully under-equipped to manage the security problems that clouds or hybrid environments face. 2) Additionally, the attack surface for companies has increased significantly. Whether it’s increased network topology across multiple clouds, access points, CI/CD platforms, public records, and the like, the amount of information exposed or that has the potential for exposure has increased significantly.
- It’s time to acknowledge that we can no longer rely on passwords to secure access to sensitive data systems. Enterprises should look for ways to extend multi-factor authentication to all their sensitive systems. New solutions can now enable them to protect any system without requiring any software agents, proxies or special integrations. In addition, there is a need to continuously evaluate risk levels and step-up authentication requirements when risk levels are high, to ensure only authorized personnel can access our sensitive systems and data.
- The largest issue is still a lack of understanding of what realistic security for an organization is or should be. Fighting the war based on the battle is not a good proposition. After an organization falls prey to malware, e.g. a virus or ransomware, then the focus of security becomes all about malware. This lessons-learned approach may work in many aspects of life but has strange paradoxical consequences in regard to security.
- Difficulty and false positives and ineffectiveness of what’s going on. We’re putting tons of money into security, but not smart security. So the CISO is getting a lot of budget but also a lot of false positives. We need to do a smarter job of protecting the right information.
- Organizations rarely seem to understand how to practically employ security management approaches to best reduce their cyber risk. Identifying assets (cyber key terrain) and developing the knowledge of the dependencies among them in an organization is a fundamental skill of security managers. It is required if you want to quantify and reduce cyber risk. Security management professionals need practical training in this area to apply their knowledge effectively.
- The interchangeability of compliance and security. Compliance should not be viewed as interchangeable with security best practices. Far too often, the boardroom and executive teams link these two disparate disciplines, which results in greater vulnerabilities, inefficiencies, and expenses. Security can no longer be a “checkbox” exercise. Instead, security leaders must define priorities (and shift existing priorities, if necessary) that promote securing the most vulnerable technologies in their portfolio. This may require educating senior leadership on the way in which compliance-focused security strategies leave different parts of an organization exposed and can impact business success in order to get buy-in. Ultimately, every dollar invested in security should be used to deliver protection, not checking the compliance box.
- We have a lot of really good tools to solve specific problems well, but for most organizations, we’re not doing a good job bringing all of the tools together. We need consistent security policies and a mechanism to bring all information together so that the decisions being made are being driven by the knowledge from the different tools. We need to be able to bring all of the tools together to leverage so the data can be used in a consistent manner. Better orchestration of the different tools so they are working together to accomplish the same goals.
- DevSecOps – siloed security team, based out of a different office than the engineering team. People haven’t met and don’t have shared goals. When you integrate it, then it’s not some guy somewhere, it’s a teammate who’s in the same standup every morning.
- Developers outnumber security professionals 100:1 and they’re empowered to ship software on their own at high velocity. It’s difficult for any security team to manage. Yet, many security teams seem to be overly focused on extremely sophisticated, nation-state level threats when in reality the vast majority of risk is found in much more common attack vectors and avoidable vulnerabilities. Focusing on certain “low hanging fruit” can deliver a lot more value to most organizations.
- 1) One pressing concern with the state of security management is the lack of a comprehensive and robust asset management program. Asset management is one of the most critical pieces of any organization’s security strategy, and without it, you are simply making guesses or flying blind when it comes to getting an accurate read on your security posture. If you don’t know what assets are lurking in every corner of your environment, from your endpoint devices to your employees’ mobile phones, to some rogue development server tossed up by a team with good intentions—how can you know their current vulnerability exposure or actual risk to your infrastructure? The reality is that you can’t. You’re just making assumptions. Of particular note for organizations is having a great BYOD plan, by either requiring employees to install tools like MDM on their devices that connect to your network resources or creating a tightly segmented piece of your network that doesn’t allow access to key areas inside your environment. 2) Another common mistake is allowing “exceptions” to become the rule…and not the exception! How many times have IT or security people received a call from someone in a high position demanding access to something risky? How often do business units inside the organization “go rogue” and deploy a shiny new cloud-based tool or service without proper vetting or approval of the IT or security teams? There’s no argument that tools like cloud storage, cloud processing, and SaaS solutions can be incredibly valuable and offer tremendous benefits to teams—that’s not the point. But if you approve every single exception request, allow every single tool to be used, you create new holes and blind spots in your organization—especially around vulnerability management. Keeping all of these clients and endpoint software agents up to date is no small feat even when you know they’re there…trying to keep on top of patching for things you don’t know are there? I wish you all the luck in the world. 3) Lastly, another concern revolves around getting executive buy-in. Thankfully times have changed for a lot of companies as CEOs all over the world are paying attention to cybersecurity—some out of fear of becoming the next major news headline or being beckoned before Congress to explain their failures, and others out of a deeper understanding of the importance of cybersecurity. But, while executive-level buy-in is often present now, what is sometimes missing in the equation is the support from operational divisions below the C-suite to implement the changes required to actually deliver on security. The message from the top floor to “get it done” doesn’t always make it down to the trenches or is often ignored by teams. There are still many business units inside organizations that “don’t have time” to make the priority changes or cultural shifts required—code needs to ship, widgets need to be manufactured, the business can’t stop. At the same time, the C-suite develops a false sense of confidence thinking that they’ve provided the budget and given the green light for changes to be made, unaware that, in reality, very little has changed, until the phone rings at 2:00 am with the bad news.
- At a time when agencies and news publications are capitalizing on fear-mongering based on the latest event-driven headlines, there is danger in basing security purchases and strategies purely on the latest security fad. New tools and technologies constantly enter the security market. While these tools are interesting, security leaders have to provide the most security value they can – increasingly in terms of quantifiable risk reduction — across their entire organization. What I suggest, instead of chasing headlines, is to adopt technologies that have gained recognition from security thought leaders and influencers for their ability to reduce risk and increase a company’s security posture. One place to look for direction is the Center for Internet Security (CIS), which provides a list of top security controls. This includes what they call “controlled use of administrative privileges” and we call privilege access security.
Please see part two for more thoughts on security concerns.
Here’s who shared their insights:
- Josh Mayfield, Director of Security Strategy, Absolute
- Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
- Steven Aiello, security and compliance solutions principal, AHEAD
- Gadi Naor, CTO and Co-founder, Alcide
- Omer Benedict, Senior Director of Product Management, Aqua Security
- Tom Maher, CTO, Asavie
- Gaurav Banga, CEO and Founder, Balbix
- Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
- Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
- Anurag Kahol, CTO, Bitglass
- Syed Abdur, Director of Product Management and Design, Brinqa
- Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
- Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera
- Brian Kelly, Head of Conjur Engineering, CyberArk
- Doug Dooley, COO, Data Theorem
- Jason Mical, Cyber Security Evangelist, Devo Technology
- OJ Ngo, CTO, DH2i
- Tom DeSot, EVP CIO, Digital Defense, Inc.
- Chris DeRamus, Co-founder and CTO, DivvyCloud
- Alan Weintraub, Office of the CTO, DocAuthority
- Tom Conklin, CISO, Druva
- Anders Wallgren, CTO, Electric Cloud
- Satish Abburi, founder, Elysium Analytics
- Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
- Ambuj Kumar, Co-founder and CEO, Fortanix
- Josh Stella, co-founder and CTO, Fugue
- Kathy Wang, Senior Director of Security, GitLab
- Amith Nair, VP Product Marketing, HashiCorp
- Mike Puglia, Chief Customer Marketing Officer, Kaseya
- Nathan Turajski, Director of Product Marketing, Micro Focus
- Gary Duan, Chief Technology Officer, NeuVector
- Gary Watson, CTO and Founder, Nexsan
- Stephen Blum, CTO and Co-founder, PubNub
- Chuck Yoo, President, Resecurity
- Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
- Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
- Igor Baikalov, Chief Scientist, Securonix
- Oege de Moor, CEO and Co-founder, Semmle
- Dana Tamir, VP Market Strategy, Silverfort
- Logan Kipp, Technical Architect, SiteLock
- Albert Zenkoff, Security Architect, Software AG
- Tim Brown, V.P. Security Architecture, SolarWinds
- Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
- Tim Buntel, VP of Application Security Products, Threat Stack
- Andrew Useckas, Founder and CTO, ThreatX, Inc.
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
- Robert Hawk, Operations Security Lead, xMatters