Hackers love traditional security. So do your competitors. Want to ruin their day? Forget what you know about how faster development increases risk. If your approach to security is slowing you down, it’s only a question of which you’ll lose faster — your data or your customers.
To begin, let’s agree on one fundamental principle: In the era of DevOps, agile, and the cloud, survival depends on speed. If you’re not first to market with the innovations today’s customers demand, there’s no second prize. The need for business agility has driven a wholesale transformation of IT infrastructure across every industry — now it’s not just scrappy startups embracing the cloud, but large companies like HSBC and Liberty Mutual as well.
The need for speed has also transformed the way we build software. Quaint metaphors like waterfall development have given way to the fast-paced choreography of agile and DevOps, where code flows from imagination into production around the clock. You’d think this breakneck pace would come at the expense of security — but not necessarily. In reality, speed can be the best thing that ever happened to your risk profile. Here’s why.
Slow security is no security
Traditional security was effective enough in its day. Before releasing a new version or patch, you spent a few weeks or months scanning your code for vulnerabilities and tuning your firewall to detect attacks without a barrage of false positives. It was a big investment of time and money, but when you had a year or more between major application releases, you could afford both.
Digital transformation has enabled a culture of continuous delivery. The most agile companies now push code to production 50 to 100 times every day, and even relatively sedate digital businesses rarely go a week or a month without a release. Central to the philosophy of DevOps is the idea that fast is better than perfect. If winning the time-to-market race involves a few production glitches here and there, it’s not the end of the world — as long as you can fix them in real time. Unless security hits the brakes, that is.
Let’s say your website has a logo that isn’t rendering correctly or a form field that’s too short. It’s just a little tweak — surely security can allow a quick fix, right? No such luck. With the legacy tools and processes in place today, even an emergency patch for a newly discovered vulnerability can take weeks. And DevOps teams don’t like to wait. That’s why they started spinning up their own servers from AWS instead of enduring endless IT workflows. With IT out of the way, the biggest brake on agility is now security — and that makes it the next problem to be routed around. It’s hard enough maintaining security when people try to follow the rules; when they’re actively avoiding them, you have a problem.
A multi-week wait for an emergency fix does more than just annoy DevOps teams. A widely cited report found that more than 70 percent of attacks exploited known vulnerabilities for which patches had been available.
Better security looks a lot like DevOps
It’s ironic, right? Many people see DevOps as a threat to security, when in reality DevOps provides a pretty good model for the direction security needs to go. If your approach to security is built around 18-month release cycles and you find out about a new vulnerability or attack, your organization just isn’t engineered to respond quickly. To close those windows of risk before you get hit, you’ve got to extend the agility of your DevOps team to security. That takes collaboration, flexibility and scalability.
The first step is to break down silos between DevOps and security. Developers and operations staff need direct visibility into security tools so they can understand what needs to be fixed, and in what priority, as quickly as possible. That’s especially important given the dire talent shortage in security — you can’t let things pile up on the few security experts you’ve managed to hire. It also means ditching heavyweight security tools that call for a small army of full-time babysitters.
Just as the cloud makes it easy for developers to provision servers in an endless variety of configurations, you’ll want to allow plenty of choices for how and where security technologies are implemented. The typical enterprise environment now encompasses a mosaic of on-premises and cloud resources, a few more silos from acquired or merged companies, and endpoints accessing systems and data through every kind of network connection. Infrastructure-agnostic technologies are as important for security as they are for DevOps.
In this context, scalability means the capacity to handle large volumes at high speed. To get more out of the expertise in your organization, develop a community of practice around security — a group of people who share a passion for problem-solving and want to deepen their knowledge by participating actively in security efforts. And don’t limit your security talent to the experts on your own team — use bug bounties and disclosure programs to entice white hat hackers (and grey hats too) to find your problems for you.
Real-time security for all-the-time protection
The fundamental shift we’re talking about is making security a real-time, everyday part of an agile IT culture, not something that happens on its own timeline, disconnected from the urgencies of digital business and rising threats. Security fixes are pushed out continuously in the same flow as the rest of your code, reducing your attack surface and shrinking windows of vulnerability.
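The "window of vulnerability" this article keeps returning to (the gap between a patch becoming available and your deployed code actually picking it up, the same gap behind the "patches had been available" statistic above) is something you can measure in the pipeline rather than argue about. The script below is an added example, not code from the article or from any product it mentions: it takes a constructed deployment inventory and a constructed list of advisories, computes how many days each deployed component has run with a fix available, and flags anything past a patch SLA so a CI job can fail the build. It assumes simple numeric dotted versions and one "fixed below this version" rule per advisory; real data would come from your SBOM or package manifests and a vulnerability feed.

```python
"""Exposure-window report: how long has each deployed component been running
a version for which a fix was already available?

Added example with constructed data; not the article's code. Version scheme
(numeric dotted) and the advisory shape are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_below: str   # versions below this one are affected (assumption)
    fixed_on: date     # date the fixed release became available


@dataclass(frozen=True)
class Deployed:
    component: str
    version: str
    deployed_on: date  # date this version went to production


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for the constructed data here."""
    return tuple(int(part) for part in v.split("."))


def exposure_days(dep: Deployed, adv: Advisory, today: date):
    """Days this deployment has run unpatched since a fix existed.

    Returns None when the advisory is for another component or the deployed
    version already includes the fix. The window opens at whichever is later:
    the day the fix shipped, or the day this vulnerable version was deployed.
    """
    if dep.component != adv.component:
        return None
    if parse_version(dep.version) >= parse_version(adv.fixed_below):
        return None
    window_start = max(adv.fixed_on, dep.deployed_on)
    return (today - window_start).days


def exposure_report(inventory, advisories, today: date) -> dict:
    """Map each exposed component to its longest open exposure window."""
    report = {}
    for dep in inventory:
        worst = None
        for adv in advisories:
            days = exposure_days(dep, adv, today)
            if days is not None and (worst is None or days > worst):
                worst = days
        if worst is not None:
            report[dep.component] = worst
    return report


def patch_sla_breaches(report: dict, sla_days: int) -> list:
    """Components whose exposure exceeds the SLA; a CI gate fails if non-empty."""
    return sorted(comp for comp, days in report.items() if days > sla_days)


# Constructed sample data (not real components or advisories)
INVENTORY = [
    Deployed("webframework", "2.3.1", date(2019, 1, 10)),
    Deployed("tls-lib", "1.1.0", date(2019, 2, 1)),
    Deployed("json-parser", "4.0.2", date(2019, 2, 20)),
]
ADVISORIES = [
    Advisory("webframework", "2.4.0", date(2019, 1, 5)),
    Advisory("tls-lib", "1.1.0", date(2018, 11, 1)),    # deployed version already fixed
    Advisory("json-parser", "4.0.3", date(2019, 2, 25)),
]
TODAY = date(2019, 3, 1)

if __name__ == "__main__":
    report = exposure_report(INVENTORY, ADVISORIES, TODAY)
    for comp, days in sorted(report.items()):
        print(f"{comp}: {days} days exposed")
    breaches = patch_sla_breaches(report, sla_days=7)
    print("patch SLA breaches (>7 days):", breaches)
    raise SystemExit(1 if breaches else 0)   # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit turns the "slow security" problem into a visible, failing check that the developers who own the component see immediately, which is the kind of direct visibility the previous section asks for. With the constructed data, `webframework` has been exposed for 50 days and breaches a 7-day SLA, `json-parser` is 4 days into its window, and `tls-lib` is not reported because the deployed version already carries the fix.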
Just as importantly, security is no longer a brake on your business. While DevOps is modeling a better approach for security, security is ensuring that DevOps won’t increase risk for the organization. The two go hand in hand — and they help your business as a whole maintain the agility and ongoing innovation it takes to win in the digital economy.