The App Economy is steamrolling along and has the very legitimate potential to rewrite so much of how businesses use technology. Uber obliterated Yellow Taxis, Pandora and Spotify have all but made FM radio irrelevant, and streaming video has forced TV and movie theaters to sit in the back seat.
But here's the frightening part: Security has also been demoted. Consider a recent study where, according to Dark Reading: "Researchers surveyed 1,770 senior business and IT executives, including more than 100 CSOs and CISOs, to investigate how their security operations affect business performance. Results indicate businesses view IT security as a business enabler but struggle to deliver stronger protection under the pressure of the app economy. Sixty-eight percent of respondents admit they compromise on security to get apps to market faster."
We are seeing a similar lack of security focus with the Internet of Things, although the reasons are a bit more complicated for IoT. Part of this problem comes from the remarkable speed of growth for the App Economy. Even Amazon recently got caught cutting back on its app testing.
The truth, though, is that security and apps don't have to be rivals for corporate resources and attention. IT must get comfortable with dealing with both, which will require compromises. To be clear: One compromise that is unacceptable is diluting security protections. But can security operations be more accommodating of apps without undermining their role as chief protector of a company's assets? Absolutely.
Much of the conflict between the two is the natural result of a lack of communication and cooperation. When the app team takes its development all the way through and then gets the change requests and/or signoff from every constituent (marketing, various germane line-of-business managers, even non-IT C-levels) before contacting Security or IT, the train wreck is inevitable.
Security asks for privacy/data-protection changes and the appdev team resists because the project is 99 percent complete. This casts security as an outsider blocking progress.
What if it happens quite differently? What if Security is involved at the very earliest stages, before any coding happens? That way, its suggestions could be made at that earliest stage, and no one would have to redo work that has been approved by a dozen people.
This is all about making Security a key part of the process. That simple organizational/structural change could allow security to be dealt with, but with dramatically less disruption to anyone. App Security doesn't have to equal friction—unless the app team chooses to make it happen that way.