A recent survey of business and technology leaders in the United Kingdom, entitled "Business and Economic Consequences of Inadequate Cybersecurity," highlights the pervasive thought that cybersecurity, regardless of its ability to manage risk, is a detriment to innovation.
While controls will almost always stifle innovation in some way, CISOs must investigate ways to minimize this impact and turn around the idea that security is always bad for innovation. While there are a number of methods for automation and streamlining the security process, a paradigm shift toward a DevOps solution may be the best option available.
The new report from the Centre for Economics and Business Research (Cebr), in conjunction with Veracode, asked cybersecurity-related questions of over 200 UK business leaders. While the entire survey is worth reviewing for any CISO, one result in particular deserves special attention.
According to the report, around 50 percent of C-level executives and 70 percent of CTOs believe their current cybersecurity policies block innovation in some manner. When broken down further, the research shows 29 percent of CEOs and 25 percent of CIOs believe this block is of a small extent, while 20 percent and 25 percent, respectively, believe it is of a moderate extent. For CTOs, half believe innovation is blocked to a small extent, while 20 percent believe it is blocked to a moderate extent.
Given the modern realities of cybersecurity, this presents an interesting conundrum. Security is important not just to the health of a company's internal systems, but also to the overall revenue of a business as a whole, as the direct costs and brand impact of a significant breach are more than most businesses can handle. However, C-level executives are reticent to do anything to stifle innovation, given the importance of moving forward in today's marketplace.
For CISOs, the goal is to make the security solution as light as possible, while ensuring it still performs the task it's supposed to. This may seem obvious, but given the numbers presented in the Cebr survey, many CISOs have a long way to go to make this a reality.
One of the best first steps toward a streamlined security solution is an investment in security automation. This not only ensures policies are enforced uniformly across the enterprise, but it will provide stability for those employees who have to work inside the barriers presented by the security solution. Automation will also make it easier for software development teams to ensure new or upgraded applications have the necessary security controls built in.
Security solutions also have to be viewed against the processes of a given business as a whole, to see how they will best fit within existing processes. This can be done as part of a complete review and update of business processes, or as a more isolated review by the security team and a handful of process experts. Conducting this review will enable security teams to find ways to integrate security in the least disruptive manner possible.
Even after these steps, the structure of many software development teams may make it difficult to find ways to inject security into the development process. Traditionally, security checks and control are performed during the QA process at the end of the development lifecycle, but anyone who has spent time in development knows how often this phase can be truncated — or even cut out entirely.
A shift toward DevOps offers a long-term solution to this issue, in which changes to software are made by small teams in very short increments. Instead of one large release every few years, multiple small releases are completed every few weeks, or even days. Then, when utilizing DevOps, the operations team works side by side with development, ensuring the system remains stable and efficient during this continuous delivery.
On top of all of DevOps's other benefits, CISOs can work more effectively with development teams to help them shift how they approach security. By using automated tools and efficient workflows, developers can inject security controls and tests into the earliest parts of the software development lifecycle. As developers begin to take ownership of security, it will begin to be seen as just another aspect of a complete development, rather than a third-party check that acts as little more than a release blocker.
Because of the significant mind-set changes that must take place, the transition to DevOps presents the perfect opportunity to change how development handles security measures. These kinds of changes will help businesses manage risk; when implemented correctly, they'll do so without creating an undue burden on the rest of the business and being seen as a detriment to innovation.
Want to learn more? Check out Cebr and Veracode's entire survey.
Photo Source: Flickr