Making security stick often seems to be about two things: baking it into products and processes, and making it everyone’s responsibility. Security awareness among end users is growing. This is partly because the way we educate end users about security has evolved.
Leading organisations now educate users on how to remain personally secure, knowing this investment in safety at home will have a positive flow-on effect for behaviours in the workplace as well. While education is a successful, long-term risk reduction mechanism, organisations can increase their chance of success by making security at work as usable and frictionless as possible.
This comes down to how well we bake protections and controls into the products and services that people need to do their jobs. Several methodologies are currently in use to address this problem. Baking security into software development is currently the domain of SecDevOps and its variations.
In Australia, Telstra and Macquarie Group are known proponents. By 2021, Gartner predicts SecDevOps will be embedded in 80 percent of rapid development teams. SecDevOps grew out of the common complaint that product security often runs behind the pace of product development, with code ready to hit the market before security professionals can sign off that it’s watertight.
Thanks to the faster release cadence that DevOps and Agile enable, it’s a problem that product teams now run up against more frequently. SecDevOps is designed to ensure that security is inescapably baked into the product development process. It ‘moves security left’, bringing it into the software development process at an earlier point, rather than addressing it only later in the process.
If security is a priority when software is being built, not just when it’s being released, companies are likely to end up with completed products that don’t need IT teams to retrofit security before they can hit the market. SecDevOps has another benefit. Just as traditional DevOps forces developers to be more responsible for supporting their code once it is released (rather than leave it to operations), SecDevOps encourages security staff to be actively involved in solving security issues thrown up in the development process, rather than simply identifying them and leaving them for developers to fix.
It also encourages security thinking upfront, contributing to efforts to make good security hygiene the responsibility of every member of staff. A second strategy used to bake in security is ‘Secure by Default’ or similar. Britain’s National Cyber Security Centre characterises this as products and services that have “the best security it can without you even knowing it's there, or having to turn it on.”
“Secure by Default covers the long-term technical effort to ensure that the right security primitives are built in to software and hardware,” the centre says.
“It also covers the equally demanding task of ensuring that those primitives are available and usable in such a way that the market can readily adopt them.”
This kind of strategy is mostly targeted at hardening end user devices - like smartphones or smart home technologies - and at ensuring the default security settings in applications are not too relaxed. But the principles apply in an enterprise context as well.
Ten years after public cloud first appeared, configuration (or misconfiguration) of built-in security protections and controls remains an issue. One only has to look at how frequently misconfigured cloud storage buckets led to data leaks in 2017 to see there is still room to make enterprise security settings more usable (and the experience more frictionless) by default.
Clouds themselves are often secure, but whether people use them securely is another question, Gartner said recently. “Most cloud security incidents involve avoidable customer misuse of the cloud service,” Gartner said.
However, at the same time, “most cloud use scenarios remain a tacit agreement between the provider and customer to avoid awkward questions about user activity and responsibility”, Gartner said.
Cloud services often prioritise ease of use at the expense of “discipline or governance” that would otherwise slow projects.
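The “avoidable customer misuse” Gartner describes is, for storage buckets, usually a handful of settings: a bucket policy that grants to everyone, an ACL grant to the public groups, or an account-level public access block left switched off. As an added example (not from the article, and not any cloud provider’s own tooling), the check below walks constructed bucket descriptions whose fields follow the shape of an S3-style bucket policy, ACL grant list and public-access-block configuration, reports every setting that would leave objects readable by anyone, and shows the weak configuration beside its hardened counterpart. The bucket names, account id and grantee ids are placeholders; the script runs offline and calls no cloud API.

```python
"""Flag storage buckets whose settings leave objects readable by anyone.

Added example over constructed bucket descriptions shaped like an S3-style
bucket policy, ACL grant list and public-access-block configuration.
Nothing here talks to a cloud API; all inputs are built inline.
"""
from __future__ import annotations

# Canned-group URIs that mean "everyone" (or "any signed-in account") in an ACL grant.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# All four public-access-block flags must be on for the guard rail to hold.
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for the two spellings of a world grant: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_findings(policy: dict | None) -> tuple[bool, list[str]]:
    """Return (is_public, findings) for Allow statements whose principal is everyone.

    A wildcard principal narrowed by a Condition (e.g. to one VPC endpoint) is
    reported for review but does not by itself make the bucket public.
    """
    public, findings = False, []
    for index, stmt in enumerate(_as_list((policy or {}).get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            findings.append(f"policy statement {index}: '*' principal for {actions}, limited by Condition (review)")
        else:
            public = True
            findings.append(f"policy statement {index}: '*' principal may {actions} with no Condition")
    return public, findings


def acl_findings(grants: list[dict]) -> tuple[bool, list[str]]:
    """Return (is_public, findings) for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return bool(findings), findings


def public_access_block_findings(block: dict | None) -> list[str]:
    """Return one finding per public-access-block flag that is missing or disabled."""
    block = block or {}
    return [f"public access block: {flag} is not enabled"
            for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not block.get(flag, False)]


def assess_bucket(bucket: dict) -> dict:
    """Combine the three checks; 'public' is True only when an unconditional grant exists."""
    policy_public, policy_notes = policy_findings(bucket.get("Policy"))
    acl_public, acl_notes = acl_findings(bucket.get("Grants", []))
    guard_notes = public_access_block_findings(bucket.get("PublicAccessBlock"))
    return {
        "name": bucket["Name"],
        "public": policy_public or acl_public,
        "findings": policy_notes + acl_notes + guard_notes,
    }


# Constructed sample: the relaxed defaults that led to many 2017-style leaks.
WEAK_BUCKET = {
    "Name": "constructed-weak-bucket",
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::constructed-weak-bucket/*"}]},
    "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "PublicAccessBlock": {flag: False for flag in PUBLIC_ACCESS_BLOCK_FLAGS},
}

# Constructed sample: the same bucket with a named principal and the guard rail on.
HARDENED_BUCKET = {
    "Name": "constructed-hardened-bucket",
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-hardened-bucket/*"}]},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
                "Permission": "FULL_CONTROL"}],
    "PublicAccessBlock": {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS},
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        report = assess_bucket(bucket)
        print(f"{report['name']}: public={report['public']}")
        for line in report["findings"]:
            print("  -", line)
```

The three checks are deliberately kept separate: a wildcard principal in a policy, a public ACL grant and a disabled public access block are fixed in different places, and an inventory that reports each one lets the owning team see which of its defaults is doing the damage rather than a single pass/fail verdict.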
There is certainly a case for security settings - and thinking - to evolve in this space in order to get the balance right. Whatever strategy is chosen to advance security and embed it into organisational culture and output, having a dedicated person internally can help keep everyone and everything on track.
Installing a security champion is one way to drive the agenda forward. Security champions are members of other teams who are sufficiently up to speed with security issues, but not necessarily from a pure security background. Their job is to recognise the points at which it’s a good idea to call in the security experts to help out with thorny problems.