Rapid7 CEO: Rethink IT and security organizational structures
- 13 September, 2017 20:20
Companies are under constant pressure to innovate in today’s fast-paced business environment. That might mean creating a better product, improving efficiency, or creating a better customer experience. Unfortunately, the security function tends to be separate from the innovation process or, worse, after the innovation has created a new vulnerability.
That problem will persist unless companies rethink their organizational structures around IT and security. That’s the message that Rapid7 CEO Corey Thomas is delivering in his keynote today at the company’s United2017 event in Boston. He believes that IT and security teams can work together effectively to innovate, create a better user experience, and adopt new technology without increasing the vulnerability surface.
Thomas sees security and IT functioning separately in most organizations. “Siloes are killing the organization,” says Thomas in an exclusive interview with CSO. “Breaking down the siloes and engineering automation solutions to solve some of the persistent vulnerabilities is a solvable problem.”
Why is security often an afterthought?
Organizational siloes that keep security at arm’s length don’t work. How many times have we seen these stories play out?
- Company X releases a new, innovative product that meets with some initial success. Later, hackers find a vulnerability that could have been easily addressed during the development process. Company X scrambles to fix the problem and salvage its credibility.
- Company Y rolls out a web application that collects customer data. Weak authentication allows data thieves access to customer information. That’s when the security team learns about the app’s existence.
- Company Z migrates key data to the cloud. IT manages the migration but does not adequately involve security. Key questions go unasked, and as a result, improper configuration leaves the data exposed.
“The prevailing assumption is that you innovate first and add security later,” says Thomas. “People believe that security slows down innovation. They also don’t necessarily know the right security vectors, and there is a small kernel of truth to that.”
Thomas adds that it is assumed that any new technology you create will have some unforeseen vulnerability. He believes the way to address that is build update mechanisms into the technology. “By doing that you improve the long-term security of the technology as well as the user experience.”
“We live in a technology system that is highly fragmented. Security is best addressed if you have a holistic, integrated view of both the environment and the assets,” says Thomas. “Organizational structure that’s dominated by a siloed view of the world and siloed operations creates not only a negative IT user experience, but also a poor security experience. Functional siloes are the primary reason that organizations get complaints from so many of their users about the experience they’ve created, and why you have so much finger pointing.”
How should IT and security work together?
IT and security clearly need to work well together, but that will be difficult if they don’t understand each other. “It is impossible to have both IT and security function well without each having the context of the other,” says Thomas. Just passing security vulnerabilities “over the wall” to the IT team in an inefficient process that no longer works, he adds. Thomas cites organizations having success embedding security in core operations. “You see some success in the devops world where some innovators look at how they build security into the development process.”
“Security cannot be successful separate of IT. The ability to have an integrated view and apply security and IT operations closer together is key to having success,” Thomas says.
Thomas believes that communication and collaboration between IT and security are important, but cautions against seeing that alone as a solution. “In some ways, [focusing on communication and collaboration] is a distraction, because it gives in to this notion that you can treat security as an appendage,” he says. “I can have IT processes that are inefficient and don’t work. I can have escalating vulnerabilities in my environment because my attack surface continues to expand as I deploy technologies faster than I manage them. And it’s fine because I just need to communicate technologies that are deploying into the security team.”
“If you have not designed a process that allows you to update and maintain secure technology as it’s deployed, even if you communicate, you’re still going to be behind. Communication and collaboration are absolutely important, but they are not the root cause of the problem.”
What can an integrated IT/security organization do to foster innovation?
In his United2017 keynote address, Thomas lists four skills that an integrated IT and security organization needs to excel at:
- Mastery of data is required to understand the environment, the service experience, the risk profile, and identify attacker behavior.
- Mastery of user and customer experience is about understand not just the needs of the organization but the type of experiences that make those needs not just achievable but highly likely.
- Mastery of integration is the realization that we don’t create experiences from scratch, but rather extent, leverage, and from other products and services
- Mastery of automation is about developing the capacity to manage and maintain systems that expand and morph at fast rates.
“This is a very different set of skills than what our organizations thrive at today,” Thomas said in his keynote address, “but many of our society's biggest challenges have demanded that we think differently and try new approaches.”
He notes that the same data used to troubleshoot an environment from a security perspective—collect log data, do forensics across the environment, identify what applications and users are affected—is the same data used to troubleshoot performance issues or which of your assets need to be updated. “An integrated view of the environment will ensure that you have the right data to serve all those domains well,” Thomas says.
Thomas encourages security professionals to find opportunities to participate in the innovation process. “Innovation tends to happen in clusters. The extent to which you have people on that journey together really matters,” he says. “Security has done a good job of that historically.”
Two other opportunities for security professionals might be more of a challenge. The first is generating and contributing to data mastery and organization. “Lots of security practitioners tend to create their own data siloes, which contributes to lack of mastery of information and data that’s so critical with the types of challenges that we face,” says Thomas. “Security practitioners can very much contribute and engage here."
Second, shift focus to addressing root causes of security problems. “Poor management practice and technology management practices are the root cause of so many security vulnerabilities that organizations have,” says Thomas. “That can be addressed through better engineering and automation processes around updating, configuring, and controlling the environment.”
Thomas doesn’t see any company operating with fully, holistically integrated IT and security yet, although a number are on that path as they question some of the foundational assumptions they have about how they operate and organize their technology groups.
“It’s repeated events that change behavior,” says Thomas. “Most people throw technology at [security problems] for a while, and then something really bad still happens. That’s when they do a reassessment. That’s how some of the early movers in this space start to experiment with different ways in how they run and operate their technology operations.”