To flip the security model, start with "yes"
Returning home after a week-long trip to Las Vegas, I had the opportunity to reflect on some of the news that came out of the Black Hat and DEF CON security conferences. The annual Black Hat conference began with a keynote speech from Dino Dai Zovi, head of mobile security for Square. Opening with a simple title, “Start With Yes,” Dino was able to communicate both the root problem with security today and the not-so-simple solution.
“Start with yes” is such a novel and powerful idea. In any situation—attempting to get a phone number at a bar in my college days or convincing a prospect that my solution is the best fit—saying “no” effectively ends the conversation. “Would you like to learn more about why we’re the best in the industry?” No. “Can I buy you a drink?” No. “Is the XYZ SaaS service working well for you?” No.
While saying “no” ends the conversation, saying “yes” keeps it going, fostering collaboration and an environment in which people believe they are being heard. Having that open and honest communication is the best way to support change and advance the progressive initiatives in which we are all engaged.
After all, organizations must embrace digital transformation or risk being left behind.
What do Blockbuster, The Good Guys, and Sears Roebuck have in common? They were household names just 10 or 15 years ago, but they did not make the pivot to the digital world where Netflix, Amazon, and Target did.
Another change is that IT security has become a boardroom discussion for most organizations. The positions of the CIO and CISO are relatively new compared to the traditional CEO and COO roles. That’s because data is quickly becoming the new currency. A company’s most valuable assets are not the dollars in a bank account, they’re the data in a data center or cloud storage facility. If an attacker drains a bank account, there is insurance to protect the company. However, if the secret formula for Coca Cola, the eleven herbs and spices in Kentucky Fried Chicken, or the cutting-edge manufacturing process for Intel chips, customer lists, or source code were stolen, those companies might never recover.
New C-level positions and IT security organizations possess incredible strength and responsibility to secure an organization’s data and assets. But security must include meeting user needs and, in general, people want choice (or at least the illusion of it). IT is often branded as the organization of no. Can I use Dropbox? No. Can I use a Mac? No. Can I do work on my personal phone? No. Surveys show that employees are much happier when work policies are flexible. The good news is that security does not have to suffer as a result.
In his presentation at Black Hat, Dino outlined three transformational ideas to change the security culture in today’s organizations.
- Identify the job to be done and work backward
- Seek and apply leverage, with continuous feedback loops
- Culture trumps strategy and tactics every time
The first idea is to identify the job to be done and work backward from there. Dino cited a marketing study from the early 2000s commissioned by McDonald’s as it was attempting to boost milkshake sales. The company started by changing its recipe to no avail. An astute marketing researcher noticed that milkshake sales spiked before 8:30 a.m. and by drive-through customers who ordered nothing else. He began asking people why they were buying the milkshake (instead of asking what could be done to make them better). It turns out that young males would buy a milkshake before a long commute to work because it was easy to eat and would last the entire commute. McDonald’s was trying to solve one problem—improve the taste to expand sales—when customers were buying the milkshakes to keep them occupied on a long commute. When McDonald’s reframed the question, they made milkshakes thicker, added fruit chunks for a bit of surprise, and made them more accessible inside the restaurants, and sales skyrocketed as a result.
Reframing the security conversation also allows organizations to achieve their goals without sacrificing productivity. When security understands how other teams work and what they are setting out to achieve, more efficient and narrowly tailored methods can be used to secure the way the teams work.
Backhauling branch office traffic to a regional data center or requiring a full-tunnel VPN for inspection achieves security goals, but it adds friction and is an inefficient way to support user productivity. Allowing local internet breakouts and direct-to-cloud access without sacrificing security will satisfy both security teams and employees. As companies adopt more SaaS and IaaS, the backhaul problem will only get worse and local breakouts will become inevitable. So start with yes. Yes, you can work from home and go direct-to-cloud. Yes, you can have access to internal applications without needing to think about VPN. Yes, you can securely work from your personal phone or tablet.
The second transformative idea is to seek and apply leverage. It is no secret that good security people are hard to find, hire, and retain. At the same time, IT security teams are being asked to do more with less, which requires more efficiency through automation and outsourcing to maximize security impact with minimal effort. Salesforce built its entire value proposition on the “No Software” advertisements in the early 2000s. Now that software is in the cloud, teams within an organization can work on other tasks more important than updating, maintaining, and patching software.
With the explosion of SaaS and IaaS, it is a natural evolution to also have security delivered as a cloud service. With cloud-delivered security, it is always on the latest version of the software with the latest security updates—without administrator intervention. Security teams can leverage the cloud and free up resources to perform other mission-critical tasks rather than looking after physical appliances in the data center. The addition of machine learning and artificial intelligence scales security’s effectiveness when delivered as a cloud-hosted service. Automated feedback loops must be purposefully added to the security process to understand if the protections are working and to ensure the job identified in step 1 is completed.
Lastly, between culture, strategy, and tactics, culture trumps all. Culture encompasses the values a company promotes and how its employees interact and communicate. Without a cultural shift toward accepting security, technical controls will still fail despite the best-laid plans. Security teams are no longer outsiders; they now work embedded within business units, with the ability to improve things from the inside. Security is everyone’s concern, and building security responsibility into every team is what allows it to scale. Rather than the traditional model, in which IT security teams are viewed as outsiders who pounce on any opportunity to phish a fellow employee and shame them if they fail the test, security teams should view and treat themselves as extensions of the other internal teams.
Dino is advocating changing security through a cultural transformation while organizations themselves go through their digital transformation. More forward-thinking organizations will tend to embrace the cultural shift towards security, and I believe that they will be rewarded for being agile just like Netflix, Amazon, and Target. The time has come for IT security to shed the reputation of the department of no and embrace the future. As organizations digitally transform by increasing their consumption and migration of SaaS and IaaS, they have an opportunity to also transform security by moving it to the cloud. Change is coming and it must be allowed to happen to ensure an organization's survival. Security is no longer the sole responsibility of one team; it is the responsibility of all employees at an organization.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Christopher Louie, CISSP, is a sales engineer at Zscaler