All security practitioners know the Security Absolutist. It’s the practitioner who has a plan before the context, is unapologetic in their approach to security, and is unwaveringly confident in their solution. Seemingly always frustrated with the current state of security in business and consistently angry that “people can’t just…”, the Security Absolutist is a pained and frustrated individual, but we can help.
Security Absolutism is a dangerous game, constantly creating conflict and boundaries with have-to’s and no’s. Seeing a true absolutist in the wild is probably a rarer occurrence now than in days past, but whether we’ve seen it come from within ourselves or witnessed it on the grand stage, it’s still out there.
Introduction: Beyond Tech—The Need for a Well-Rounded Approach
It’s no wonder we gravitate towards easy results, easy metrics, and a no-nonsense approach. Application security has been marketed as an exercise of buying tools, following over-hyped buzzwords like DevSecOps, ZeroTrust, Secure Automation, and Shift Left while showcasing immediate and measurable value in a space where the best program has no results. This isn’t to say that these buzzwords started out that way. In fact, I’m a huge fan of all of these concepts. If you’ve fallen into the trap of hopping on the latest tool because the marketing finally got you, or your friend said it was the best thing since Metasploit, it might be time to adjust your perspective. The complex digital landscape of today demands a multifaceted approach to security that transcends mere technical fixes and an eye towards pretty dashboards (although they certainly help with those tough conversations). In this blog post, we'll delve into how incorporating human-centric strategies, adaptive thinking, interdisciplinary collaboration, and balanced compromises can help tackle modern security challenges effectively.
The Human Equation: Elevating Security Through Empathy
When it comes to security, we often get stuck in the quicksand of technical details. Consider the human factor. Understanding the people and processes that constitute the environment you're securing is vital. This isn’t just pontificating about people, process, and technology though. It’s about taking the time to sit down with all of your constituents across departments, listening to what they need, listening to what their frustrations are with the current state of security (even if you built it), and truly incorporating these elements into your security strategy and decisions. Doing so allows you to design security measures that aren’t just bolted on but are integrated into the organizational workflow and serve as an enhancement to the business. By putting people first, we make security an inherent, valued aspect of the system, rather than a burdensome blob of incoherent tooling.
Reframing the Problem: A New Lens on Risk and Compliance
If you’ve ever deployed a tool that never gained full traction, or that serves just a small number of applications or systems while you’re still checking the relevant box on your framework of the year (I’ve been there), then it’s time to look inward. We all know it’s crucial to understand the 'why' behind each security measure, but we often fall into the trap of pressure and deadlines and simply try to move the needle. Starting with a tool-first mindset, or using “what you used at your last job,” can drastically exacerbate this problem. Thinking beyond the bounds of standard protocols and regulations opens doors to creative and effective solutions. Employing data-driven risk assessments allows us to zero in on real-world scenarios rather than improbable what-ifs, ensuring resources are allocated where they make the most impact. The key is to solve the problems of the people around you while securing them by default with the right combination of tools and processes (or lack thereof) for them. In this way you arrive at compliance through great security practices, rather than focusing on compliance as an achievement.
Tear Down the Walls: Importance of Cross-Functional Collaboration
Security as a team and practice shouldn’t be a fortress, closed off from the rest of the organizational landscape with administrative credentials and unfettered access to the world. It's not just the job of the security team but should be a collective effort involving multiple departments. Sometimes this goes to the other extreme of focusing on “Security is Everyone’s Responsibility” and landing in a place where no one is truly focusing on defending the organization. At the end of the day, the majority of us do what we are incentivized to do, and while we can share the responsibility of an organization, it is up to a team dedicated to the defense of that organization to foster the coordination and collaboration of an effective program. A collaborative approach means we can leverage the expertise and insights of diverse teams to develop solutions that align with broader organizational goals. Security, in this context, becomes an organizational responsibility rather than an isolated function, enhancing overall effectiveness and buy-in. We are in a consistent state of being under-budgeted, under-staffed, and overworked, but the solution isn’t necessarily in head count. It’s in effectively leveraging and working with the people around you to fill the gaps.
The Fine Line: Balancing Compromise and Security Excellence
The term 'compromise' can be a touchy subject in security circles. However, it’s not necessarily a bad word when viewed through the lens of holistic security. We need to make well-considered trade-offs that align with our overarching security objectives, applying layered defenses and best practices. I want to be clear: the trade-off isn’t in your security objectives; it’s simply in how you achieve them. This helps create an ecosystem where operational necessities and security imperatives can harmoniously coexist, avoiding unnecessary risks while still achieving organizational goals and in some cases surpassing them.
Conclusion: The Future is Holistic
The age-old belief that security is purely a technical discipline is obsolete. In today’s complex landscape, it’s essential to have a 360-degree view of security that takes into account the human element, adaptive thinking, and cross-departmental collaboration. By embracing these elements, we're not just defending against vulnerabilities; we're transforming our organizations into resilient, adaptable entities ready to face the challenges of tomorrow.
Ken Toler is a dedicated security expert with over a decade of experience in application, cloud, and blockchain security. Working with a wide variety of organizations, Ken has sharpened his skills in hacking web applications, crafting software security programs, and developing resources to empower software engineers.
Ken is passionate about fostering collaboration and founded the "Relating to DevSecOps" podcast to bring teams together. His aim is to bridge gaps between engineering and other business units to create a more cohesive and collaborative work environment.