The art of IT systems security
Those at the top need to build a culture of security that everyone in the organisation will understand instinctively. By Miju Han
If you are a director of security for your organisation's IT systems, it's your responsibility to create an environment that encourages security, making the day-to-day measures much easier for everyone.
But how do you create programmes designed to deliver security at the speed associated with software development and operations (DevOps)? How do you stay ahead of coding errors that can cause large amounts of damage? Do you share what you've learned with others or keep it secret?
The art of continuous security
"Continuous security" may seem like a strange phrase. Nothing is 100% secure. No one silver bullet exists that keeps all systems everywhere impenetrable. But that's not the main goal with continuous security.
Continuous security is a defined process that allows you to know what is happening in your environment and react quickly to it. It uses smart automation to make security the default. You make security an intrinsic part of your applications without stopping development teams from delivering quickly.
Security in a software DevOps environment is often more an art than a science. There are concrete aspects, such as metrics to measure test coverage or policies to prevent rogue servers or buckets. But how much test coverage is enough? 70%? 80%? And who should have authority to create servers? All administrators or just a select few?
These are decisions that have to be made. You can get advice from hundreds of articles on the internet, but the final decision is yours.
The best guideline to use is your customers. What will it take to make sure your software is trustworthy? Your goal should be to build software your customers will trust. Often, "vanity metrics" or minimum thresholds only deliver minimum security. Being trustworthy takes much more than just meeting the minimum.
Build a culture of security
Culture is like the personality of a company. It's the operating environment of a company. Think of it as the values, mission and attitude of a company and its employees.
Security has often been a background process, like scanning for vulnerabilities or performing a vulnerability assessment before deploying to production.
That's not enough for continuous security.
Your developers should understand basic application security principles. They should be trained to understand exactly what processes exist and why. Allow them to spend time with the security team, learning what to look for and what applications look like through the security team's eyes. Allow the security team to spend time with the developers. Learn what security processes get in the way and eliminate them.
Give developers the freedom to experiment. Trust that they want to do the right thing, then verify. When mistakes happen, help solve the problem without placing blame or punishing whoever made the mistake. Instead, fix your systems so the same mistake can't be made again.
Make security worth something
Give a cash reward to the developer who reports a strange virtual machine running in the cloud or fixes a nasty vulnerability without the security team having to ask first. Reward the marketing employee when she reports a phishing email, even when no tests are ongoing.
Build security in as much as possible. Common security features, such as authentication and authorisation, should be built into reusable development frameworks. Build servers with automated scripts based on a known secure template. Make security easy. Someone should have to work hard to build an insecure system.
Introduce the entire company to what your security team does and why it's important. Fun events such as a security expo give you the chance to demonstrate what attackers can do if they succeed in breaching the company.
Show a day in the life of a security engineer or incident response engineer. Tell the security team's story and entertain your visitors. If it's memorable, you'll have less friction when you need to introduce new policies or standards.
Above all, make your customer the focus. Build your culture around delivering the best service to your customers: not just keeping the lights on, but becoming trustworthy stewards of their data.
Building a culture takes time, but it's well worth the effort. Security has become everyone's job. Make security easy. Make it fun. Make it worth something.
Miju Han is director of product management at HackerOne, a "bug bounty" platform that connects businesses with penetration testers and cybersecurity researchers.