Thursday, February 18, 2016

Dr StrangeLove (How I Learned to Stop Worrying and Love Managed Services)

Convergence of data, economies, supply chains & critical infrastructure and it all needs to be secure...welcome to the Internet.
As a practitioner in the software development and security industries for over 15 years, I've got to say it has never felt like a job. It's a blessing for people to like their jobs, particularly as my skillset is in demand.

Demand is based on need, and given the proliferation of internet technologies for literally anything (finance, military, energy, mobile, IoT), it does not seem to be getting any less busy.

As with anything, if there is a demand for something there comes a tipping point, be it energy, clean water, food security or even Internet security.

As a result there are knock-on effects, and many of them come down to the capacity to deliver.

Given that so many different industry verticals are converging on a single approach to delivery (the Internet), the responsibility of securing such a global machine is only getting more demanding.

Early Warning Signs
  • A shortfall of experienced cyber security experts is expected to reach 1,000,000 by 2019.
  • PWC recently did a survey in which only 26% of companies said they have adequate staff.
  • Consultant-driven security assessments (penetration tests) do not map to contemporary software or system development methodologies.
  • Consultant-driven testing is not scalable for any agile organisation and is prohibitively expensive if full coverage is required on a regular basis.
  • Risk and vulnerability intelligence is not consolidated by default.

As with climate change, the approach to solving the Internet Security challenges of the future won't be addressed until people are told "There are no more [resources]".

Concerns and how to improve security posture:

In 2015 a questionnaire via the World Economic Forum (WEF) "hyperconnected world" initiative posed the following question:

"What actions that your institution could take would have the most impact in reducing the risk associated with cyberattacks?"

  • 38% said "Develop deep integration of security into the technology environment to drive scalability" is a "game changer".
  • 57% said "Prioritize information assets and related risks in a way that helps engage business leaders" would have significant impact.
  • 55% said "Deploy active defences to be proactive in uncovering attacks early" would have significant impact.

From the responses above, amongst others, comes the idea that consultant-driven vulnerability management, penetration testing / security assessment and point-in-time approaches to securing a business don't work and are not scalable.

The above can be considered a business case for engaging with managed services in order to provide the scale, frequency, visibility and accuracy required in the ever-changing landscape that is the Internet.

The adoption of managed services shall continue to increase as organisations understand:

  • the need for an "adequate level" of security to mirror development / DevOps.
  • it is a necessary operating cost of any business.
  • approaching security in an ad-hoc manner shall not solve anything.
  • metrics are required in order to engage the business on the value of security.
  • security needs to be integrated at many levels in a business and its associated systems.