- Security isn’t just a technical issue; it’s an organizational and human issue, says Atlassian Chief Trust Officer Adrian Ludwig.
- To create resilient systems, developers and security teams need to realize their shared objectives.
- Personalize training so execs and team members understand how security risks impact their sections of the business.
- All security teams should prioritize addressing technical debt and reducing complexity in 2022.
David Balaban, a cybersecurity researcher and journalist, contributed the following article to Forbes.
The human factor is often thought of as a weak link in every organization’s security posture, and that’s a far cry from a misconception. Phishing attacks capitalize on “cognitive payloads” that dupe not-so-vigilant personnel into slipping up. Developers’ blunders due to time pressure or fatigue leave loopholes in code that play into attackers’ hands down the road.
This isn’t a complete list, but guess what? The gap between weaknesses and strengths isn’t that hard to bridge. In the organizational context, all it takes is a people-centric style of doing security in which empathy and frictionless teamwork play a crucial role.
Although this approach is a paradigm shift for many orgs, it’s attracting more and more aficionados across the IT ecosystem. Adrian Ludwig, the Chief Trust Officer at Atlassian, has advocated it throughout his bright career in security. He believes it will be key to building resilience in 2022, whereas boiling protection down to technical controls alone is a fallacy.
“We’ll begin to realize that security is not just a technical problem; it’s an organizational and human problem. As an industry, we’ve learned that it’s not enough to mandate security protocols and increase training. Instead, security teams will need to exercise empathy in order to better understand developers’ top concerns and motivating factors,” says Adrian.
Security is a shared responsibility
The relationship between security and software engineering departments in many companies is fairly strained. That’s because their goals and incentives don’t overlap; moreover, the interests of one team may be at odds with those of another. Developers prioritize creating systems on schedule and frown when the need to comply with security protocols prevents them from reaching critical milestones. Security staff, in turn, concentrate on minimizing incidents and are often overwhelmed with work to address vulnerabilities that software makers left behind.
This natural confrontation is risky business as it compels any organization into prioritizing low-hanging fruit. To avoid going beyond the point of no return, you need to build a work environment with empathy and seamless interoperability at its core. Security must “shift left” far enough in the development pipeline to make sure that the resulting code is both reliable and tamper-proof.
Ascertaining that security and engineering crews aren’t on different sides of the fence is half the battle. Set shared goals for them, create relevant incentives, eliminate collaboration barriers, and bring security scanning closer to software engineers. In this regard, Atlassian’s Chief Trust Officer says, “Security organizations need to understand developer behaviors and motivators to achieve resilient systems.” I couldn’t agree more.
The scourge of technical debt
One of the major pitfalls of failing to remove friction between security staff and developers is that the snowball of technical debt will continue to grow and may ultimately “smash” your organization’s resilience. For the uninitiated, this term denotes maximizing the speed of code delivery while temporarily sacrificing quality, reliability, and security. Postponing the implied rework indefinitely is a slippery slope.
Companies that don’t pay down their tech debt will only accumulate more security debt.
– Adrian Ludwig
Adrian considers this inconsistency to be one of the company’s top security challenges: “Tackling technical debt will continue to be an important security focus for us in 2022. Software development complexity can increase exponentially and, as an industry, we aren’t keeping up. Companies that don’t pay down their tech debt will only accumulate more security debt.”
To steer clear of a scenario in which technical debt becomes blown out of proportion, organizations need to give their security and coding practices an overhaul towards higher standardization and automation. “Security teams should automate as many repetitive and manual tasks as possible. Threat tactics are always evolving, so each eliminated manual step frees up headspace for your staff to focus on complex challenges,” says Adrian.
Complexity is a catalyst for most security problems
It’s easy to stay on top of security workflows and build consensus around cyber-attack countermeasures in an organization that has a modern, uniform digital environment. In a heterogeneous infrastructure with multiple crudely supervised components, this is easier said than done because you can hardly stay current with what’s running on your endpoints and servers. Technical debt and a low level of interoperability between teams can throw an extra spanner in the works by making things more complex.
During a recent panel about the future of security and resilience, Adrian made a good point on this subject matter: “90% of security problems are just complexity problems. It’s technical complexity, it’s network complexity, it’s organizational complexity. It’s a stasis that’s created as a result of that complexity and no one knowing what they can change without making the whole thing fall apart.”
Reducing complexity is also a strategic move that helps organizations leverage machine learning and AI to pinpoint anomalies that can be signs of malicious activity. These technologies work best in consistent environments backed by centralized digital asset management and well-tuned event logging practices.
Training is important, but with a caveat
Security training programs that are implemented for the sake of a checklist have a minuscule chance to make a difference and reach the minds of your employees. Personalized training is much more likely to hone security knowledge and skills aligned with a worker’s role in an organization and the relevant threat model.
For instance, rank and file personnel are less exposed to business email compromise (BEC) attacks than senior executives are, let alone whaling hoaxes. When an executive or team member is able to see how security risks could impact their specific areas of the business, it provides a powerful incentive to take security training seriously.
Frame things positively for high resilience
Employee motivation is an important building block of a secure enterprise territory. “I think the reality is that the reason that most security organizations are not successful is they’re not able to understand how to motivate the people that they need to drive change with,” Adrian said when participating in the above-mentioned panel.
He stresses that a prerequisite for proper motivation is to formulate requirements in a way that’s both attractive and advantageous to your teams. “How do we frame things positively? Rather than talking about you missing a deadline, how do we emphasize where you’re hitting a deadline? Because people respond more positively to positive feedback.”
This, again, comes down to empathy and close partnership. Be sure to make them the pillars of your organization’s security philosophy in 2022 if you haven’t already.
Get stories like this in your inbox