Every time a major security breach strikes, people are outraged by what they feel is the negligence and carelessness of the company responsible. “How could they possibly allow such incompetence? The CISO and CEO must be fired!”, the outrage goes. In many ways, they’re not wrong: The cybersecurity situation in many companies is outrageous. But it’s also important to understand the full scope of the challenge many organizations face to keep their operations and websites secure.
Many people use analogies to cars and houses when discussing security, but in reality, the security of a modern organization is akin to securing an entire city. You’ll need the equivalent of a police force, a private-security team, a SWAT team, managers, architects, locks, gates, cameras, sensors, rules and regulations, inspectors, assessments — and much more. This cyber-city, though, is built out of hundreds of millions of lines of code across thousands of applications, with tens of thousands of software components, all connected through a complex morass of networks and gateways. And this software city is expanding rapidly. In 2017 alone, the world will create 111 billion new lines of code.
It’s easy to look at the cybersecurity skills shortage (the shortage of skilled workers who can solve these problems for companies) as the primary cause. However, while we do need a lot more people involved, simply throwing resources at the problem is never going to be enough. This challenge is all about working at scale, and people don’t scale very well. You can’t secure a city simply by hiring thousands of police officers. Similarly, we’re going to need a variety of people, processes and technology, all working together, to address our security challenges.
We need to focus on simplifying the problem and approaches that will scale. Here’s a start:
- Simplify defenses: Complexity is the enemy of security. So, to the maximum extent possible, centralize your security defenses with simple, proven, effective controls. When every project uses a different approach, it’s impossible to scale assessment and protection.
- Deliver micro-training: Kill “security exceptionalism” by getting feedback directly to engineering and operations teams through the tools they are already using. Developers don’t generally learn from instructor-led training or eLearning that needs translation before it becomes actionable. Feedback delivered on their actual work, at the moment they are doing it, is far more effective.
- Demolish security bottlenecks: Many security tasks are performed by a small team. With increasingly rapid software development and deployment, these teams easily become bottlenecks, and the intense pressure on them to deliver faster lowers the quality of their work. Distribute security work to developers, testers and operations personnel to the maximum extent possible.
- Explode, offload, reload: We have to simplify architectures to make security easier. Don’t create a culture that haphazardly builds software and pastes on security later. Ed Amoroso, founder and CEO of TAG Cyber, has sagely proposed that we should take advantage of the move to the cloud to demolish our old perimeters, move workloads to standard platforms in the cloud and protect each workload with new modern defenses.
- Remove experts: The vast majority of security work is basic blocking and tackling. Security experts should seek out force multipliers through both staffing and automation. Look for any opportunity to remove security experts (whose valuable time can be freed up for other essential projects) from the critical path of delivering systems and leverage their skills through security as code.
- Create multiple roles: Many folks think security is a hyper-technical, expert-only field. However, the fact is that security requires great management, oversight and support. You’ll need a team that can span both development and operations across a variety of environments. Be sure you build a cybersecurity team with the full range of skills to be successful.
- Adopt DevSecOps: Almost every company is at some stage of its DevOps journey. DevSecOps (the idea of embedding security controls and processes into the regular DevOps workflow) isn’t just about jamming legacy security activities into DevOps. Instead, think of DevOps as an opportunity to redefine the work of security and deliver it through your normal development teams.
As you can see, realistic approaches to the cybersecurity skills shortage aren’t about training a gigantic cyber army. That’s very unlikely to succeed. Instead, we need to focus on working smarter, simplifying security challenges and leveraging experts better. We have to solve this problem quickly because, in the post-Equifax era, companies are literally betting their business on their ability to build a great security team.
By Jeff Williams, CTO and Co-Founder of Contrast Security, working to ensure every app and API is instrumented with vulnerability assessment and attack protection. This post originally appeared on Forbes.