Corporate security experts need to emerge from behind their physical cubicles and their digital firewalls to ensure that new technologies don’t create new vulnerabilities that could threaten their jobs, according to two executive-focused panels Monday at the RSA cybersecurity conference in San Francisco.
Firms often fail to implement security measures amid their transition to the cloud, or when they implement the accelerated software production strategy known as DevOps, because security leaders fail to communicate with other departments, panelists said.
“Because [new tools] are enabling business in a more rapid fashion, CISOs need to figure out how to turn security from ‘the business of no’ into something that enables functions,” said Kurt Hagerman, an executive adviser at the consultancy firm Coalfire. “You have to tie the value of your security program to the business. And that’s a skill a lost of CISOs today lack.”
Too few companies have leaders who work together effectively, as evidenced by the number of data breaches originating at misconfigured cloud servers, according to Rich Campagna, chief marketing officer at cloud security vendor Bitglass.
A security researcher last month announced that a Dow Jones database containing information on high-risk individuals had been left exposed on an unsecure Elasticsearch server. Before that “there were dozens of stories about insecure infrastructure made by basic misconfigurations by well-intentioned developers who were trying to enable their business,” Campagna said.
Such data breaches could happen for any number of reasons, though stronger ties between security and development teams could usually help remedy the problem, experts said.
The same issue is becoming a problem for security teams watching as their developers shift to DevOps. Rather than producing software code over a span of weeks or months that is audited before it goes live, DevOps engineers may write code, check it and push it into production within hours.
The speed of production helps businesses make more rapid adjustments to their websites, applications and software, but also could introduce risks.
“Nobody wants to go out and make unsecure code,” said Anne Marie Zettlemoyer, vice president of security engineering at MasterCard, who added that developers are not educated on security during their training. “We know that’s not part of their curriculum, so we need to engage with them to enable that with as little friction as possible.”