I’ve been involved with cybersecurity for a while. If you’d asked me ten years ago, “What would you rather be, agile or secure?” I would have thought it was April Fools’ Day. It would be like asking, “What would you rather be – a blond or a pole vaulter?” The relationship between business agility and security was not as well understood as it is now. Business was business. Security was security. They both moved at their own pace. Business wanted to make strategic changes over time but the concept of agility had not yet been elevated to its current all-or-nothing status. Security was serious but the threat environment was nothing like it’s become.
Today, the ability to be agile is one of a company’s highest priorities. CenturyLink is living this reality ourselves, having just announced the acquisition of Level 3 Communications. The deal signals a long series of strategic moves that reshapes our business. That’s the essence of agility – being able to change strategies or operations quickly in response to shifts in market conditions. For example, if you are a financial institution and you decide that selling insurance should be part of your business, the faster you can (competently) realize the ability to sell insurance, the sooner you’ll meet your strategic goals.
In this “get it done yesterday” mode, business managers sometimes get frustrated with the IT department’s tendency to slow things down. Security in particular can delay changes in the underlying systems that power business processes. But the people on those teams are just trying to perform their primary function: keep systems running well and defend IT assets against cyber threats.
There is room for improvement, of course. To understand how a company can be both agile and secure, let’s first acquaint ourselves with some of the reasons that security tends to slow down agile business moves.
- Security is too important to rush – Threats are growing more severe and frequent. Business leaders want agility, but they also want and need the company to be protected against cyber attack. They want systems to be available. They want to avoid data breaches. In this context, it’s not fair to push the security team to move faster than they think is prudent.
- Security is part of a bigger picture that includes people, processes and technology – When IT managers say that security impedes agility, what they really mean is that security is slowing down the overall IT change process. Security and compliance are integral parts of the processes of developing and deploying new systems that support business agility. For example, it may be necessary to delay the launch of a new application until access controls are defined and enforced. This may take time and involve multiple teams. If the processes are too rigid and the connections between people are too haphazard, the process will bog down.
- Security often involves system/application integration, which can slow down change cycles – Security systems may need to be integrated with applications and other IT assets (e.g., appliances) that change as businesses shift direction. For instance, if you have a privileged account management (PAM) solution that requires a dedicated software agent on each server it protects, then you may have to expend time and effort to update that agent every time you change the server.
- Security can (and mostly should) slow down new, rapid application development processes – Today, we have some awesome new methodologies and architectures for agility. These include continuous integration (CI), microservices, DevOps, containers and so forth. Coupled with compute and storage capacity-on-demand in the cloud, a business can move very quickly with new systems – as long as they are not overly concerned about security. From a security manager’s perspective, some of these methodologies are frightening. With CI, you might put new code into production every four hours. That’s amazing for agility but seriously insane if you’re trying to stay on top of your risk exposure.
- Outsiders are joining your party – We’re in the midst of a revolution in application programming interfaces (APIs) that enable almost any enterprise system to be exposed to an infinite number of standards-based third-party applications. That’s great if you want to be agile with new alliance partners, create mobile apps and digitally transform your operations. However, from a security perspective, unless you are vetting these third parties and being selective about access grants, you could be exposing yourself to massive risk.
Is it fair to make security the bad guy for insisting on some controls over these types of processes? I think not. Still, security has an obligation to figure out ways to help the organization be agile while remaining secure. Otherwise, many organizations run a far worse risk: security policy circumvention in the name of agility. In the rush to change, people may overlook or minimize security concerns. For example, if the privileged account management solution won’t adapt fast enough, a team may simply not install it on the new server. The new server gets rolled out faster, but it is left vulnerable to unauthorized access.
How can security make itself an ally of agility? There isn’t a simple answer, but focus definitely helps. Concentrating cyber defense on the highest-impact IT assets may allow less critical systems to change faster, for instance. Outsourcing selected services, such as cloud infrastructure management, can also free internal resources to concentrate on high-level security policy issues while the cloud service provider handles the day-to-day. For example, if a new geographic expansion plan raises a concern about secure backups, then a cloud backup provider with multiple data centers might be able to solve the security concern quickly.
Managed security services can also contribute to more agile capabilities. The managed security provider can streamline the security processes that accompany new applications and systemic deployments. By outsourcing and automating many security tasks, a managed security service provider allows the IT team to move faster without being preoccupied by security policies.
It is possible to be agile and secure. Getting there involves taking everyone’s needs seriously. Security counts. Business counts. Everyone needs to be heard and respected. In this mode of working together, you can collectively decide where the priorities need to be. With an understanding of where you will apply the most energy in both agility and security, you can make intelligent decisions about technology and the possible use of outsourced security services.