Compliance POD
Erin Geiger, Director of Content at Lumos

The Rise of Compliance Engineering


The Maturity of Compliance Programs

Security evolves daily. At any given time there are new exploits and advanced vulnerabilities plaguing organizations globally. To combat this, 45% of companies planned to spend more on IT risk management and compliance in 2022 than in 2021. Investments must be made, yes, but that’s not enough in today’s technology landscape. Albert Einstein could not have been more right when he coined the definition of insanity as doing the same thing over and over and expecting different results. To that end, companies must put a stop to the historical thinking that solely leveraging technology solutions will solve their compliance and security issues.

We’ll say it loudly for the people in the back - there is no technology solution that is the golden ticket for security and compliance; rather, the way we approach security must change. The obstacles in security stem from the approach, not from finding the right tools. This is indeed an evolution in terms of organizational needs.

Let’s say it together - security is a process, not a feature.

Continuous assessment and continuous refinement, run in parallel, are critical when reviewing any organization’s security posture. Over 70% of organizations have committed to managing their IT risks in a formal, disciplined approach. That’s the good news.

The not-so-good news?

The Appocalypse Effect

This shift has been accelerated with the rise of the cloud. Organizations are grappling with multitudes of apps across teams and entire organizations…the Appocalypse. (Read more about this in our write-up on what was behind our latest product launch, “Lumos 2.0 - Revenge of the Appocalypse”.) As the dependency on SaaS continues, each organization’s environment becomes increasingly unique. Specialized tools and proprietary internal applications abound, muddying the waters even further.

We find ourselves morphing from the idea of compliance to the delivery of defense. With this, compliance has become more rigorous, with an increase in compliance certification requirements. SOX, SOC, HIPAA, GDPR, NIST, FedRAMP - the list is ever-growing and the specifications are ever-changing. The move from in-person work to hybrid, and from on-prem to cloud-based apps, has transformed these dynamics forever.

These one-of-a-kind differences change both the point of entry and the process that hackers use to infiltrate each organization. In addition, this impacts the way those in security are able to detect malicious behavior in their environment. While security vendors swear up and down that their solution is the umbrella that will cover all vulnerabilities, it’s just not possible. With these unique environments, organizations will need to construct detection logic for each specific environment.

However, creating additional detection points is not the answer.

Adopting an Engineering Approach to Security Operations

Adopting an engineering approach to security operations pushes organizations to make process changes that increase productivity (such as automating manual steps of incident response). In parallel, consistently creating scalable options for securing the boundaries of an organization, while investing additional time in restructuring defenses, is key.

While security teams have operated, and will continue to operate, as independent units within each company, the incessant advent of application-specific vulnerabilities will be managed by software engineers. After all, they have the most knowledge of both the product being built and the code in context. Security teams? Think of them as something similar to platform engineers - pseudo-consultants to Product.

The Security industry is maturing at such a fast-paced clip that analysts and the like will need to polish their technical chops. In order to understand the factors motivating threat actors as well as the underlying tactics involved in attacks, an engineering mindset and up-skilling are a must. Putting a spotlight on bettering processes, and avoiding seeing compliance as boxes to be checked off, is the core essence of approaching security with an engineering outlook. This approach instills confidence in Security teams to implement scalable technical solutions over increasing headcount, achieving the ever-popular mandate of today’s economy: ‘do more with less’.

The Rise to a New Challenge: Looking Beyond Technology

Until now, technology platforms have been looked upon to almost magically remove the burden of improving an organization’s security posture. As long as an organization has the ‘right tools’ deployed and a team member or two to monitor them, all should be well…or so was the long-standing thought. Combine this faulty mindset with an overworked and stressed-out Security team that has zero time to improve Security practices, and you’re left with a process with as many holes as Swiss cheese.

Are these technology solutions completely to blame? Nope. Chances are, they’re supplying a strong foundation, but they’re limited and can only do so much.

A deep analysis of how both the mindset and structure of Engineering translate to Security Operations has not been widely executed nor accepted. However, we are seeing a growing maturity among Security professionals. We can all agree that IT itself, and the expectations of those in all roles on the team, are becoming increasingly complex. Improving efficiency and simplicity, such as by automating SOC processes, is a given. How about requiring SOC analysts to learn how to code? It could be just beyond the horizon for the majority of companies.

We must look beyond vendor tools. Get to the root of the problem by creating clarity around risks and malicious behaviors that are possible in your environment. Pinpoint how to detect them and how to respond. Look to tools as support…not the end solution.

The Only Constant is Change

An organization’s security posture is ever-changing. Monitoring, learning, and iterating must be consistent facets of the routine. Immediately after a new detection is made and a response is deployed, the environment has changed. More than likely, an army of virtual machines has been activated in the cloud, with new SaaS apps installed across the endpoints. Security assessment must continue to evolve along with the company. Remember, we’ve established that rather than a feature, security is a process. It must continue to be refined.

Automation. Why continue responding the same way to the same threat, day in and day out? Automated security tests can provide visibility into how your system will perform (but also leverage a QA person to catch the edge cases that automation can’t cover). Instead of manually deploying security solutions, scale at machine speed via API-first tooling. Here’s a novel idea - leverage open source…coexisting with commercial tools. Yep, build on top of commercial tools with substance, such as a SOC 2 certification.

Audit-Centric Model to Continuous Assurance Model

In sum, today’s quickly changing technology landscape (hello, Appocalypse) has accelerated the need for a rise in Compliance Engineering. Organizations must have full visibility into their environment and tailor security coverage to their needs.

• Working transparently, the output of tools should be easily tested and verified.
• Leveraging a combo of commercial and open source solutions that work together helps solve security use cases.
• Security must focus on processes, not products (go beyond the tools).
• Adopt an engineering approach to security operations.
  • Automate manual parts of incident response.
• Consistently build scalable ways to secure the org while also proactively building defenses.

We love talking about this stuff - we’re here to help you figure out the best way forward in getting processes set up and your organization protected. Let’s chat.