Is Security emptying your pockets?

4 min read

The word ‘Security’ has magical qualities when included in an IT-related proposition or as part of a business requirement. So much so, security has its own budget, something that reliability and performance experts can only dream of. Yes, of course, the increase in the threat landscape and associated risks are great yet the jeopardy is only heightened by the use of fear as a marketing tactic in the marketplace.

This fear-based approach isn’t limited to the world of technology, it has been widely adopted globally by many industries. I even see it in the sale of newborn baby products within my circle of friends and family, where there is a wave of mini me’s. Security here translates to safety; nobody skimps on safety when it comes to their children. The psychological extortion is clearly noticeable in the advertising and sales methods employed by the shop assistants.

When it comes to cyber security and software security, I, too, find myself thinking about all the things that could go wrong.

But don’t let fear, uncertainty, and doubt rule you. If you understand it, you can deal with it.

Don’t get me wrong; in this complex and interconnected world, security is important. But, I am sorry to say for all our security colleagues out there, it is not the only thing that moves the world. Security is one characteristic of your software that you need to account for. Companies should balance their expenditures and not empty their pockets on security. And nor do they need to. You do, however, need to be smart about it.

I do admit. That this is easier said than done.

Let go of your fear and focus on what you can do. Security to some degree equates to auditing your books; there is always something to be found or improved. As a consultant, let me tell you, when you are asked to look for things, you will always find something. One of the challenges with security is some elements can fall out of your control, and you can’t address them until they pop up. This is when how fast and agile you can deal with them then, is paramount!

As your security approach matures, the more challenging it becomes.

It entails managing your security vulnerabilities structurally and continuously. But this does not mean you need to do everything all the time. From our research, data-backed findings, and our depth of experience, we see that the following pragmatic approach works:

Step 1 – Get to a single pane of glass early > aggregate results from different areas as early as possible and make sure they are classified within one scheme;
Step 2 – Designate an evaluation model > not all findings require the same swiftness and attention. Make this explicit. Base it on severity factors such as CVSS and CWE and specify resolution times that you expect;
Step 3 – Reserve structural time for resolution – You know these issues will come up. Like Log4J. So reserve time in advance instead of having to break into your roadmap;
Step 4 – Arrange a Risk acceptance process – Not everything needs to be fixed. So don’t. Make sure your teams can move between mitigating, accepting, and avoiding vulnerabilities and that an escape from a rigid ‘have to solve’ process is available.

So, looking back at your organization. Do you have these elements in place? Or are you letting fear rule? Is security emptying your pockets at the cost of all the other things you want to do?

My colleagues Haiyun Xu and Thomas Kraus will speak more in depth about this subject at the upcoming DevOps India Summit 2022 on the 26th of August. If the above resonates and you think your team has a way to go on this subject, I highly recommend listening to their words of wisdom!