Security shows how innovative you are

Recently, a study conducted by Vanson Bourne, commissioned by Bromium Research, of 500 CISOs came out that had some sobering statistics. In this study, 81 percent of them said that their users see security as a hurdle to innovation. 

This is something that I disagree with, and sends the wrong message about security.  If we continue to have messages like this communicated, we will continue to be fighting battles we don’t need to improve our organizations. We need to take a different approach to show that security can be innovative and can be used as an indicator of such.

As part of my job, I often interview startup and early-stage companies as part of the intake process at my employer, Indiana University Health.  Academic medical centers such as ours are well-known for providing innovative treatments for a number of issues. The medical leadership of these organizations are focused on researching and acquiring the latest technologies to support these. Our job is to make sure that these new technologies do not present additional risks to the patient or organization.

Instead of taking a heavy-handed approach, we work with these companies to help them understand how to integrate security into their processes. We set expectations early on, and we will collaborate with our other internal stakeholders to put these companies on a path to improvement. It doesn’t help our patients or care providers if we are heavy-handed, as we could be denying them the opportunity for a better quality of life.  We want our vendors to be cognizant of requirements, but at the same time, we expect innovation as part of our mission.

Coming back to our original statement of security hindering innovation, there are three ways to think of how we got there. The first way, which has been the standard mentality over the past few decades in IT, is that if it isn’t broke, don’t fix it. The second is to look at this through how IT has transformed over the past decade through the implementation of agile, devops, cloud computing, and continual integration and automation. The third has been through the alarming amount of data breaches and computer-based attacks that have increased in frequency every year, and have only gotten worse.

What I believe has happened over the past few years is that we’ve focused our attention on attempting to stop the data breaches at any cost, and have not devoted as many resources to engineering long-term solutions to resolving these issues. IT has adopted a “fire drill” mentality for dealing with security issues, where important projects and initiatives get put to the side to deal with the latest vulnerability or large data breach.

We can do better if we work together and innovate to develop solutions to integrate security into the business. 

The first step is to realize that computer systems, whether or not you own them or utilize them as a service, need to be continually maintained and updated. We need to make sure that our customers understand that even though a system may be located on Amazon Web Services that does not mean that they do all the work. It still needs continual care and maintenance like a car, refrigerator, or air conditioner. You need to replace the air filter or oil on a car every X thousands of miles. Updating a system with security patches is no different.  We need to do a better job of communicating that to our users. The startups we work with do understand this, and more often than not, have been very responsive.

Sizing up, or assessing security risk, is the next step. This has been a task that has been mainly outsourced to the Big 4 or specialist shops, and presented to leadership as a PowerPoint deck. While they do a good job, the users only see the end product.  It’s up to us to include them in the process and have this done internally so that we can better show what goes into a risk assessment and why. If we involve people in the process, and have them be active participants in seeing how we quantify risk and why, we can provide them a better understanding of the decision process. 

Many of the data breaches that have affected millions of people were because of legacy or unmaintained systems. They were not because of zero-day attacks.  WannaCry, Petya, and NotPetya spread because of unpatched systems. We need to address this as part of the next step, addressing risk.

What we need are vendors and innovators who see this new environment as a challenge, and who embrace building security into products as a logical next step.  devops, cloud, and agile bring automation and the ability to detect and resolve issues quickly into the picture. When we explain that this can get them to a point where this makes the dreaded risk assessment much easier and allows them to still innovate, this approach gets embraced. 

We want companies to deliver new and innovative products, and we want them to constantly improve them. As part of that, we want them to assess and address issues quickly. We are no longer in a spot where we can install a system and run it until it utterly fails. Security is something that we can no longer bolt on to a product or do at the end to make it successful. Security takes hard work and innovative thinking to continually address.

We want our vendors to continually address concerns, and build long-term partnerships and relationships on customer service, good change management, and meeting requirements on a continual basis. We understand how critical software is to our business, and want partners who can innovate and integrate at our speed.

Security is oftentimes the canary in the coal mine used to detect other issues, such as errant change or build management processes, testing failures, quality assurance, or customer service response, such as in the case of vulnerability management. 

We should be using security as a barometer to indicate how well a company innovates, responds to customer issues, and can meet our needs. A company that has accepted security as part of the development process often already has developed very mature processes for the above issues. 

Security doesn’t hinder innovation. How a company handles building security into its products is the best indicator of how well they can innovate. We need to be focusing on how our vendors develop the products we use, and partner with them to help each other out. What we can do in information security is make sure that we communicate that willingness across our communities, and act accordingly.