LAS VEGAS -- There is a cultural change in the air that requires IT security professionals to embrace the will to collaborate and the desire for accountability in security. This change will transform the profession – and security’s position and profile in business organizations of all kinds. Practitioners today either need to embrace the change or watch their careers disappear.
That was the message coming out of Black Hat 2019 in Las Vegas as security professionals convened for a multi-day event with sessions on fresh research and insights for the community. Organizers predicted the event, in its 23rd year, would exceed 19,000 attendees from around the world this year.
Keynote speaker Dino Dai Zovi, mobile security lead at Square, kicked off the first day of briefings and keynotes by reviewing his 20 years of attending Black Hat. In his talk, titled "Every Security Team is a Software Team Now," he noted how security has changed over that time. He moved through a review of different hairstyles, jobs he’s held and security trends over time until stopping at his most recent employment experience at Square, where he noticed the culture was markedly different from that of other places he had worked previously. It was strange at the time, in 2016, for other divisions to even attempt to interact with security, he said. Other things he noticed struck him as different, too.
“Security engineers had to write code like anyone else,” he said. “There was a lot more collaboration and empathy for how people are operating.”
Now, Dai Zovi argues that in an environment where software and cloud services are at the core of much of what IT accomplishes in business, security has a new and critical opportunity to work with others and to make an impact throughout every organization. He offered three principles for directing those efforts. They are:
- Work backward from the job to be done;
- Seek and apply leverage, develop feedback loops and scale with software automation;
- Understand that culture trumps strategy, and strategy is still more important than tactics.
In explaining these three philosophies, Dai Zovi made the case for automation as the way forward for security teams seeking to accomplish more with limited resources.
“We must work smarter, not just harder, through better software and better automation,” he said, noting that automated feedback loops are crucial for security to understand what is effective.
“The tighter feedback loop wins,” he said.
But a culture shift is the top priority for security, said Dai Zovi. Security teams need to collaborate with other divisions and work to be a team that all parts of the organization see as an integral business driver. This means offering solutions to enable mission-critical business goals.
“Instead of saying no, start with yes and here’s how we can help,” he said. “It’s all about cultivating empathy. It’s something you practice and grow. This is the way we meet the challenge of leveling up on security.”
The message of the keynote was largely reinforced in a later session during the day titled "Controlled Chaos: The Inevitable Marriage of DevOps & Security." Kelly Shortridge, vice president of product strategy at Capsule8, and Nicole Forsgren, research & strategy at Google Cloud, laid out the case for why most organizations are becoming software organizations in some form.
Among the presenters’ points: that DevOps and agile are not the same thing, despite what many have heard.
DevOps, Forsgren argued, is about changing the cultural mindset and delivering good outcomes. It is a mindset that unifies responsibility and accountability.
In terms of adoption of DevOps, Forsgren said there is little doubt why it is at the heart of what elite IT teams are doing now, and it is the future for others.
“There is no turning this ship around,” she said. “Too many people are seeing huge benefits from this. Infosec can join DevOps, or watch as DevOps carves its own secure path.”
Forsgren then went on to explain why she sees chaos engineering and resilience as infosec’s future. Chaos engineering is an approach to software development that espouses experimenting in production to find vulnerabilities, so that the system can weather unexpected failures later. She stressed that embracing these approaches will require a shift in mindset for many security professionals, but was unapologetic about the need for them to get on board. She was critical of what she called a common refrain among security professionals.
“‘DevOps doesn’t care about security’ is a lazy strawman,” she said. “Stop it.”
For her part of the presentation, like Dai Zovi, Shortridge stressed that security’s goal should be to support innovation in the face of change – not to create friction. She noted there can be no excuses going forward: security professionals must change their attitude.
“Infosec has arguably failed,” she said. “So ‘this is how we’ve always done it’ is invalid.”