The risk of cyber security going off the rails

It’s fair to say that most industries contend with risk. How well risks are understood is critical to containing and managing them effectively, within defined appetites and thresholds.

In Australia, financial services firms, for example, face financial, regulatory and consumer trust consequences if risks are underestimated or go unchecked. The resources and industrial sector must similarly monitor a range of supply chain and worker safety risks.

Security is a similarly risky sector, but there are signs that not all is well when it comes to keeping these risks under management.

Security teams are used to facing risks posed by users and attackers, but also increasingly by cloud- and web-based operations. Our research shows that operating securely in a web- or cloud-based environment means living with elevated risk tolerances and discomfort for security teams. Not every team has the security risks of web app proliferation under control.

There are other signs that security teams may be dealing with uncomfortable risk levels. Research by Gartner, for example, finds 65 per cent of teams are wanting to consolidate their security partners “to reduce complexity and improve risk posture”.

So, why is the issue of risk in security now coming to a head?

For the simple reason that resourcing continues to be squeezed. Everything has a breaking point. For security teams, if some looming risk-based challenges aren’t addressed, its breaking point may soon arrive.

VIEW ALL

The pressure points for security are — and continue to be — budgets and team sizes. A lot of companies expect budget increases over coming years, which suggests budgets either aren’t where they need to be today or are but require increases for sustainment alone. Additionally, skilled people are hard to come by and expensive to retain. There is only so much a security team can do.

Neither problem is going away any time soon.

All of which speaks to the broader challenge facing security: in a sector that constantly talks about risk, it is still immature in some aspects of its approach to handling and managing risk.

Lingering resource pressures require security leaders and teams to improve their risk-based decisioning skills, ensuring ongoing prioritisation of investments and time so that protection is provided where it is needed most.

Smarter decisions

In a sign of growing maturity of the security profession, we’re now starting to see an increasing number of security teams employing risk-based decision making.

As security leaders and teams, we regularly need to justify budget and why certain controls are required. This has led us to double down on the risk-based approach for security.

A risk-based approach helps solve two challenges security teams face: prioritisation and explanation. When looking through a risk-based lens, priorities quickly shake out and teams can decide what the most important work is.

Teams also need to be able to explain to our peer teams why a particular approach creates an increased probability of something bad happening.

Using risk for prioritisation has become crucial to being efficient and successful. When teams have 30-plus different security issues to solve, risk helps prioritise and understand which issue to solve first.

This is true for not only security teams, but also for the various other teams that we work with, such as engineering. We all need and can leverage security risk for justification for what needs to be worked on.

Better use of available resources

In order to support the velocity of work and maintain a decent risk profile, security teams’ bandwidth must scale appropriately.

Teams made up of subject matter experts are needed to maintain velocity but staffing up simply to turn the crank of manual toil will lead to an unsustainable team structure.

One scalability trick is to focus on developing repeatable guidance that other teams are able to easily follow. With guidance in hand, other teams in the organisation can build securely from the beginning, allowing them to maintain velocity while reducing the likelihood of security issues or breaches. Empowering teams this way allows them to maintain team velocity, while companies maintain their security posture and the velocity of the company accelerates.

We’ve discussed what attaining general scalability looks like when looking outward at the company, but how does it look when you look inward? This brings us to focus on looking at ourselves and figuring out how we make our security teams the most productive. It is possible for teams to move both faster and safer by understanding the interactions of velocity and risk.

Using our own organisation as an example, we empower our company and all of its internal functions by aiming for high velocity and low risk. With this goal, we enable teams by providing clear guardrails to work within, as well as with reusable concepts to make things easier, and make sure that teams understand their responsibilities of risk ownership.

Teams that evolve with a risk-based security approach and general scalability will be the leaders and face of security in 2023 and beyond. Paired with the existing solutions today, security teams will be armed with everything they need to provide safety and prevent attacks.

Guy Brown is the senior security strategist – ANZ at Fastly.