×

Seemplicity secures a total of $32M to bring the future of work to security teams!

Seemplicity
Read More

CISOs are Now Expected to Become Yogis — Stretching Up, Down and Across

Back in the old days, CISOs played a somewhat secondary role in business growth and strategy. The CISO role was largely technical and reactive, with a focus on technical architecture and response to security threats and data breaches after they happened. At that point, CISOs were considered technical experts for a part of IT that was about security, and not business influencers.

Fast forward to January 2022, those days are long gone. Security as a business function is a business enabler today. CISOs are now taking on a serious strategic role — blending technical expertise with business acumen, plus the ability to communicate complex issues to non-technical board members. Although they are no longer required to possess in-depth expertise in one specific security issue, they are now expected to have a reasonable understanding of all possible security risks, develop strategic security protocols that could enhance the business process.

With that, CISOs have stepped out of the server room and are stepping into the boardroom, the risk steering committee, the security team meeting, the sprint planning meeting, the audit meeting, and the list goes on…

The CISO role has become undoubtedly one of the most multifaceted positions in a company. Just to add some imagery to that, CISOs are now expected to be super flexible yogis — stretching their attention up to the boardroom, down to their security and across to the multiple teams they interact with daily — development, IT, operation, legal HR, and more.

While this has, without a doubt, made the CISO role more central and rewarding, it has also made it much much more challenging. Let’s break down these challenges across the dimensions:

Stretching upwards

In a world where the day’s headlines are increasingly dominated by news of the most recent data breach (ahem Log4j -we had to mention it because what’s a cyber blog today without it?) it’s no surprise and it isn’t new that cybersecurity is front and center for the executive suite as well as the corporate board of directors.

CISOs are expected to keep these key stakeholders informed in a way that is delivered in the language of business and in line with strategic business objectives. The goal is to illuminate risk metrics, risk appetite and security investment ROIs, all without getting too technical, yet with quantifiable evidence.

To do that effectively, CISOs are often faced with the challenge of collecting fragmented pieces of information spread around different tools and spreadsheets and then putting together hand-calculated performance metrics. This means that before every board meeting hours are spent on manually putting together a holistic cybersecurity picture together.

Stretching downwards

Most businesses are currently going through some form of digital transformation, either to improve their offering or streamline their operations. While on one side of the sword this spurs growth and helps maintain a competitive advantage, on the other side of it, it introduces new risks and increases the company’s attack surface.

Security teams are now running multiple programs at once. This includes vulnerability management, misconfiguration fixes, application security, pen-testing, bug bounty, awareness and training, SaaS compliance, API security and the list goes on. With all of this happening across different tools and possibility different teams, it can be a real challenge for CISOs to oversee

With this all happening, CISOs are expected to oversee all the different programs at every point in time and are required to provide advise and insight when necessary. Sounds similar to other managerial roles, doesn’t it? Well unlike other managerial roles, CISOs don’t have their go-to workspace where they can see everything and manage by exception. While sales directors can understand the status of their teams by glimpsing at Salesforce, and R&D leads by glimpsing at JIRA, CISOs have to go from one security scanner to another and have constant status calls to understand how each program is doing.

Doing the splits across

Security holds a unique role in the organization, unlike any other functions. Security itself does not manage a single process or entity, but rather it is an enabler that sits on the critical path of many business processes and projects. The more obvious processes that security enables are those technological ones with the development, IT, operation and DevOps teams. But there are also those less obvious ones with HR, legal and even marketing.

This means that many of the people, procedures, and technical infrastructure required for security’s success is actually out of security’s direct control. As such, CISOs need to enable their security team to collaborate with other teams across the organization in a manner that does not disrupt or make security feel like a damper on operations or creativity.

To genuinely make security an integral part of existing processes, CISOs need to empower their teams to provide a self-service approach where the relevant peers can “consume” security in their own way. With security teams already being spread-thin and overworked, this isn’t a simple task as it requires in-depth business context, significant automations and a diverse set of tool integrations.

Time to Rethink Over Prioritization & Under Remediation

Enterprises face new security threats daily. Whilst keeping up with the influx of these threats has become a top priority for security teams, the average organization still finds itself with a backlog of more than 57,000 unfixed security issues within 6 months.

To deal with this huge influx of findings, security teams often heavily rely on prioritization. Sounds logical right? If we compare this to our daily lives, in times when we have an abundance of errands that need to get done, we write a to-do list and prioritize what needs to be done first.

The difference with security findings is that the people who are responsible for writing the to-do list are not the same people who are responsible for executing the errands, and the ratio between the “planners” and “doers” is far from equal. To put this into security context, the security team plans the remediation to-do list and prioritizes the most important items to drive forwards, while the development teams actually remediate the prioritized items. What adds complexity is the fact that the ratio of security personnel to developers is normally 1:100, and development teams are often distributed both geographically and organizationally.

As a result of this entire situation, the biggest irony of it all happens — the security team becomes the bottleneck to driving remediation forwards. The scope of remediation can only be as wide as the security team’s ability to prioritize findings, while development teams are only aware of items that have been filtered from the to-do list. Even if development teams have the capacity to fix more than has been allocated to them by the security team, they have no visibility into the entire “to-do” list. To sum a long story short, the over reliance on prioritization essentially results in under-remediation.

But it doesn’t have to be that way. What if each development team was given the entire to-do-list that’s relevant to them, without security acting as the middleman?

You are probably saying to yourself, well without any filtering by the security team, a lot of junk would end up being passed on. You are right, but prioritization doesn’t solve that either. What’s needed is for the data to be “cleaned up” and then to be properly distributed to the right team at the right time.

With a self-service approach, the scope of remediation can be as wide as the development teams’ ability to handle fixes and security teams no longer have to act as project managers. Prioritization then becomes the exception, only in cases where a single development team has more fixes than it can handle. With prioritization as an exception rather than the rule, security teams can be left to focus on real strategic security rather than on project managing tasks.

With a self-service approach the security to-do list is no longer solely owned by the security team, but the ownership is now shared across security and development teams. To put it into “mathematical” terms….

With a prioritization approach:

Time-to-remediation = Time taken to process by the security team + Time taken to remediate by the development team

With a self-service approach:

Time-to-remediation = Time taken to remediate by the development team

To learn more about a self-service approach to remediation, drop us an email at info@seemplicity.io

Do too Many Cooks Spoil the Broth? The Cybersecurity Recipe

Let’s start by putting a fact on the table. The cybersecurity software industry is a crowded space.

If you’ve ever walked the exhibition floor of a conference like RSA or if you’ve witnessed the almost-daily announcements of new cyber startups on LinkedIn you probably know what we’re talking about. Estimates vary, but it’s safe to assume that there’s over 5,000 vendors in the security marketplace today.

While for an outsider (cyber outsider) it may seem like an overkill, there is a good reason. With no silver bullet to guarantee effective security posture against the increasingly dynamic and complex threat landscape, security teams have a lot of ground to cover. The landscape includes cloud-native environments, Infrastructure-as-Code (IaC), containers, secrets management, remote work —  and that’s just to name a few. See the CyberScape map below:

A survey of 400 global security leaders carried out by Check Point at the end of 2019 found that:

  • 49% of all organizations use between 6 and 40 point security products
  • 27% of larger organization use between 11 and 40 different vendors’ products
  • 98% of organizations manage their security products with multiple consoles, creating visibility silos.
  • Small organizations are using on average between 15 and 20 security tools, mid-sized businesses are using 50 to 60, and large organizations or enterprises are using over 130 tools on average.

The More you See, The Less you Do?

The problem is that as organizations race to adopt more security tools, they don’t necessarily benefit from an improved security posture. In fact, the opposite is true. Research by IBM has shown that the amount of security tools that an organization was using had a negative impact across multiple categories of the threat lifecycle amongst those surveyed.

Organizations using 50+ security tools are 8% lower in their ability to detect threats compared to those using fewer toolsets.

There’s no single thing to blame for this reality. One issue is the enormous overload of alerts produced by such tools, all in different formats, received through multiple channels and dashboards, with duplications and no clear action. Weeding through these alerts takes significant time, as security teams switch between different technology consoles trying to put the pieces together. Spending so much time on data gathering, enrichment and prioritization take time away from the actual remediation. In fact, it’s reported that

44% of all alerts don’t get investigated at all and 49% of legitimate alerts go unremedied. 

Another factor is the well known cyber security talent shortfall. Organizations simply don’t have the number of qualified and competent cybersecurity professionals necessary to operate the manual overhead of each tool.

Finally there is also the issue that these security tools can’t keep up with the agility of development teams. Given that development teams are often the ones who actually remediate those weaknesses identified by the security tools, it’s crucial that security findings can be ingested by them in a way that works for them.

What can be done?

Given all of the above, the question pops. Should organizations cut down on their security tooling? The short answer is  —  Absolutely not. Well, if there are tools that produce exact duplications then yes (and that itself requires time to understand). But otherwise, organizations require multiple security tools to cover that increasing attack surface.

The key to successful gain value from security tools is to focus on the interaction between security tools, people and processes. This can be achieved via consolidation, process automation and orchestration

  • Consolidation: A truly consolidated solution leverages a single–pass architecture, in which, security engines process traffic in parallel with a unified single context. This facilitates one fully informed decision instead of a series of half-blind ones, and greatly enhances security coverage. Consolidation doesn’t necessarily mean the end of best-of-breed solutions. Consolidation can come in the form of a “management layer” above the siloed solutions beneath. One which empowers the current shortage of skilled information security professionals and the much-needed focus on retention, to simplify, centralize, and ease the burden on security teams.
  • Process Automation: While automation usually makes the completion of individual tasks easier and faster, process automation often removes bottlenecks, making the operational steps needed to complete a project more accurate and efficient. Process automation deals with formulating multi‑step processes that occur between any combination of people and systems, streamlining interactions and handovers. Process automation isn’t just keeping track of the business, it helps you run the business, day to day. When it comes to reducing cybersecurity risk, process automation can help optimize and scale these lifecycle processes that often involve continuous back-and-forth interactions between security, development, IT and DevOps teams. This not only saves security teams a whole lot of manual effort, but it also eliminates the friction between security and their counterpart and accelerates time-to-remediation.
  • Orchestration: While process automation will handle automation of individual business critical tasks, process orchestration is what glues these individual parts together into a cohesive workflow from beginning to end. Process orchestration will manage the automation lifecycle end to end, across various teams and systems, unifying multiple individual tasks into one smart unit. Security teams that effectively leverage security orchestration and automation are able to spend less time on manually connecting the dots between fragmented security findings, siloed teams and distributed tracking systems and can focus on the tough problems that really need the human touch for investigation, mitigation, and remediation.

What’s Next?

The ever-evolving cyber-threat landscape is creating a continuous need to adopt new security solutions in order to keep our networks and IT assets protected. Each organization has a tipping point at which the number of products they bring on board becomes too complex to handle and begins to hinder their security posture. As a growing number of IT leaders come to realize this, the demand for simple, coherent, orchestration solutions will continue to grow and become their de-facto go-to security strategy. No longer are security and consolidation on opposite sides of the trade-off scales. They are, in fact, growing increasingly synonymous.

3 Things to Consider When Choosing a Workflow Platform for Your Security Team

Whether streamlining sales processes or developing applications at a faster pace, digitized workflows benefit modern enterprises across many important business domains. However, cybersecurity is an exception that still depends on manually coordinating between data, people and tools and strenuously pushing forwards risk-reduction actions across the organization.

Modern security teams spend much of their time manually operating risk reduction workflows. This operation involves coordinating a growing list of disparate security tools to work together harmoniously and pushing remediation tasks across the organization. Setting rules and even coding scripts to integrate everything and connect the dots between disparate tools and teams takes a lot of effort and time. Compounding the problem is the friction that results from scattered workflows across different security initiatives, programs, and teams. The lack of cohesion and orchestration in the risk reduction workflow landscape within an organization makes it difficult for security professionals to get things done. Adding value to your company’s security posture becomes more difficult when friction dominates over cohesive, integrated workflows. Whether it’s securing the cloud, sanitizing data, remediating vulnerabilities, or managing digital certificate lifecycles, tracking all these security workflows with sufficient transparency is impractical in the current landscape. For your security team to excel, there’s a pressing need for smarter workflows with more automation, better integration, and clearer KPIs.  

Here are three things you should consider when looking for a workflow platform for your security team:

1. It’s Time for No-Code Automation

Automation without code provides a powerful way to digitize cybersecurity workflows. You need your security experts to spend their time strengthening and defending your security posture in real-time instead of handling time-intensive workflow management tasks. This can only happen when those tasks are handled automatically. Codeless automation uses out-the-box workflows for common risk reduction use cases. The plug and play nature of it facilitate seamless integration between different tools, teams and workflows. All of this should be accessible from a central user interface with the ability to granularly track KPIs for different workflows from one place. The codeless aspect is critical because if teams still need extensive coding to maintain or update workflows, they’re still going to end up bogged down by manual tasks. You don’t want a situation where switching to a different CSPM solution necessitates manually updating all your security workflows. Your teams need seamless functionality that gets security operation workflows running coherently with the same speed and efficiency as other departments. Security professionals should spend the bulk of their time on strategic planning and conducting deeper investigations for genuine threats. 

2. Generic Workflows won’t suffice 

Security expertise is critical for an automated security workflow tool to add value. Generic workflow tools won’t suffice because they aren’t built on a solid foundation with security knowledge at the core. In order to gain value for your risk reduction efforts from an automated workflow platform, the following capabilities are required:

  • Normalization of findings —A generic workflow with no security expertise would at most be able to ingest findings from different tools within their original format. This doesn’t help move efforts forwards. In order to be able to efficiently drive risk down, security teams must be able to look at one normalized coherent list of security findings – with standardized severity scores and in a single format. 
  • Organizational knowledge —Confusion over who needs to take ownership of a remediation task and what assets are impacted is a significant barrier to the swift remediation of security findings. Organizational knowledge built into workflows enables your business to easily and dynamically map tasks to owners and assets in an automated way for optimized decision-making.  
  • Actionable remediation items— With a deep understanding of security findings, multiple weaknesses can be turned into precise remediation actions. Through deduplication and grouping of multiple findings with the same action and/or the same owner the huge influx of findings can be reduced into actionable items. This level of know-how digits findings into bite-sized actions, increasing efficiency significantly. 

3. The Value of Customization

Every business has different needs, priorities, and idiosyncrasies that pre-built workflows can’t fully capture. A cornerstone element of digitizing cybersecurity workflows is customization. Fully customizable workflow profiles can make room for different rules depending on the user, process, or data source. Your security teams can use customization to focus on what matters most in securing infrastructure and information. 

It’s time to rethink your security workflows

An automated workflow solution modernizes security and brings it up to the standards of efficiency and agility expected by businesses. Customization provides the flexibility to build workflows in line with your unique security posture. Now is the time to digitize your security workflows.

Handling the Cybersecurity Skills Shortage

Industry reports and surveys continue to show that the cybersecurity skills shortage shows no sign of slowing down. In light of this skills shortage, every business needs to understand how to get the most from all current cybersecurity personnel . This article provides actionable insight about handling the cybersecurity skills shortage through automation.

Overstretched Security Teams

It’s worth taking a look at some statistics to reinforce just how wide the cybersecurity skills gap is:

Most organizations have some level of access to cybersecurity expertise, but the problem is that this expertise isn’t effectively used. Overstretched security teams spend far too much time on manual, time-intensive tasks. These tasks include but are not limited to:

  • Centralizing security findings from disparate systems and tools in order to group different threat signals
  • Comparing security findings to ensure consistency and deduplicating data to remove redundancies
  • Mapping security findings and remediation actions onto the relevant owners and assets
  • Creating and assigning security tickets to the right people at the right time
  • Tracking information across a diverse range of security tools and systems

The common thread running through this picture of how security teams work is an overreliance on manual tasks. In a workplace lacking cohesive and integrated workflows, security teams aren’t able to measure KPIs, such as the average time to remediation. Businesses need to ease the burden on security personnel if they want to keep their information, systems, and applications secure.

How Automation Can Help

The answer to handling the cybersecurity skills shortage is greater automation. You need to make it easier for security teams to do their jobs and protect your business in the current threat landscape. Automation reduces workload burdens and improves efficiency, both of which are vital for improving morale and strengthening your information security posture. A critical way automation can add value is through automated security workflows. While automated workflows aren’t new and have benefited many business processes, the security domain has yet to adopt them. Why? Because security workflows require serious security knowledge at the core of it.

Generic workflow tools won’t suffice. A risk-based approach is required, contextualization is essential and the expertise of turning findings to actions is critical. These workflows should also of course be codeless to facilitate agility and efficiency. An automation tool that uses code requires too much manual setup and maintenance time. Seamlessly creating security workflows can dramatically reduce the manual burden placed on modern security teams. With automated security workflows you can:

  • Standardize and speed up pre-attack workflows to better combat cybersecurity threats
  • Seamlessly turn security findings into actions for better transparency and reduced friction
  • Get a holistic, organized, and integrated view of risk reduction tasks and processes
  • Track progress by measuring important security metrics and KPIs
  • Easily integrate actions in workflows with third-party tools using plugins

A win-win situation

Once you have a set of actionable workflows in place, the landscape in which security teams operate changes for the better. Resource optimization reduces time spent on manual, repetitive work. Security teams increase the scope of things they can fix because they no longer spend time triaging alerts and prioritizing what to fix. Ultimately, automated security workflows create a positive cycle that benefits all parties: our business gets more value from your skilled security personnel by enabling them to best apply their expertise and focus on the tasks that really protect your valuable information assets. Security teams feel happier, more valued, and less stressed in their roles. They see an investment in codeless automation tools as a sign that your business recognizes and wants to do something about the strain put on them in a labor market that falls short on security skills.