Security Remediation Game of Tag: You Are It!
Security is a cornerstone of the modern business landscape. Businesses are more conscious than ever of how their security strategy can affect their success. However, while security teams are gaining clout in organizations, the implementation and integration of strategic security processes have yet to keep pace with that growing importance. Consequently, although security teams have invested significantly in identifying risks, those risks are not necessarily mitigated in a timely way by the teams tasked with remediation.
This discrepancy often leads to tension between security teams and remediation teams – AppDev, CloudOps, ITOps, OTOps and lines of business. In this blog post, we explore these tensions and propose effective strategies to alleviate them.
The Root Causes of Tension Between Security and Remediation Teams
Just a few years ago, collaboration between security and engineering teams was fairly limited. Security teams would review the developed systems for vulnerabilities and suggest security improvements just a few times a year, when new product versions were introduced. This waterfall approach was fit for that era – when customers were expecting few, albeit feature-heavy, releases; security teams were primarily tasked with protecting the perimeter; and cyber security attacks were not such a common occurrence.
Digital Transformation Reshapes Roles and Relationships
Today, however, circumstances have changed, reshaping the roles and responsibilities of these departments. Digital transformation has driven software engineering teams towards faster release cycles. Microservices architectures and agile application development methodologies have resulted in faster time-to-market of leaner releases. As a result, application teams are now busier supporting the development and release of as many features as they can.
Along with those business benefits, the cloud has introduced new security challenges. Complex cloud environments and interconnected IT have made it harder for organizations to gain visibility into their entire IT ecosystem. This makes security teams more dependent on multiple, disparate engineering and operations teams than before to remediate risks. In addition, the decentralized nature of cloud-based IT also makes it harder to know about, manage and secure assets and data, making the role of security teams yet more difficult.
A Growing Number of Cyber Attacks
In parallel with the advancement of IT infrastructure, attackers have gone through a transformation of their own, and this time organizations are getting the short end of the stick. The threat landscape has evolved rapidly, with cybercriminals becoming more organized, sophisticated and resourceful. They employ advanced techniques such as ransomware, social engineering, zero-day exploits and supply chain attacks to compromise systems, steal sensitive data, disrupt operations or extort money. For example, according to the Verizon 2023 DBIR, ransomware's share of breaches has grown over the past six years and accounted for 24% of all breaches in the past two.
The increased availability of hacking tools, exploit kits and malware-as-a-service has contributed to this growth by lowering the barrier to entry, enabling even less technically skilled individuals to carry out attacks. Generative AI tools such as ChatGPT lower the bar further: they can help attackers understand vulnerabilities, refine their attack techniques and even draft exploit code.
In addition, organizations now store and manage vast amounts of valuable data, including customer information, intellectual property, financial records, and trade secrets. Cybercriminals aim to steal or exploit this data for financial gain, corporate espionage, or to disrupt business operations. The potential financial and reputational damage resulting from data breaches or unauthorized access to sensitive information is immense, leading to significant financial losses, legal liabilities, regulatory fines, and damage to brand reputation.
This means that while security teams are searching for new ways to secure complex digital environments, they are also dealing with the growing volume, sophistication and impact of cyber attacks. From the development and operations teams' point of view, they are suddenly required to write and deploy code that is more secure than before, because the chance of it being exploited is higher.
Accountability vs. Authorization
As we've seen, technology is advancing rapidly. However, the structure and operation of remediation are still lagging behind. Organizations still operate in siloed structures, where security and remediation functions work independently and separately.
Security teams are responsible for identifying risks, conducting vulnerability assessments, and implementing security controls. Their KPIs are reducing the size of the backlog, mean-time-to-remediate risks and, ultimately, the security of the organization. On the other hand, remediation teams, such as AppDev, CloudOps, ITOps, OTOps, and lines of business, are responsible for developing, deploying, and maintaining applications, infrastructure, and ensuring ongoing operations. Their KPIs are fast releases, developing new features for customers and uptime. At the same time, they are also the ones who are required to remediate vulnerabilities.
The result is an "accountability-authorization" gap. Security teams are held accountable for organizational security, but they are not authorized to fix the vulnerabilities they find. Engineering teams aim to deliver high-quality, secure code, but they are not fully held accountable for organizational security; they are, however, held accountable for releasing code quickly. Similarly, operations teams are held accountable for the ongoing availability of systems and services, but may not have to meet equivalent security service levels.
Security and Remediation Tension in the Day-to-Day
As a result of these transformative changes, security, development, and operations teams must now work more closely together than before. And while everyone has the same goal – delivering quality and secure apps, data, services, and systems – relationships are often strained. This manifests itself in the day-to-day as:
Miscommunication and Misalignment
Miscommunication between security and remediation teams is a common challenge in organizations. At the most basic level, there are differences in professional lingo and technical terminology. For example, security professionals may use technical terms and acronyms that remediation teams are unfamiliar with, and vice versa.
Security and remediation teams also follow different workflows and methods. Development teams work in sprints, which are often two weeks long. Their tasks are clearly determined and prioritized for the sprint, and they are measured on their ability to complete them. Security teams, on the other hand, operate like other business functions, on a cadence of weeks, months and quarters. This means that when security teams communicate requirements, their timing isn't always aligned with remediation teams' schedules. This can create confusion, frustration and even anger at security teams for derailing the sprint's focus.
Finally, security and remediation teams follow different mindsets. While security teams focus on vulnerabilities and gaps, remediation teams are focused on their primary objectives of building, releasing and moving on to the next task. Security teams may feel that remediation teams are not taking concerns seriously and remediation teams may feel that security teams are not being realistic about the time and resources required to implement their recommendations.
These misalignments can hinder effective collaboration and understanding, leading to frustration and delays in addressing security issues.
Frustration and Tension Due to Lack of Resources
Remediation teams are tasked with delivering new features, maintaining existing systems, and supporting operational activities, typically with constraints in terms of time, budget, and staffing. Closing security gaps is part of a very long list of tasks engineers have to get done, yesterday, with one hand tied behind their back.
A Battle Over Competing Priorities
Security and remediation teams operate in a structure that is, unintentionally, designed to create conflict between them. This conflict, along with the lack of clear, effective and streamlined processes for ensuring secure code and operations, creates a reality in which builders and operators are forced to find their own balance between quick, efficient delivery and the security team's demands for risk mitigation. In other words, builders and operators may be the ones choosing which security tasks get done. If they lack clear direction from security teams, they might spend time and resources addressing low-priority issues while critical vulnerabilities remain unaddressed. Or they might abandon fixing security issues altogether.
How to Fix the Security-Remediation Gap
Since the tension between these teams is the result of circumstances that are within the control of organizations, organizations also have the power to untangle the security-remediation knot. Here are a few methods they can apply.
Shifting Left Security
“Shift left security” is an approach that advocates integrating security practices and considerations earlier in the software development or operational lifecycle. As mentioned earlier in this post, traditionally, security has been viewed as a separate phase that occurs towards the end of the development or deployment process. However, with the shift left security approach, security is moved earlier in the timeline. This includes incorporating security requirements, conducting threat modeling, performing secure code reviews, and implementing security testing and analysis tools as early as the development and design phases.
Shifting left security helps address security considerations from the outset. This enables organizations to proactively identify and mitigate potential vulnerabilities before they become more complex and costly to address, and before they create friction between security and remediation teams.
Shift left security also promotes collaboration and communication between security and remediation teams. By integrating security in the development phase, everyone has a better understanding of security requirements and challenges, leading to more effective security measures and reduced friction between teams.
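A concrete form of the shift-left gate described above is a pull-request check that blocks merges on high-severity findings. The added example below (not code from the original post or from Seemplicity) shows the one caveat practitioners usually want: it blocks only on findings that are new relative to a baseline scan, so the pre-existing backlog is routed to normal remediation instead of stalling every sprint. The finding format, fingerprinting rule and sample findings are constructed assumptions; real scanners (SARIF output, for instance) would be mapped into `Finding` first.

```python
"""Shift-left merge gate: block a pull request only on NEW high/critical
findings relative to a baseline scan of the target branch.

Added example, not code from the original post or from Seemplicity.
The Finding shape, fingerprint rule and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Severities that stop a merge when introduced by the change under review.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule id, e.g. a CWE or tool-specific rule name
    path: str       # file the finding was reported in
    line: int       # reported line (deliberately NOT part of the fingerprint)
    snippet: str    # offending code as reported by the scanner
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW

    def fingerprint(self) -> tuple[str, str, str]:
        # Line numbers shift whenever code above a finding changes, so keying
        # on (rule, path, normalized snippet) keeps an unchanged finding
        # matched to its baseline entry across commits.
        return (self.rule, self.path, " ".join(self.snippet.split()))


def new_findings(baseline: list[Finding], current: list[Finding]) -> list[Finding]:
    """Findings present in the current scan but absent from the baseline."""
    seen = {f.fingerprint() for f in baseline}
    return [f for f in current if f.fingerprint() not in seen]


def evaluate_gate(baseline: list[Finding], current: list[Finding]) -> dict:
    """Decide whether the change may merge.

    Returns the blocking (new, high-severity) findings, the new findings
    that are merely reported, and the pre-existing ones left to the backlog.
    """
    new = new_findings(baseline, current)
    blocking = [f for f in new if f.severity.upper() in BLOCKING_SEVERITIES]
    advisory = [f for f in new if f.severity.upper() not in BLOCKING_SEVERITIES]
    carried = [f for f in current if f not in new]
    return {
        "allow_merge": not blocking,
        "blocking": blocking,
        "new_non_blocking": advisory,
        "pre_existing": carried,
    }


# Constructed sample scans: the baseline is the target branch, the current
# scan is the branch under review. Line numbers differ on purpose.
BASELINE = [
    Finding("CWE-89", "app/db.py", 40, "cursor.execute('SELECT * FROM t WHERE id=' + uid)", "HIGH"),
    Finding("CWE-79", "web/render.py", 12, "return '<p>' + comment + '</p>'", "MEDIUM"),
]
CURRENT = [
    Finding("CWE-89", "app/db.py", 47, "cursor.execute('SELECT * FROM t WHERE id=' + uid)", "HIGH"),
    Finding("CWE-79", "web/render.py", 12, "return '<p>' + comment + '</p>'", "MEDIUM"),
    Finding("CWE-798", "app/config.py", 3, "API_KEY = 'sk-example-hardcoded'", "CRITICAL"),
    Finding("CWE-20", "app/api.py", 88, "limit = int(request.args['limit'])", "LOW"),
]


if __name__ == "__main__":
    verdict = evaluate_gate(BASELINE, CURRENT)
    print("allow merge:", verdict["allow_merge"])
    for f in verdict["blocking"]:
        print(f"BLOCK  {f.severity:8} {f.rule} {f.path}:{f.line}")
    for f in verdict["new_non_blocking"]:
        print(f"NOTE   {f.severity:8} {f.rule} {f.path}:{f.line}")
    for f in verdict["pre_existing"]:
        print(f"BACKLOG {f.severity:7} {f.rule} {f.path}:{f.line}")
```

Run as a CI step, the script would exit non-zero when `allow_merge` is false. The pre-existing SQL injection finding is still real and still needs an owner and a due date; the gate simply declines to make the developer who touched an unrelated file responsible for it.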
Aligning Processes and Workflows
Aligning processes and workflows is crucial for organizations to improve collaboration, efficiency, and overall effectiveness in addressing security issues. These processes and workflows provide a structured framework for teams to follow, ensuring that security considerations are integrated seamlessly into development and operational activities.
This involves defining clear roles, responsibilities and handoffs between the teams involved in security and remediation efforts, for example through regular meetings, cross-team workshops and shared collaboration platforms. This standardization helps ensure that everyone understands their tasks, the expected outcomes and the sequence of activities to be followed.
In addition, such processes will foster open communication, enable knowledge sharing and strengthen the relationship between teams, to ensure that security issues are promptly addressed and that all stakeholders are kept informed.
Consider Tools that Support these Processes and Workflows
Leveraging automation and security tooling can significantly improve the ability to communicate, prioritize and mitigate security issues. Platforms that automate and orchestrate security and remediation workflows can cultivate a streamlined and collaborative effort. For example, a platform that incorporates vulnerability and risk mitigation workflows could benefit everyone by clearly pinpointing the issue, identifying the owners and tracking remediation progress. This increases productivity, reduces the workload for teams and enables scaling the remediation process. As a result, it also alleviates the tension and improves collaboration.
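The workflow described above (pinpoint the issue, identify the owner, track progress) and the prioritization problem raised under "A Battle Over Competing Priorities" can be made concrete with a small routing model. The added example below is not code from the original post or from Seemplicity; the ownership map, SLA policy, risk-scoring weights and findings are all constructed assumptions that a real program would replace with its own asset inventory and policy.

```python
"""Remediation routing: attach an owner, a risk rank and an SLA due date to
each finding, build per-team queues, and report what is overdue.

Added example, not code from the original post or from Seemplicity.
Ownership map, SLA policy, scoring weights and findings are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation SLA in days per severity (constructed policy).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
SEVERITY_SCORE = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Asset-prefix -> remediation team (constructed). First matching prefix wins.
OWNERS = {
    "repo:payments-api": "AppDev-Payments",
    "cloud:prod/": "CloudOps",
    "host:plc-": "OTOps",
}
# Findings with no known owner stay with security for triage rather than
# silently disappearing; an unowned finding is itself a process gap.
DEFAULT_OWNER = "Security-Triage"


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    severity: str
    found_at: datetime
    exploited_in_wild: bool = False   # e.g. listed in a known-exploited catalog
    internet_facing: bool = False


def owner_for(asset: str) -> str:
    for prefix, team in OWNERS.items():
        if asset.startswith(prefix):
            return team
    return DEFAULT_OWNER


def risk_score(f: Finding) -> int:
    """Severity plus context: what an attacker can actually reach and is
    actually exploiting ranks above raw severity alone."""
    score = SEVERITY_SCORE[f.severity]
    if f.exploited_in_wild:
        score += 2
    if f.internet_facing:
        score += 1
    return score


def due_date(f: Finding) -> datetime:
    return f.found_at + timedelta(days=SLA_DAYS[f.severity])


def build_queues(findings: list[Finding], now: datetime) -> dict[str, list[dict]]:
    """Per-team work queues, highest risk first, with SLA status attached."""
    queues: dict[str, list[dict]] = {}
    for f in sorted(findings, key=risk_score, reverse=True):
        due = due_date(f)
        ticket = {
            "id": f.id,
            "asset": f.asset,
            "severity": f.severity,
            "risk_score": risk_score(f),
            "due": due.date().isoformat(),
            "days_overdue": max(0, (now - due).days),
        }
        queues.setdefault(owner_for(f.asset), []).append(ticket)
    return queues


def overdue_ids(findings: list[Finding], now: datetime) -> set[str]:
    return {f.id for f in findings if due_date(f) < now}


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample findings from several scanners, mapped to one shape.
FINDINGS = [
    Finding("F-1", "repo:payments-api", "HIGH", _utc(2024, 5, 1), internet_facing=True),
    Finding("F-2", "cloud:prod/s3-customer-exports", "CRITICAL", _utc(2024, 5, 20),
            exploited_in_wild=True, internet_facing=True),
    Finding("F-3", "host:plc-line3", "MEDIUM", _utc(2024, 3, 1)),
    Finding("F-4", "repo:legacy-intranet", "LOW", _utc(2024, 5, 25)),
]
NOW = _utc(2024, 6, 1)


if __name__ == "__main__":
    for team, tickets in build_queues(FINDINGS, NOW).items():
        print(team)
        for t in tickets:
            print(f"  {t['id']} {t['severity']:8} risk={t['risk_score']} "
                  f"due={t['due']} overdue={t['days_overdue']}d {t['asset']}")
    print("overdue:", sorted(overdue_ids(FINDINGS, NOW)))
```

Two design points carry the weight here. First, the queue is keyed by owner, so each remediation team sees only its own ranked list instead of the whole organizational backlog, which is the "clear direction" the priorities section asked for. Second, `Security-Triage` as the fallback owner turns an unmapped asset into a visible item for the security team rather than a finding nobody is accountable for, which is the accountability gap in miniature.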
Next Steps for Your Organization
The tension between security and remediation teams is a common issue that many organizations face. However, despite the different approaches each team has, it’s important to remember we all share the same overarching goal: protecting the organization from security threats and minimizing the impact of vulnerabilities.
Addressing this tension requires a change that involves people, processes and technology. It starts with building relationships and defining clear processes and workflows. Automated platforms can also help: they lighten the teams' overhead and remove friction, which makes it easier for both sides to find ways to protect the organization.
To learn more about how Seemplicity can help automate risk and vulnerability operations across your organization, click here.