Democratize Security

Executive Strategy Meeting

Angela: CEO

Jim: VP Engineering

Tanya: Head of Security

Chidi: Legal

Matt: Application Security Lead

Jim: We are two weeks away from our next product. We have kept it quiet for competitive reasons, but this is our next billion-dollar bet. It is a social media app with geolocation capabilities and is open to all ages. Market research has been highly favorable, especially in teens. We are excited.

Angela: Great Jim, I know you and your team have done a lot of work on this project. Tanya, has your team completed the review? I am concerned about user privacy and Security.

Tanya: I was not aware of this project. Let me check with Matt.

Chidi: Angela, your concerns are valid. The project has not gone through any privacy impact assessment, to my knowledge.

Tanya: Matt has just updated me that he met the Architect on the project six months ago. The conversation was brief and mostly around that the design was not final. They agreed that they should reconnect again when they have finalized the design. We need to do both a Security Impact Assessment and Privacy Impact Assessment.

Jim: OK. Angela! We have a hard launch date here; as discussed in our 1:1, we have been working with marketing to get things aligned. We have to launch it just before the schools open. But we will work with Tanya’s team to get them whatever resources they need to get this done.

This conversation, in some form, happens in all organizations. Organizational, functional, and technology silos create partitions with unequal access to data, conversations, strategy, and team priorities, creating what some refer to as “Chaos” — not chaos, just business running at the speed of business. Teams often play catch-up with each other. There is an abundance of meetings to get everyone on the “same page.” Folks often leverage personal connections across the organization to stay informed. It is not uncommon to be put in a difficult situation to meet unrealistic timelines requiring heroic efforts — we all have a proverbial “Brent” from The Phoenix Project in every organization. The result is an over-reliance on human expertise and human connection that frequently fails to match the speed of business.

The workforce is experiencing identity confusion in their roles, especially in cloud-first organizations. Engineers act as DevOps and Security; DevOps acts as Security and Engineering; Security acts as DevOps and Engineering, and so on. Each of the Engineering, DevOps, and Security roles is expected to have the knowledge and skills to solve the challenges in the other technology areas. Entry-level positions are mostly disappearing, and the barrier to entry is even higher. Organizations are competing for the same highly skilled resources, driving the scarcity of human capital in the market and setting an unrealistic expectation for those starting their careers.

The unequal access to data and decisions creates silos that significantly hamper the organization’s productivity, and the effect is amplified as organizations grow. This is the current state; it exists in most organizations.

Take a leaf from the political process on how democracy works. Unequal access to information creates unequal access to decision-making and adversely affects how society operates. The first step is to provide people with the information that can help them understand all sides of the problem, potential solutions, and then choose the solutions that would address the most concerning issues. Everyone participates in improving society. Everyone plays a role at the same time.

Envision a capability that can bridge across these silos. All this starts with getting the foundations right. Real-time visibility across the environment — tracking all the business assets and enriching them with the data that is useful for decision making: criticality, risk, data type, regulatory scope, people, and other dependencies. Everyone within the organization can gain access to the data, functionality, and artifacts at the same time. People who need to know are informed about changes as they happen, so they can connect with others in time — having access to data, configurations, and artifacts without asking others for it. Assurance does not have to ask Engineering for the latest architecture diagram for GDPR compliance. Engineering and Security do not need to request configuration details about the cloud environments from DevOps/SREs; DevOps and Engineering do not rely on expert security advice to triage design, configuration, and production-level security concerns. Engineers get to do their own threat models, view their applications, and manage their risks when ready. DevOps can view an application’s architecture, know its components, plan for performance, reliability, and availability, and perform security tasks. Security is alerted to new projects as they get started; they can automatically generate threat models and focus on high-value tasks — everyone is empowered through access to data, with the complexity abstracted away. Assurance, risk management, program management, and strategic planning are data-driven, all coming from a common source. There are fewer meetings and more visibility; people new to the organization can still be effective because they are given access to the data and functionality that make their tasks more manageable. Things move faster, and we find peace in the chaos of the business by being one with it. Get it done with Cybersecurity Observability.

This is Democratizing Cloud and Security — We are perhaps bold, but this is the future.

Ahsan Mir is CEO of Rapticore, a cybersecurity startup. Ahsan has extensive experience in security operations, incident management, and leadership. He enjoys reading, trail running, climbing, and feeding birds. He can be reached on LinkedIn.
