There is a common perception of the stereotypical security professional who always says ‘no’. However, a growing number of security consultants have come to approach new projects and clients with the response ‘yes, if…’. The role of the security consultant is to gain assurance over what the business is doing, and getting that assurance is rarely as clear-cut as a yes or no answer.
Security has never been about holding anyone back, but about protecting the business by enabling senior leaders to take the right risks in order to reap the rewards. To do this, the security consultant needs a transparent view of the business. From there it’s about taking a layered approach, and layering your recommendations with context.
Real-time visibility of security posture
To better understand the business and its challenges, it’s critical to know what your security posture is. Without knowing where you currently are, how do you know where you are meant to go?
The traditional approach is to hire an external consultancy to compare the current security maturity to external standards such as ISO 27001 or PCI DSS. The findings are based on a time-boxed set of interviews and a subset of documents, rather than on what is actually in the environment, and the resulting analysis can be shaped by what the auditor perceives. This is not to discount the role of an external auditor; however, in this changing climate, these audit controls need to be automated, and assessments cannot wait until the next time there is funding for an external consultancy and a maturity assessment.
General controls are typically assessed from two aspects: design effectiveness and operational effectiveness. The guardrails built into your CI/CD pipeline form your design effectiveness. The operational effectiveness is where monitoring and security orchestration tools come into play. The benefit of going to cloud service providers is that there are ‘plug and play’ products that can give visibility. Stax is a perfect example of this.
Executives expect quarterly cybersecurity reports, and managers spend at least a few days every month generating governance, risk and compliance reports; however, this can now be reduced to an automated task whose output is available in real time.
Automate security auditing
Security consultants are meant to be advisors, not auditors. With the shortage of cybersecurity resources, time is better spent on automating controls than on ticking check boxes and spending countless hours generating monthly compliance and executive security reports.
Migrating to the cloud was considered a significant risk 10 years ago. It’s important to remember that migrating to a cloud platform like AWS does not automatically grant you all the certifications that AWS itself holds. It does, however, give security professionals the optimal opportunity to leverage new and improved tools, build in automated security controls and enhance visibility of their own resources.
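To make the preceding two sections concrete, here is a small policy-as-code example, added here and not taken from the original post or from Stax. It assumes a hypothetical resource inventory (the constructed `SAMPLE_INVENTORY` below, not real data) and hypothetical control identifiers such as `STOR-01`. The same control definitions drive two views: `ci_gate` rejects a proposed change in the pipeline (design effectiveness), and `posture_report` evaluates what is actually deployed and produces the kind of summary that would otherwise be compiled by hand for a monthly report (operational effectiveness).

```python
"""Policy-as-code controls usable both as a CI gate and as a live posture report.

Added illustration; the inventory, control IDs and thresholds are constructed
assumptions, not output from any real cloud provider or product.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed inventory, shaped like what an asset-inventory export might give you.
SAMPLE_INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket", "public": False, "encrypted": True},
    {"id": "bucket-web-assets", "type": "storage_bucket", "public": True, "encrypted": False},
    {"id": "db-orders", "type": "database", "encrypted": True, "backup_days": 7},
    {"id": "db-analytics", "type": "database", "encrypted": False, "backup_days": 0},
    {"id": "sg-app", "type": "security_group", "open_ports": [443]},
    {"id": "sg-legacy", "type": "security_group", "open_ports": [22, 3389]},
]

ADMIN_PORTS = {22, 3389}  # assumption: management ports that must not be internet-exposed


@dataclass
class Finding:
    control: str
    resource_id: str
    detail: str


# A check returns a problem description for a non-compliant resource, else None.
Check = Callable[[dict], Optional[str]]

# (hypothetical control id, resource type in scope, check)
CONTROLS: List[Tuple[str, str, Check]] = [
    ("STOR-01", "storage_bucket",
     lambda r: "bucket is publicly readable" if r["public"] else None),
    ("STOR-02", "storage_bucket",
     lambda r: None if r["encrypted"] else "bucket is not encrypted at rest"),
    ("DB-01", "database",
     lambda r: None if r["encrypted"] else "database is not encrypted at rest"),
    ("DB-02", "database",
     lambda r: None if r["backup_days"] >= 7 else "backups retained for fewer than 7 days"),
    ("NET-01", "security_group",
     lambda r: ("admin ports exposed: %s" % sorted(ADMIN_PORTS & set(r["open_ports"])))
     if ADMIN_PORTS & set(r["open_ports"]) else None),
]


def evaluate(inventory: List[dict], controls=CONTROLS) -> List[Finding]:
    """Run every control against every in-scope resource and collect findings."""
    findings: List[Finding] = []
    for control_id, rtype, check in controls:
        for resource in inventory:
            if resource["type"] != rtype:
                continue
            problem = check(resource)
            if problem:
                findings.append(Finding(control_id, resource["id"], problem))
    return findings


def ci_gate(proposed_resources: List[dict], controls=CONTROLS) -> bool:
    """Design-effectiveness view: True if the proposed change passes every control.

    Wire this into the pipeline so a non-compliant resource never reaches production.
    """
    return not evaluate(proposed_resources, controls)


def posture_report(inventory: List[dict], controls=CONTROLS) -> Dict[str, dict]:
    """Operational-effectiveness view: per-control pass/fail over what is deployed now."""
    findings = evaluate(inventory, controls)
    report: Dict[str, dict] = {}
    for control_id, rtype, _ in controls:
        in_scope = [r for r in inventory if r["type"] == rtype]
        failing = sorted({f.resource_id for f in findings if f.control == control_id})
        report[control_id] = {
            "in_scope": len(in_scope),
            "compliant": len(in_scope) - len(failing),
            "failing": failing,
        }
    return report


if __name__ == "__main__":
    # Same controls, two uses: gate a proposed bucket, then report on the live estate.
    proposed = [{"id": "bucket-new", "type": "storage_bucket", "public": True, "encrypted": True}]
    print("pipeline gate passed:", ci_gate(proposed))
    print(json.dumps(posture_report(SAMPLE_INVENTORY), indent=2))
```

Because the gate and the report share one control list, a control that is tightened for the pipeline is tightened for the executive report at the same time, which is the point of building controls in rather than auditing them after the fact.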
Build in the controls, then trust and verify
Trust that your developers know what they are doing, but still verify to catch human error. A good developer will want to share their learnings, learn from others and build continuous improvement into the pipeline. Your developers know the ‘ins and outs’ of the application and where it could be improved, which enables the company to fine-tune its policies. Greater visibility of how to improve the code and the technology, through static code analysis and runtime vulnerability scanning, will ultimately educate the developer community.
The trusted advisor
Managers and executives need to change their expectations of what the security team provides, moving beyond monthly reports to see the security consultant as a ‘trusted advisor’ who informs the business of its risk rather than simply providing a yes or no answer. Only once the security consultant has a better understanding of the business and its challenges can they enable the business to take the ‘right risks’.