James M. Kaplan, Partner and Co-leader, McKinsey & Company
There’s a consistent theme in enterprise technology over the past year or two–rapid and dramatic change, both in the rise of the “digital enterprise” and the need for IT to react quickly and innovate aggressively to meet business expectations for the pace of digitization. However, as IT organizations seek to support their business partners’ digital aspirations, they will create challenges for many cybersecurity organizations. In order to avoid becoming a barrier to digitization, cybersecurity teams will have to change their operating models to adopt agile practices and focus on developer experience.
CYBERSECURITY AND DIGITIZATION
Every aspect of the digital enterprise has important cybersecurity implications. As companies seek to create more digital customer experiences, they need to determine how to align fraud security, and product development organizations to design controls (e.g. authentication) that create experiences that are both convenient and secure. As companies adopt massive data analytics, they must determine how to identify risks created by data sets that integrate many types of incredibly sensitive customer information in one place. They must also develop solutions for incorporating security controls into analytic solutions that may not use a formal software development methodology. As companies leverage Robotic Process Automation (RPA), they must effectively manage bot credentials and make sure that “boundary cases” don’t introduce security risks.
In order to avoid becoming a barrier to digitization, cybersecurity teams will have to change their operating models to adopt agile practices and focus on developer experience
Likewise, as companies build API ecosystems for external customers, they must determine how to identify vulnerabilities created by interactions between many APIs and services, and build and enforce standards for appropriate developer access. Further, they must continue to maintain diligence in application security even as they transition from waterfall to agile application development.
CHALLENGES WITH EXISTING CYBERSECURITY MODELS
In most companies, CIOs, CISOs, and their teams have sought to establish cybersecurity as an enterprise-grade service. What does that mean? They have consolidated cybersecurity-related activities into one or a few organizations. They have tried to identify risks and compare them to enterprise-wide threat appetites to understand gaps and make better decisions about residual risks. They established enterprise-wide policies and supported them with standards. They have emphasized the importance of governance as a counterweight to individual development teams’ tendency to prioritize time-to-market and cost over risk and security. The have built security service offerings –requiring development teams to create a ticket requesting service from a central group before they can get a vulnerability scan or a penetration test.
All of these actions have proven absolutely necessary. The lack of which would have caused more cybersecurity breaches and many other violations that would have been more severe.
However, there is a basic tension between the actions above the emerging digital-analytics-agile-DevOps-cloud operating model many enterprises are seeking to adopt. As companies seek to leverage public cloud services, they often find that security is the “long pole in the tent” in setting up an application on a public cloud infrastructure. At one financial institution, development teams expressed frustration amounting to anger in the time it took the security to validate and approve incremental items in their cloud service provider’s catalog for production usage. Developers at other institutions have been frustrated by the fact that they can spin up a server in minutes, but must create a ticket and wait for weeks for the vulnerability scan required to promote their application to production. Again and again, IT organizations are finding that existing security models do not run at “cloud speed”–and are not provided with enough specialized support to developers on issues like analytics, RPA and APIs.
This has resulted in the creation of a tension between development and security teams that leads to missed business opportunities due to the delays in getting new capabilities to market. In some cases, it results in an increased vulnerability as development teams bend the rules to work around security policies and standards.
At least a few sophisticated IT organizations are starting to make the transition to an agile security operating model. In most of these cases, existing programs that are moving into an agile infrastructure have started to pull security along with them and are encouraging the adoption of agile practices. What does agile security look like?
■ Move from ticket-based to API-based interface for security services. Agile security organizations seek to automate every possible interaction so that development teams can perform vulnerability scans, adjust DLP rules, set up application security, and connect to identify and access management services via APIs.
■ Organize security teams around into scrum or scrumban teams managing developer-recognizeable services (e.g. IAM, DLP).
■ Recruit development team leads to serve as “product owners” for security services–just as business managers serve as product owners for customer journeys and customer-oriented services.
■ Explicitly manage “planned” and “unplanned” work, in order to create capacity to focus on automation and API creation.
■ Shift talent model to incorporate more E-shaped skills sets, inclusive of integrative problem solvers and automation/development skill sets, in addition to depth in security technologies.
Among analytics, RPA, agile, DevOps and cloud, enterprise IT is evolving rapidly in exciting and value-creating ways–and this evolution is causing a natural tension with existing cybersecurity operating models. While it is still early days, adopting agile security might just be the most effective means to protect the institution while also supporting the business’s and IT’s innovation aspirations.