
Scaling your security team without hiring


November 2, 2022


The cybersecurity industry’s current struggle — to close a significant gap between the numbers of job openings and qualified candidates — began years before the coronavirus pandemic sparked the Great Resignation. Today, (ISC)² reports a global cybersecurity workforce gap of 2.7 million people.

The pandemic did compel enterprises to accelerate their migration of applications to the cloud, increasing the challenge for already-overwhelmed security teams. But that doesn't mean companies should try to keep pace with growing cloud usage by scaling headcount. Instead, the priority should be to automate security processes with policy as code, so that the growing scale and complexity of cloud use can be handled without a matching growth in people.

A new security paradigm

To understand why hiring more cybersecurity personnel isn’t the solution, it’s important to realize just how radically (and permanently) the cloud has transformed IT security.

When organizations start using the cloud, they're not going to reverse course and go back to the days of housing the bulk of their IT infrastructure in a data center. The business benefits offered by the cloud are too great to revert to that model. So companies will continue migrating more applications to the cloud, spinning up third-party applications on the cloud, and building and running new applications in cloud-native environments. As they continue to scale their cloud infrastructures, the complexity of those environments will increase.

Unsurprisingly, the demand for information security engineers and cloud engineers is high and rising. But even at organizations with unlimited budgets, there's a key reason that it doesn’t make sense to keep scaling security headcount: the responsibility for securing the cloud does not rest solely on the IT security team.

Sharing security responsibilities

When developers build applications in the cloud, they're also building the infrastructure for those applications, rather than buying a pile of infrastructure and shoving apps into it. Cloud infrastructure is built with code, which means developers own the process. In other words, security is now a shared responsibility — not just between an enterprise and its cloud providers, but also within the organization. Cloud engineers are increasingly taking ownership of the security of their cloud environment.

This is an opportunity for security teams. The security team can now serve as domain experts, empowering developers with tooling that checks the right policies before anything is deployed. This speeds up development and reduces the number of misconfigurations in the cloud environment. Security teams can do this by applying policy as code (PaC) at the development phase, in the continuous integration/continuous delivery (CI/CD) pipeline, and at runtime.

What is policy as code?

Policy as code enables security teams to express security and compliance rules in a machine-readable policy language that a program can evaluate against configurations. No manual intervention is required: the policy engine automatically checks other code and running environments for misconfigurations and other unwanted conditions, and returns the same verdict for the same input every time. This gives all cloud stakeholders one unambiguous definition of the rules and of how they are applied within the software development life cycle (SDLC).

While the security challenges are broadly the same for all companies operating in the cloud, as the saying goes: the devil is in the details. Fast-growing startups might have to demonstrate SOC 2 compliance, while large financial services organizations must comply with PCI DSS, NIST 800-53, and ISO 27001. PaC can help organizations harden their cloud security posture and demonstrate compliance with applicable standards, laws, and regulations. Because every policy decision is produced by code over recorded inputs, PaC is also very helpful for showing the state of the security of a cloud environment to any interested parties (management, board members, customers, auditors, etc.).

PaC is the most scalable way to support multiple business units — and their myriad use cases and local policy requirements — without slowing them down. A good place to start is with Open Policy Agent (OPA), a Cloud Native Computing Foundation (CNCF) project used by a growing number of major enterprises.

While there are a number of vendor-proprietary solutions, they tend to be very specific to certain applications or use cases. Standardizing on a flexible open source solution such as Open Policy Agent lets you apply PaC and its single source of truth to a wider range of use cases (for example, admission control for Kubernetes API requests, or checking a running cloud environment for misconfigurations). This enables security teams to write one security or compliance policy and apply it everywhere. It also empowers other teams to apply that policy to whatever work they're doing.
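As an added example (not code from the original post, and not OPA's own), here is what a policy of this kind looks like in Rego, OPA's policy language, written as a Kubernetes admission policy. It assumes the input is a Pod manifest and that `data.exempt_namespaces`, a hypothetical list loaded from a data file beside the policy, holds namespaces that are exempt; that list is how an exception gets expressed as code rather than as a note in a spreadsheet. The Pod manifests inside the `test_` rules are constructed for the example.

```rego
# Added example (not from the original post): a Kubernetes admission policy
# for Open Policy Agent, written in Rego.
# Assumptions: input is a Pod manifest; data.exempt_namespaces is a
# hypothetical list loaded from a data file next to this policy.
package kubernetes.admission

import future.keywords

default allow := false

# The request is allowed only when no rule produces a denial message.
allow if count(deny) == 0

# An exception expressed as code: namespaces listed in data.exempt_namespaces
# (hypothetical data document) skip every check below.
exempt if input.metadata.namespace in data.exempt_namespaces

# Rule 1: no privileged containers.
deny contains msg if {
    not exempt
    some container in input.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [container.name])
}

# Rule 2: every container must run as non-root, set at container or pod level.
deny contains msg if {
    not exempt
    some container in input.spec.containers
    not runs_as_non_root(container)
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [container.name])
}

runs_as_non_root(container) if container.securityContext.runAsNonRoot == true

runs_as_non_root(container) if {
    input.spec.securityContext.runAsNonRoot == true
    not container.securityContext.runAsNonRoot == false  # container-level override wins
}

# Rule 3: images must be pinned to an explicit tag or digest, never :latest.
deny contains msg if {
    not exempt
    some container in input.spec.containers
    not pinned(container.image)
    msg := sprintf("container %q uses image %q; pin a non-latest tag or digest", [container.name, container.image])
}

pinned(image) if {
    parts := split(image, "/")
    last := parts[count(parts) - 1]   # last path segment, so a registry port is not mistaken for a tag
    indexof(last, ":") != -1          # has a tag or an @sha256: digest
    not endswith(last, ":latest")
}

# Unit tests, run with `opa test .`, over a constructed Pod manifest.
bad_pod := {
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"containers": [{
        "name": "app",
        "image": "nginx:latest",
        "securityContext": {"privileged": true}
    }]}
}

test_bad_pod_denied if {
    msgs := deny with input as bad_pod
    count(msgs) == 3                      # privileged, not non-root, :latest
    not allow with input as bad_pod
}

test_exempt_namespace_allowed if {
    pod := object.union(bad_pod, {"metadata": {"name": "web", "namespace": "kube-system"}})
    allow with input as pod with data.exempt_namespaces as ["kube-system"]
}

test_compliant_pod_allowed if {
    pod := {
        "kind": "Pod",
        "metadata": {"name": "web", "namespace": "prod"},
        "spec": {"containers": [{
            "name": "app",
            "image": "nginx:1.25.3",
            "securityContext": {"runAsNonRoot": true}
        }]}
    }
    allow with input as pod
}
```

The same file serves the three stages named earlier: a developer runs `opa test .` in the editor, the CI pipeline runs `opa eval --input pod.json --data policy.rego 'data.kubernetes.admission.deny'` against rendered manifests and fails the build on a non-empty result, and at runtime the policy is served to the Kubernetes API server as an admission webhook (OPA Gatekeeper packages Rego like this inside ConstraintTemplates). The exemption is visible, reviewable, and tested in the same place as the rule it relaxes.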

Mitigating human fallibility

If your security policies exist solely in natural language in a PDF, spreadsheet, or binder, they might as well not exist at all as far as a single source of truth is concerned. You cannot expect any human to memorize multiple different policies and automatically understand how to apply them. It takes time to review policies manually, and the risk of human error is always present. Each person who reads a policy might interpret it differently, leading to confusion and inefficiency.

A policy engine evaluates a policy the same way every time, in milliseconds. If a security policy needs to differ from one deployment to the next, you express that exception as code, so it is reviewed and documented alongside the rule it relaxes. When you implement automation through PaC, misconfigurations are caught in the code editor or the CI pipeline before they reach production.

You certainly should hire security professionals with expertise in securing cloud environments. But taking that step alone won’t address the growing security risk inherent to cloud adoption. With a holistic approach to cloud security that helps software engineers develop secure cloud infrastructure, prevents misconfiguration in deployment, and is built on a consistent and scalable foundation of policy as code, enterprises can safely scale their use of the cloud.
