May 4, 20230 mins read
This is a guest post by Alex Bovee, CEO and Co-Founder of ConductorOne, an identity security company.
In today's fast-paced and ever-evolving technological landscape, building an effective security program is critical for any organization. I had the privilege of hosting Guy Podjarny, Snyk’s CEO and Co-Founder, on All Aboard, a new podcast produced by ConductorOne.
During our conversation, we talked about scaling security controls in a cloud-first environment, how to measure the success of your security program, and our predictions on how the current macroeconomic conditions will impact purchasing behavior in security.
Scaling security controls with shift left
“Shift left” gained popularity because of its efficiency. It’s a hundred times cheaper and more efficient to find the problem during development phases rather than on downstream audits. Over the past decade the pace of software adoption has changed drastically, and “the ability to keep up with software, separately, has really gone increasingly out the window,” said Guy.
Adapting to this framework wasn’t simple, but the promised boon of increased efficiencies and more agile, productive teams meant that any short term pains were worth bearing. At the end of the day, developers and leadership want to be able to build and innovate, and to do so at a rate that’s faster than the competition. It’s important for security teams to think of their responsibilities through these lens. “The best security teams see themselves as a platform,” Guy shares. “They succeed by enabling developers to build secure applications, faster.”
In security, the concept of agile development might be analogous to moving guardrails and controls closer to when users are actually making decisions. “You help them make a secure decision, or not give them the ability to make an insecure decision,” Guy explains. Security needs to find creative ways to codify their knowledge and expertise in the development pipeline and empower users to create business value.
Measuring the success of your security program
There are 3 practical ways to measure the success of your security program:
1. Through measurable KPIs (key performance indicators): What is the speed of response to an incident? How many issues found downstream were identified ahead of time? How many people or dev teams were actually engaged and successfully testing versus the ones not testing? When building your security program the way you believe is best for your organization, you need different ways to actually measure and test that it’s working.
2. Look at the outputs of security controls: How many vulnerabilities do we have? How quickly are we able to address them? Testing the output is useful because it is also a relatively easy thing to measure as a barometer of your security posture. And it’s important because if there’s no output, then there are no KPIs coming from this incident.
3. Efficacy, which is the toughest to measure yet best indicator: How well is the security program protecting against attackers? This is the hardest to measure, but the best way to do it is through external validation. How many bug boundary reports did they get? How many red teams are coming in? Or how many issues did they find? It will never be fully comprehensive — it's too expensive to be comprehensive — but it is an effective additional spot check for your most sensitive assets. It’s about reducing risk, but we also look at how we can improve developer productivity — how quickly are issues fixed?
Focusing on productivity and efficiency
Security teams are becoming developers in their own right. The “paved road” concept, popularized by Netflix, is the idea that as a platform team, you build a paved road that has all the right controls and nudge teams to follow the path laid out. Developers can go off the beaten path, but would then have to satisfy additional requirements and take on more overhead to demonstrate security and compliance on their own.
When there’s a paved road, there’s less of a chance that users will opt to go elsewhere. For modern solutions, frictionless user experience matters more and more. In identity security, for example, we’ll often see security breaches happening because of excessive authorization. Why? Because it’s painful to track, audit, and revoke privileges across the organization. As a result, privileges and credentials remain floating in the ether. I co-founded ConductorOne to address this pain, one I witnessed first hand working in Security Products over the last decade.
Today’s current macroeconomic conditions also guarantee that there will be a clash between a top-down push for consolidation vs. efficiency and cost reduction, the latter of which is inherently biased towards decentralization. Guy says, “I think 2023 is a year for sobriety for a lot of places.”
Demonstrating value from a risk reduction standpoint, as well as showing how a solution helps to improve productivity will now be an even more critical component of the buying decision. Tools built for practicality and that can do or integrate more with less will be favored.
Circling back to the earlier topic around measurement and the lack of established benchmarks, Guy remarks, “There continues to be a lot of subjective room in the security industry, more so than many others. Sometimes people get it right, sometimes not. But now we’re all forced to think about it hard enough. And that’s a healthy trend.”