It’s time to rethink classic approaches to security, and build a playbook that ensures safety and success.
Ask any football player, watch any game — the offense of a team lives and dies with its offensive line. The line gives decision-makers time to make smart decisions against oncoming threats, which paves the path for the team to move forward.
In a world that moves lightning fast, holistic security is at the heart of an enterprise’s speed offense: the security team is the company’s offensive line — one that requires the awareness, focus, and flexibility to address threats. Not only does a versatile, cloud-native security team give leaders the breathing room to make decisions, but it also opens lanes for continuous innovation and deployment.
Just as offensive lineman are often first-round draft picks or frequently receive huge contracts, an organization needs to allocate meaningful budget and resources to security.
I’d love to say the Equifax hack was a wakeup call. But attacks at this scale have happened before and will continue to happen again as long as an old-school security approach continues. Everyone, from the CEO to the security team to the engineers, needs to be aligned on the playbook that needs to be used — so here are some tips from my playbook that might help you avoid a crushing defeat.
Know your weaknesses
The biggest risk to enterprise is legacy infrastructure and a legacy mindset. If a company wants to succeed, the whole team must make it a priority to replatform onto a modern, flexible system in a cloud-native approach. If you keep pushing off and avoid dealing with old configurations, you’re going to get caught.
Create a supporting environment
Just as offensive lineman are often first-round draft picks or frequently receive huge contracts, an organization needs to allocate meaningful budget and resources to security. Keep in mind too that wrong-spotting is easy and often disproportionately weighed when evaluating a security team’s performance, so draft a security team you will place your faith in and will trust to clean up mistakes when they occur. And if you can’t find enough talent for your home field, put your trust in strategic partners that will give you the right technology and people to propel you forward.
Make sure the team has the right fundamentals
Once your security team is drafted, don’t keep them — or their mentality — isolated. Just as running backs, tight ends, and wide receivers are often asked to block, every group in your organization needs to understand the importance of security. This is why a balanced team approach to software, with embedded security experts, will keep an organization more protected. Security can’t be handed off or pieced together, it has to have a foundational philosophy that can guide everyone on the team.
Get smart, go modern
You have to replace your outdated tech. A lot of outdated tech that relies on old software can be just the crack an attacker needs. Chromebooks are a good example of newer laptops that are immune from traditional viruses. Chromebooks are better because they patch and repair themselves automatically. These updates essentially repave the laptop frequently. They are simple, so they have a reduced attack surface area, and they are strongly opinionated about the types of applications they will run. Working in a new, modern way means you’ll be working in a way that’s more secure.
Keep them guessing
It all happens at the line of scrimmage (or in this case, production), that’s where you can keep attackers guessing — by calling the right audibles. Say a credential leaks. Well, what if you had a service that updated all your credentials automatically multiple times a day? Meaning that leak would only be good for a window of a few minutes. This limits the amount of time bad actors have in your system and the damage they can do.
Think long-term
Society believed horses were a great mode of transportation 150 years ago; and we were resigned to expect a number of fatalities involving horses. Every other week, I fly across the country on a 757 that barrels through the sky. We didn’t go from horseback to 757s by incrementally strapping wings and motors onto Seabiscuit. There was a wholesale replacement that happened over decades, and society greatly benefited. Great organizations, whether it’s Ford or the Patriots, think about the long term goals.
A postgame interview on Equifax
We will only learn so much from public hearings or trials in which Equifax participates. We’ll likely never hear the full details, because the problems are rooted in the company’s culture. And while blaming can be satisfying, and making fun of it can be hilarious, these attitudes ignore the pervasive avoidance and excessive caution that keeps most enterprise security teams 10 years behind the times. Security teams at older enterprise companies are constantly fighting a losing battle, constantly hearing “no” and not getting the resources they need.
Let’s imagine Equifax two years from now. I guarantee that security will have greater clout and respect, which will be seen in personnel shifts, modern technology, and new playbooks. But this can only happen if the team there builds a great offensive line — one that’s willing to take everything the opposing forces will throw at it, and one that will passionately work toward ‘touchdowns,’ even when they are ostensibly impossible.
Change is the only constant, so individuals, institutions, and businesses must be Built to Adapt. At Pivotal, we believe change should be expected, embraced and incorporated continuously through development and innovation, because good software is never finished.
Security: The Offensive Line of Enterprise was originally published in Built to Adapt on Medium, where people are continuing the conversation by highlighting and responding to this story.