Compliance Doesn't Matter

Organizations are focused on the wrong thing when it comes to security operations

Effective plans start with a goal. For security and operations, compliance isn't that goal.

 

Compliance prioritizes a static point in time

Most organizations treat the compliance audit date, after months of work and hours with auditors and consultants, as the destination. It isn't, though. A compliance certification only means that, at a set, pre-planned point in time, everything was right. You can be out of compliance 5 minutes before the audit and out of compliance 5 minutes after. Neither changes the fact that you have received a rating of being compliant.

This has a tremendous downside. Compliance creates a false sense of confidence for the future. When I say false, I mean unfounded. The compliance deadline becomes the goal instead of day-to-day operations, making you vulnerable. Without the right operations, the moment you add a new employee or deploy a new resource, you no longer know if you are secure.

When it comes to security operations, compliance asks the question, "Can I check the box now?" It's a single data point. Checking the box now doesn't mean anything for an hour from now. It's like installing a home security system. If you turned it on yesterday, great. Did you turn it on today? Can you turn it on tomorrow?

What matters is persistence

When it comes to security, your objective should be persistence: knowing your security operations are sound and being able to quickly prove it. There should be consistency in how you assess and manage your infrastructure. You should know your digital environment inside out. Events that transpire outside of the organization are unpredictable, but persistence in your security operations means you will be able to detect a threat or intrusion quickly. Simple, right?

Unfortunately, persistence is hard. It's why most organizations sprint to compliance instead. Just think about how quickly your digital environment can go from manageable to unmanageable. Complexity grows in multiples. A single new user means another machine, more assets, more accounts and more resources. Adding multiple employees across multiple divisions compounds the issue, but it doesn't make it any less critical.

Ok. Compliance is not, not important

You caught me. Compliance does have a place. An independent auditor evaluating your process is a good gauge of how you are doing, free from bias. This process, though, should be treated as a minimum standard of expectations, not a goal or overachievement.

Instead, imagine your compliance audit is scheduled like the cable company: "We will be there between the 1st and the 30th of the month during the hours of 6 AM and 11 PM, please be available." While the audit may still take just a few days, your organization will need operations to be alive and well for a sustained period, ready for when the "we are on our way" call comes in.

To take it to another level: move towards treating security operations as if a compliance audit could happen at random. When you think about it, this actually isn't too far-fetched. If your largest customer makes a push to have all vendors SOC 2 certified or an enterprise prospect asks to see how you handle the data you are ingesting, you are immediately on the spot for a makeshift audit. If your day-to-day operations are sound and your ability to produce evidence is simple, you can quickly and confidently move forward.

Persistence comes from assurance

The only way to be confident you are taking the right actions when it comes to maintaining a high standard of security operations is your ability to self-check and validate. Being able to prove that you are certain, and not just think you are certain.

At JupiterOne, we call this security assurance: the ability to identify what is happening in your environment at any time, without the extra resources you are able to pull during an audit.

In theory, this makes sense to a lot of organizations. In practice, the time doesn't exist. The teams are strapped. IT, Security and DevOps teams are focused on a lot of other demands that are time-sensitive. That means proactive tasks, even critical ones like those tied to cloud security and compliance, are going to be moved to the back burner.

When you look at an organization's technology stack, even just their security stack, there are dozens of tools operating in silos. Silos mean precious time is spent logging in and out. Running and consolidating reports. Looking for actionable steps. Silos mean oversights are rampant. It's unmanageable.

So our teams are strapped and the technology isn't helping. How do you reach security assurance?

Security assurance comes from simplicity

Think about a vast plain versus a mountain range. In which is it easier to identify a change in the landscape? Mountains of complexity can hide vulnerabilities and anomalies in behavior, while a simple landscape makes it easy to detect any noteworthy change. Quickly.

Having dozens of tools and thousands of alerts to navigate is hardly going to improve your organization's ability to respond to and remediate threats. In fact, most organizations find that as their security stack grows in complexity, the overhead of managing that complexity also increases. Things become unmanageable. It's a vicious cycle that doesn't change the fact that security breaches, and their impacts, are increasing.

When you prioritize your ability to better understand your environment and to more easily identify and remediate vulnerabilities over adding best-in-class tools, you'll find that your growing environment remains manageable for your IT, security and DevOps teams. You will also see that your production cycles stay short, and still secure.

When you prioritize simplicity in your security toolkit, compliance comes easy.

Happy Security from JupiterOne

P.S.

We at JupiterOne love security. We also love our compliance auditors and assessors. Living security with a DevSecOps culture can keep your employees, users and customers safe, as well as make your assessor's life easier. Compliance is important...it just isn't the end goal.

Simplify operations and achieve security assurance with JupiterOne.

JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
