What Does Digital Transformation Mean for Security and Compliance?

by Erkang Zheng

I recently attended the Gartner Symposium ITXpo in Orlando, with nearly 10,000 other CIOs and IT leaders. It was an exciting week with conversations concentrated around the future of technology, advancement in healthcare, machine learning, augmented intelligence, cybersecurity and privacy.

Most strikingly, in each session and in nearly every individual conversation I had, there was a running, consistent theme: Digital Transformation.

No matter the size, scope or industry of their organization, nearly every individual I talked to at the event was either already embarking on or planning for the journey of digital transformation. This even included people from departments in the public sector that have been especially inundated with legacy systems and processes.

At its core, Digital Transformation is a mindset. It's about transforming process and culture. The transformation is fueled by the adoption of Cloud, DevOps and Automation. It is a shift from centralized systems, waterfall development and functional teams to distributed computing, agility and shared responsibilities.

Why? The why that drives the decision to tackle such a large, complex change should be substantial. It should be impactful. Why do established, profitable organizations invest millions of dollars and thousands of hours into a painful change that seemingly leaves them exactly where they were when they set out? Because of where it allows them to go with the most important measurable outcome: the customer experience (both internal and external).

With digital transformation ...

  • External customers experience better products, faster.
  • Internal customers (employee and developer) experience the freedom to work anywhere on any device, to choose the best tools, empowering them to experiment, fail fast and innovate.

That is why digital transformation matters.

So, what does this mean for the security and compliance industry? Where are we in our digital transformation journey? Security was built on the concept of walls (layers of defense), stringent processes, separation of duties and the confinement of systems and restrictions to users. It is the anti-customer experience.

My week at the Gartner conference reminded me of my first-hand experience at Fidelity Investments. I was the head of software security for Personal Investing, an organization within Fidelity that had gone through a massive transformation to become a digital technology company first, and a financial services firm second. Personal Investing was obsessed with better customer experience, and wanted to compete with the Fintech disruptions. As part of the transformation, we started distributing the responsibilities of security. We moved the task of security from a wholly centralized enterprise functional team, to the technology organization within the business unit, and then eventually to each individual scrum team. We started "digitalizing" security control points, traditionally enforced by people and process, into code via automation.

Security and compliance need a digital transformation. But how do we accomplish this?

Keep it simple. Keep it open. Keep it going.

Simple

You don't need a large number of commercial tools and solutions, an army of consultants or an encyclopedia-worth of manual processes to build a complete and sound security operations and compliance program.

First, assess what you do have and focus there.

  • If you are using AWS, G Suite, GCP or Azure, you likely already have a good set of cloud-native controls at your disposal, including capabilities like single sign-on (SSO) and multi-factor authentication (MFA).
  • Or the Config and GuardDuty services in AWS.
  • And of course, the correct usage and configurations of your VPCs and Subnets, Security Group rules, and IAM policies.

Next, look for gaps.

  • There is plenty of good open source software you can adopt and integrate. For example, you can use `npm audit` to scan the open source dependencies in your JavaScript code and identify security vulnerabilities.
  • Or `OSSEC` for host-based intrusion detection.
  • Or `osquery` to easily instrument your user endpoints for visibility and configuration compliance.
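
One way to turn the `npm audit` check above into an automated pipeline control, as an added example that is not code from this article or from LifeOmic. It assumes the JSON report layout produced by `npm audit --json` on npm 7 and later; the function names, the default threshold and the sample report are this example's own constructions.

```javascript
// Added example: pipeline gate over `npm audit --json` output (npm 7+ report layout).
const SEVERITY_RANK = new Map([["info", 0], ["low", 1], ["moderate", 2], ["high", 3], ["critical", 4]]);

// Unknown severity labels rank as critical so a changed format cannot pass silently.
const rank = (severity) => SEVERITY_RANK.get(severity) ?? SEVERITY_RANK.get("critical");

// Constructed sample report; the package names are placeholders, not real advisories.
const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-logger": { name: "example-logger", severity: "high", isDirect: false,
      via: ["example-parser"], fixAvailable: false },
    "example-parser": { name: "example-parser", severity: "critical", isDirect: true,
      via: [{ title: "constructed advisory", severity: "critical" }], fixAvailable: true },
    "example-colors": { name: "example-colors", severity: "low", isDirect: false,
      via: [{ title: "constructed advisory", severity: "low" }], fixAvailable: true },
  },
  metadata: { vulnerabilities: { low: 1, high: 1, critical: 1, total: 3 } },
});

// Returns { pass, reason, blocking }. Output that cannot be read fails closed.
function evaluateAudit(reportJson, threshold = "high") {
  if (!SEVERITY_RANK.has(threshold)) throw new Error(`unknown threshold: ${threshold}`);
  let report;
  try {
    report = JSON.parse(reportJson);
  } catch (err) {
    return { pass: false, reason: "audit output is not valid JSON", blocking: [] };
  }
  const vulns = report && report.vulnerabilities;
  if (typeof vulns !== "object" || vulns === null) {
    return { pass: false, reason: "audit output has no vulnerabilities section", blocking: [] };
  }
  const blocking = Object.entries(vulns)
    .filter(([, v]) => rank(v?.severity) >= SEVERITY_RANK.get(threshold))
    .map(([name, v]) => ({
      name,
      severity: v?.severity,
      direct: Boolean(v?.isDirect),
      fixAvailable: Boolean(v?.fixAvailable), // npm reports either a boolean or a fix object
    }))
    .sort((a, b) => rank(b.severity) - rank(a.severity) || a.name.localeCompare(b.name));
  const reason = blocking.length
    ? `${blocking.length} package(s) at or above ${threshold}`
    : `nothing at or above ${threshold}`;
  return { pass: blocking.length === 0, reason, blocking };
}

console.log(evaluateAudit(SAMPLE_REPORT));
```

In a pipeline, the step would feed the real report to `evaluateAudit` and exit non-zero when `pass` is false, printing `blocking` so the whole engineering team sees what held the build.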

Remember, the goal is to make your security controls work efficiently and effectively together, not to buy the best out-of-the-box product.

Every time you add a tool, you introduce new complexity and cost (both in resources and time). This increases the likelihood of new gaps and risks in your overall security posture.

Complexity makes it easy for attackers to hide their tracks. Simplicity makes it easy for you to spot them.

Open

You want to embrace a culture of transparency in your organization, where security policies and operations are discussed and enforced openly rather than behind closed doors among just the security team. You want your entire technical and engineering team to have direct visibility of security events, alerts and vulnerabilities so that they can more effectively help with remediation. Otherwise, security teams are just "in the way" of security.

You want to engage your users, not distance them. You want to empower your users to help you in the effort to maintain security, not turn them against you.

Your security policies should be easy to understand for anyone in the organization, and the procedures should be simple to follow. Find ways to say "yes" to user requests for access to technology and applications. This keeps the requests front and center and the organization innovating. Saying no too often leads to your users actively avoiding you in the process or finding ways to bypass the controls that you thought were protecting them.

Embracing openness also means you should get external, crowd-sourced help. For example, you can have a responsible disclosure or bug bounty program so that users and white hat hackers can proactively and responsibly inform you of any security findings before they become a breach. This is almost more valuable than typical once-a-year external penetration testing.

Ongoing

Being secure at one point in time only matters for that point in time. It means nothing for your organization's future. The goal, instead, should be a reliable, scalable, ongoing security operation. To do that, you must rely on automation to build security into your DevOps pipeline and your business processes, and to continuously monitor and instrument your environments and controls.

In a digital organization, changes are quick and constant. If your security operations cannot keep up, they go from being gatekeepers to bottlenecks and quickly get left behind, pushed aside or simply forgotten.

Security operations, very much like agile development, need to iterate and continuously improve.

Simple, open, continuous.
Now, that's how digital security is supposed to be.

This is how we built the security and compliance program at LifeOmic, a digital-born, cloud-native technology company. We take a data centric approach to managing risk and information security. For example, we leverage technologies like multi-factor authentication and the assume-role capability in AWS to establish on-demand temporary access. We develop lots of automation to create an immutable deployment pipeline with automated change approvals. We rely on the ephemeral nature of cloud resources to constantly keep our environments up to date while dramatically reducing the possibility of persisted attacks and limiting the blast radius.
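
A sketch of how the MFA-plus-assume-role control described above can itself be checked by automation, as an added example that is not LifeOmic's or JupiterOne's code. It inspects IAM role trust policy documents for the `aws:MultiFactorAuthPresent` and `aws:MultiFactorAuthAge` condition keys; the one-hour age limit, the function names and the sample policy are assumptions made for this example.

```javascript
// Added example: audit role trust policies for the MFA requirement on sts:AssumeRole.
const MAX_MFA_AGE_SECONDS = 3600; // assumed organisational limit, not from the article
const asArray = (x) => (x === undefined ? [] : Array.isArray(x) ? x : [x]);

// Values for `key` under the exact operator, or null; key names match case-insensitively.
function conditionValues(condition, operator, key) {
  const body = (condition || {})[operator] || {};
  for (const [k, v] of Object.entries(body)) {
    if (k.toLowerCase() === key.toLowerCase()) return asArray(v).map(String);
  }
  return null;
}

function auditTrustPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, index) => {
    const actions = asArray(stmt.Action).map((a) => String(a).toLowerCase());
    const grantsAssume = stmt.Effect === "Allow" &&
      actions.some((a) => a === "sts:assumerole" || a === "sts:*" || a === "*");
    // Service principals cannot present MFA, so only account/user principals are checked.
    const p = stmt.Principal;
    const accountPrincipal = p === "*" || Boolean(p && p.AWS !== undefined);
    if (!grantsAssume || !accountPrincipal) return;
    // BoolIfExists does not count: on an Allow it also matches requests with no MFA key at all.
    const present = conditionValues(stmt.Condition, "Bool", "aws:MultiFactorAuthPresent");
    if (!present || !present.every((v) => v.toLowerCase() === "true")) {
      findings.push({ statement: index, issue: "mfa-not-required" });
      return;
    }
    const age = conditionValues(stmt.Condition, "NumericLessThan", "aws:MultiFactorAuthAge");
    if (!age || !age.every((v) => Number(v) <= MAX_MFA_AGE_SECONDS)) {
      findings.push({ statement: index, issue: "mfa-age-not-bounded" });
    }
  });
  return findings;
}

// Constructed trust policy; the account ID is a placeholder.
const ACCOUNT = { AWS: "arn:aws:iam::111122223333:root" };
const allow = (Principal, Condition) => ({ Effect: "Allow", Principal, Action: "sts:AssumeRole", Condition });
const SAMPLE_POLICY = { Version: "2012-10-17", Statement: [
  allow(ACCOUNT, { Bool: { "aws:MultiFactorAuthPresent": "true" }, NumericLessThan: { "aws:MultiFactorAuthAge": "900" } }),
  allow(ACCOUNT, { BoolIfExists: { "aws:MultiFactorAuthPresent": "true" } }),
  allow(ACCOUNT, { Bool: { "aws:MultiFactorAuthPresent": "true" } }),
  allow({ Service: "lambda.amazonaws.com" }),
] };

console.log(auditTrustPolicy(SAMPLE_POLICY));
```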

Modern Cybersecurity Manifesto

The process was eye opening. The whole industry needs to wise up to the idea that it isn't about the tools or the rules or frameworks. It's the mindset that matters. The mindset is what can drag an organization to a halt when they could be accelerating.

This became our own modern cybersecurity manifesto: https://securitymanifesto.net.

You can check out more details of the top ten principles of our security architecture and operating model on our website: https://lifeomic.com/security.

  • Assume compromise; but expose no single point of compromise.
  • Track everything since you cannot protect what you can't see.
  • Engage everyone for there is power in the crowd; two is stronger than one.
  • Automation is key because people don't scale and changes are constant.
  • Build products that are secure by design and secure by default.
  • Favor transparency over obscurity, practicality over process, and usability over complexity.

We used this mindset and operating model at LifeOmic. With the model in place, combined with the automation that we built, we achieved base compliance in a mere three months and received a higher level of certification six months later. That is digital transformation for the security industry.

We did not stop there. We want other technology organizations and digital teams to experience security and compliance the way we have. Earlier this year, we released JupiterOne, aimed at simplifying digital security, by providing continuous instrumentation and monitoring of cloud environments and controls, as well as automated reporting and evidence collection for compliance.

We use JupiterOne as a single source of truth, a place where data is continuously ingested and consolidated, for anyone on our team to ask simple questions and get the right answers back about our digital environments, resources and controls.

Again — Simple, Open, Continuous — that’s how digital security is supposed to be. (aka the SOC for modern cybersecurity)

The digital transformation is coming. Are you ready?

Erkang Zheng

I founded JupiterOne because I envision a world where decisions are made on facts, not fear; teams are fulfilled, not frustrated; breaches are improbable, not inevitable. Security is a basic right.

We are building a cloud-native software platform at JupiterOne to deliver knowledge, transparency and confidence to every digital operation in every organization, large or small.

I am the Founder and CEO of JupiterOne, and also a cybersecurity practitioner with 20+ years of experience across IAM, pen testing, IR, data, app, and cloud security. An engineer by trade, entrepreneur at heart, I am passionate about technology and solving real-world challenges. Former CISO, security leader at IBM and Fidelity Investments, I hold five patents and multiple industry certifications.
