Security Teams Need a Higher Appetite for Risk
Prisma Cloud from Palo Alto Networks sponsored this podcast.
Security teams need a higher appetite for risk. While accepting, and even embracing risk is widely accepted outside the sphere of IT, risk also often plays a role in DevOps operations, developer and SRE team culture. However, security teams typically have yet to accept and manage risk in this way.
This edition of The New Stack Makers podcast, hosted by Alex Williams, founder and publisher of The New Stack, previews our upcoming ebook, The Best of DevSecOps: Trends in Cloud Native Security Practices, with a discussion on how and why security teams need to rethink risk, with the aim of improving resiliency and achieving other benefits that thus far have remained elusive for many organizations.
Featured guests are all contributing authors in the ebook: Matt Chiodi, chief security officer of Public Cloud at Palo Alto Networks, Meera Rao, senior director of product management, Synopsys and Tal Klein, chief marketing officer, Rezilion.
Currently, organizations typically issue and assign a job ticket to fix a vulnerability once discovered, Klein noted, without knowing whether the “vulnerability actually represents risk or not.”
“I think that until we get over that fact, and build infrastructure that can withstand an attempted breach and without having to worry about whether there’s a vulnerability or a zero-day or any of these things in our code, and just say, ‘look, it’s up there, it’s running — if something goes wrong, we’ll bring it back to last known good,’” said Klein. “And until we’re accepting that risk appetite, and become more like insurance company actuaries rather than sort of like the U.S. Marines first lines of defense, we’re going to remain in this weird sort of limbo when it comes to security and DevOps.”
The resilience factor also plays a huge role in how DevSecOps teams can change their risk-assessment and risk-management cultures. In this way, resilience can mean that software has fewer likelihoods of having defects, Rao explained.
“So, when we say defects, does it mean just quality? Or does it mean security?” said Rao. “In our case, I think it’s both: the fewer quality, as well as security, defects [your software has], the more resilient your software is. And whether you’re using DevOps practices, or whether you’re using SREs, one of the goals is to build better software with high quality and security, which, in turn, translates into more resilient software.”
On the surface, a higher level of risk appetite may seem “like an oxymoron, because most security teams would say ‘our job is to do the opposite: to help manage, and where we can, reduce risk in the organization,’” said Chiodi.
Specific steps security teams can take to better manage risk is to access “seven or eight different metrics that organizations can look at that both focus on effectiveness and efficiency,” said Chiodi.
“I think if security teams have that confidence, that they’re looking at the right metrics, they can develop that trust and that appetite around, ‘O.K., let’s go faster, because we’ve got this built-in, kind of early-warning systems to know if something might happen,’” said Chiodi. “‘We’re not waiting until there’s a vulnerability — we’re actually proactively looking and tracking these things on an ongoing basis.’”