Driving change at scale: What will keep CISOs busy in 2021?
As nations around the world grappled with global health risks in 2020, businesses — including ours — responded to the emergency with ad-hoc work-at-home arrangements to keep employees both safe and productive. That abrupt shift put the added strain on CIOs, CTOs and CISOs to ensure that employees could access the full set of services and applications needed to do their jobs securely (from wherever they’re working).
Heading into 2021, companies now need to ensure that those improvised changes to infrastructure and process are both resilient and secure — while continuing to press forward on other transformation initiatives.
To get the security leader’s point of view on which security issues will demand CISO, CIO and CTO attention in 2021, I chatted with our own Zane Lackey about how businesses will continue to re-think workflow and re-architect infrastructure in 2021.
“Because of the pandemic, organizations unexpectedly shifted priorities, and that revealed parts of their processes that needed to scale,” he says. “They stepped on the gas of digital transformation — projects that were on a five-year time horizon got compressed into eight months.”
As the former CISO at Etsy and then Signal Sciences, Zane is familiar with having to adjust to rapid technology and business shifts. Indeed, he notes that companies frequently find themselves having to play catch-up with their infrastructure.
“We often fight huge battles to get something established and working, and then it’s time to go back and see what part of the process was just totally papered over.”
The full conversation follows.
Q: How is the move to remote work impacting apps and APIs?
Zane: There is much more focus on digital transformation and zero-trust architectures, especially the need for continuous monitoring of applications and APIs. If you typically protected internal apps with physical appliances and then your apps suddenly had to shift to the cloud to accommodate remote workers, you need to find a new approach to protecting those apps.
As you scramble to bring all these technologies online and your business into the cloud, it’s almost certain that your development teams are bringing in new technologies for their use. So, having defensive technologies that work with any of those architectures becomes critical. You may have gone from a big monolith Java app in a data center — and you may still have that — but you also have a bunch of new ones running in the cloud, in containers, and in serverless environments. Now you need technology that can uniformly protect all of that.
The obvious challenge has been scale, both in terms of company process and technology. This is something that’s burned me multiple times in my career. You have something that’s working pretty well — whether it’s a specific detection rule or software tool — and you had it on your mental roadmap to replace it in a few years. But you just didn’t want to tackle that project right now. And then suddenly you have a burst of scale that the tool can’t handle, and it completely falls over. Now, something that was always project #7 on the to-do list suddenly has to become project #1.
The COVID-sparked migration to digital and remote services has revealed plenty of those situations. A lot of customers have had to suddenly rip out legacy systems because they didn’t scale, and they needed something in their place that scaled to support the 10x or 100x increase in traffic they saw almost overnight.
Q: As companies scale infrastructure, what challenges do they face?
Zane: There are two dimensions to this. There’s scale in terms of volume. If you’re a news site, where everyone’s refreshing the news all day, your traffic volumes are going up 100 times. But the other kind of scale is horizontal — the number of technology platforms. If you’re a CISO, you have to deal with shifts in traffic due to COVID and work-from-home. That means shifting from technologies that were only built for one level of traffic to technologies that won’t fall over when there are massive bursts.
Each company approaches the challenge of scale and questions of internal versus external differently. Some just didn’t know how to do anything remotely. Others may have been 24 months into a transformation, and so they were able to push their digitization projects forward quickly.
Change in visibility is also a challenge for companies as they go forward. Visibility is especially important now because no one’s working in the same room anymore. You used to have cobbled-together visibility that you would get naturally from just being in the office. Now, we’re all sitting in our own rooms, and we’re not overhearing anything from other departments. We’re missing the water-cooler chatter that will often lead to awareness about new projects. From a security perspective, companies need to quickly move past legacy technologies that have limited visibility or that are siloed to security teams. Instead, they need security software that gives them visibility across the organization, allowing developers and IT and security teams to collaborate and see what’s going on together.
Q: How are these shifts impacting how we think about APIs and app development?
Zane: There is a much greater focus on APIs. All of these mobile apps have suddenly become indispensable and APIs power them. For example, think about a store with curbside pickup and delivery. APIs are required for so many components: APIs for mobile ordering. APIs for partners to check on inventories. APIs for keeping track of the status of the order, from the warehouse or store to the curb. And you need to be able to get reliable data 50 times a day because things are flying off the shelves. Those are the areas where APIs are now critical.
The problem with APIs is that they were often an afterthought for both product and security teams. They were hard to test. Companies need to recalibrate their strategy to map to the increased importance of APIs. It’s now vital to security strategy.
Q: How are these shifts impacting the relationship between engineering and security organizations?
Zane: The truth is this relationship was, more often than not in most large enterprises, quite political and difficult. Security would struggle to get buy-in with app teams because often whenever they brought in new security technologies, the tools would break the apps or APIs that the dev teams were building. And now, app developers are not even seeing the security team in the office anymore. Unless you’re in a highly regulated industry where you can’t ignore security for legal reasons, the reality is: It’s never been easier to ignore security — especially if it isn’t providing value. It’s one thing to try to say “no” if everyone is in the office. It’s another thing to try to say “no” to a remote team working on a project.
The key takeaway is that security cannot just rely on a ‘because-I-said-so’ approach. It has to provide value. It needs to provide technologies that support modern application and development architectures. It needs to provide visibility. If you’re a CISO, make sure that you’re modernizing security platforms or aligning tools with DevOps and the rest of the business. This is a chance to step up.