By Bobbie Stempfley, VP and Business Unit Security Officer, Dell Technologies
Even in a world where the value of cybersecurity is unassailable, certain paradoxes persist. For example, being transparent with both employees and end users about data management policies is a core component of digital trust. But too much transparency can impede information security: it gives not only users but also bad actors valuable insight into an organization's inner workings.
Such conundrums aren't new; many have challenged the industry for 20 years. But recently, the proliferation of technology into every corner of life and business, paired with the move to software-defined everything, has made them more prominent.
According to Dell's Innovation Index, which polled 6,600 decision makers from over 45 locations, only 41% say that security is embedded into their technology. Unraveling the complexities of the modern computing environment and the evolving threat landscape can help organizational leaders understand how to build a resilient framework.
Security paradoxes are marked by a set of underlying assumptions, five of which I've spent time musing over as Vice President and Business Unit Security Officer at Dell Technologies. Below is a synopsis of these assumptions and how both IT and business leaders can begin untangling these Gordian knots.
#1: Security vs. innovation
Perhaps the most common assumption is that security and innovation are at odds with one another.
The current technology landscape is riddled with "security debt": we have rapidly produced technology without building security into the foundation. Leaders in this field have pushed "shift left" programs, building security in and making it intrinsic to products rather than bolting it on retroactively. While this has made a difference, tensions still exist, and innovators and security practitioners are often at odds.
For example, it often seems that cybersecurity decision-makers always say no to innovation and view it as too risky. Security standards are a related area of contention, with product and design teams often viewing them as a hurdle to clear in pursuit of their innovation goals.
This is a false choice. In fact, innovators are 1.3 times more likely to say they are prepared for cyber threats, according to Dell's Innovation Index. Standards are an important safeguard that reduces risk. Arguably, they enable innovation, for instance by taking rote tasks off the table and allowing teams to innovate at levels higher up the stack.
#2: The software-defined-everything future is here vs. software's inherent vulnerability
Software-defined solutions give IT decision-makers the flexibility to define or redefine environments as needed, and as the larger technology landscape evolves. But of course, with more software comes more opportunity for security vulnerabilities, creating risk throughout the enterprise.
This evolving threat landscape reinforces the motivation to introduce security considerations, and to make meaningful evaluations, in the earliest stages of design. The agility of a software-driven world also creates opportunities that weren't previously available: we can model systems before building them out, highlight and correct security weaknesses before a product or feature is released, and adapt environments more rapidly as threats emerge.
#3: Boundaries vs. “perimeterless” security
There's a good deal of confusion about how to define boundaries in a supposedly boundless world, when in fact the enterprise boundary consists of countless smaller ones, both internal and external.
Zero trust is a key response to this reality. This security framework requires that no implicit trust be granted to assets or user accounts based solely on their physical or network location. While this is sometimes called a "perimeterless" approach, the truth is that its very foundation is predicated upon hundreds of thousands of small-scale boundaries: every access decision is made per request, per resource, rather than once at the network edge.
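To make the "many small boundaries" point concrete, here is an added illustration (not code from this article or from Dell) that places the anti-pattern zero trust replaces, implicit trust derived from the source network, beside a per-request policy check that ignores location and instead evaluates identity, group membership, device posture and MFA state against a policy scoped to the individual resource. The network ranges, users, resources and policy rules are all constructed for the example.

```python
"""Perimeter trust vs. per-request (zero trust) authorization.

Added illustration, not code from the original article or from Dell. It shows
the anti-pattern the article calls out (implicit trust from network location)
beside a per-request policy that evaluates identity, device posture and the
resource being accessed, so that each resource becomes its own small boundary.
All names, networks and policy rules are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships asserted by the identity provider
    src_ip: str
    device_managed: bool       # device is enrolled and its posture attested
    mfa_verified: bool
    resource: str
    action: str


# --- Anti-pattern: one big boundary, implicit trust from network location ---
CORP_NET = ip_network("10.0.0.0/8")   # constructed "corporate" range


def perimeter_allows(req: Request) -> bool:
    """Anything originating inside the corporate network is trusted for everything."""
    return ip_address(req.src_ip) in CORP_NET


# --- Zero trust: each resource carries its own policy; location is not a factor ---
@dataclass(frozen=True)
class Policy:
    allowed_groups: frozenset
    actions: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True


POLICIES = {   # constructed resource names and rules
    "hr/payroll-db": Policy(frozenset({"hr-payroll"}), frozenset({"read", "write"})),
    "eng/source-repo": Policy(frozenset({"engineering"}), frozenset({"read", "write"})),
    "public/wiki": Policy(frozenset({"employees"}), frozenset({"read"}),
                          require_managed_device=False, require_mfa=False),
}


def zero_trust_allows(req: Request) -> tuple[bool, str]:
    """Evaluate every request against the target resource's own policy.

    The source IP is deliberately never consulted. Unknown resources fall to
    default deny. Returns (decision, reason) so denials can be logged.
    """
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.groups & policy.allowed_groups:
        return False, f"{req.user} not in an authorized group for {req.resource}"
    if req.action not in policy.actions:
        return False, f"action {req.action!r} not permitted on {req.resource}"
    if policy.require_managed_device and not req.device_managed:
        return False, "unmanaged device"
    if policy.require_mfa and not req.mfa_verified:
        return False, "MFA not verified"
    return True, "allowed"


# Constructed sample requests.
CONTRACTOR_ON_CORP_WIFI = Request("c.smith", frozenset({"contractors"}), "10.20.30.40",
                                  device_managed=False, mfa_verified=False,
                                  resource="hr/payroll-db", action="read")
PAYROLL_FROM_HOME = Request("a.jones", frozenset({"hr-payroll", "employees"}), "203.0.113.7",
                            device_managed=True, mfa_verified=True,
                            resource="hr/payroll-db", action="write")
ENGINEER_LATERAL = Request("d.lee", frozenset({"engineering", "employees"}), "10.1.2.3",
                           device_managed=True, mfa_verified=True,
                           resource="hr/payroll-db", action="read")
PAYROLL_ON_PERSONAL_LAPTOP = Request("a.jones", frozenset({"hr-payroll", "employees"}), "10.9.9.9",
                                     device_managed=False, mfa_verified=True,
                                     resource="hr/payroll-db", action="read")


def compare(req: Request) -> dict:
    """Return both decisions side by side for one request."""
    allowed, reason = zero_trust_allows(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    for r in (CONTRACTOR_ON_CORP_WIFI, PAYROLL_FROM_HOME, ENGINEER_LATERAL, PAYROLL_ON_PERSONAL_LAPTOP):
        print(f"{r.user:8} {r.src_ip:14} {r.resource:16} {compare(r)}")
```

The two results that matter are the contractor and the engineer: both sit inside the corporate range and so pass the perimeter check, yet neither belongs to a group the payroll policy admits, so the per-resource check denies them. The payroll employee working from home is the mirror image, refused by the perimeter but admitted by the policy because identity, device posture and MFA all check out.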
#4: Security compliance vs. risk management
The traditional security maturation cycle starts with compliance: you define the rules and then measure people's compliance against those parameters. Today, we're moving toward an enterprise risk-management model that encourages organizations to intimately understand their risks and respond accordingly. The paradox is that a lack of negative outcomes is not necessarily indicative of a good risk management program; and conversely, a security issue does not by itself mean a bad risk-management decision was made.
Put in a different context: you go to the doctor to get the best medical advice, and you make the best decisions you can with that guidance. But simply being proactive doesn't guarantee you stay healthy. In security, when a negative outcome occurs, you have to examine the contributing factors and connect the dots. It's easy to assume that a security issue is indicative of a weak compliance framework, and while there is certainly a hygiene component, there is more nuance than that. Hygiene comes first, but there are also reaction and resilience elements, and they're critical.
Adopting a resilient approach to security means preparing for threats but also ensuring the ability to recover quickly. Having the infrastructure, incident response plan and training in place creates a path forward so that if operations are disrupted, they can be recovered as soon as possible.
#5: Responsibility for one vs. culpability of all
In a world that requires risk management, it has become crucial to have a strategy that outlines clear ownership and responsibility for mitigating and recovering from threats. More and more in the cybersecurity industry, we hear talk of organizations being "responsible for themselves" and their own safeguards. But in truth, every company is a tech company these days, and as such, we are all interconnected.
While there is never a zero-risk scenario, companies must hold themselves accountable at the individual level precisely because security is a team sport: one organization's gap becomes its partners' exposure. One key to success is having a thorough knowledge of all assets in your environment. Getting the complete picture is of utmost importance for protection and resilience.
At Dell, when thinking about the collective versus the individual, we understand that it's not just about our customers and the kinds of technologies we provide; we have an obligation to ensure the technology we create doesn't introduce risk. One key thing we do when analyzing risk is to account for the human factor. By stepping back and thinking more about the people who use our technology, we can become more secure.
Security paradoxes will only grow in emphasis, and in impact, as technology and IT environments rapidly evolve. Many of them fall under one fallacious umbrella: the idea that security is a "solvable" problem. In truth, security is inherently made up of competing concepts that need to be worked through rather than simply solved for.
There is rarely a single answer to its more pressing conundrums. Adopting a resilient mindset, rather than one limited to protecting, detecting and responding, just may be the mentality and cultural shift needed to fuel further progress.