DevSecOps is a great goal. But let’s face it: at most organizations, it’s more like DevStopOps. App development teams are running at 100-plus mph to get new business-critical apps to users, only to have security teams slam on the brakes in search of security and compliance vulnerabilities. Agility and security end up at odds with each other, and the real culprit is the absence of an automated, unified security policy.
At Fortinet’s recent Security Summit 2021, Tufin CEO Ruvi Kitov spoke about the challenges facing today’s Chief Information Security Officers in this era of agility. There are many challenges that CISOs face, of course—an increasingly fragmented network, a shortage of security skills, a growing number of connected devices, etc.—but the biggest challenge is the perception of security as a business blocker rather than a business enabler. How did security, whose job is to stop the bad guys, end up becoming the bad guy?
The problem starts with processes. For example, it’s not uncommon for app development to put security at the end of its process: developers design an app, build it, and only think about the security implications afterwards, rather than treating security as an integral part of good coding practice. But it’s not just the development process that’s broken. Even with the best security tools and segmentation technology, if it takes a week to make a change that the business has asked for, then the security policy process is obviously broken too.
You won’t win without automation
While I believe that automation is the answer to bridging the gap between security and agility, it’s not a simple answer. A lot of businesses are already using automation such as Ansible scripts for elements of their security but lack the network visibility to create unified security policies. So, the first step for security teams should be to take inventory of the policies they have today, measure them against their compliance requirements, and create an overarching security policy that can be applied consistently across networks, devices, and applications.
Having an overarching policy in hand allows security teams to quickly check for compliance and vulnerabilities. The reality is that DevOps won’t slow down for security. Security teams will still have to make quick decisions about who and what can access which applications. The goal should be to automate those decisions so that developers can get a quick Yes or No in minutes rather than days. It can’t be stressed enough: in a world where network complexity is expanding the business attack surface exponentially, you won’t be able to support DevOps with manual security processes. The best way to bring agility to your security posture is through security policy automation.
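The two steps described above, inventorying existing rules against compliance requirements and then automating the Yes/No for each access request, can be shown in a few dozen lines of policy-as-code. The following is an added example written for this page; it is not Tufin's, Fortinet's or any product's code. The zones, address ranges, allow rules, guardrails and the "legacy" inventory are all constructed assumptions for illustration.

```python
"""
Added example (not code from Tufin, Fortinet, or the original post): a small
policy-as-code engine that (1) audits an inventory of existing firewall rules
against compliance guardrails and (2) answers a developer's access request
with an automated Yes/No plus a reason. Zones, addresses, rules and
guardrails below are constructed for illustration, not a real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "*" for any
    dst_zone: str
    port: int       # 0 means "any port"
    action: str     # "allow" or "deny"
    note: str = ""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed zone map. "internet" is the catch-all; lookups pick the
# longest matching prefix so the specific zones win over it.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "app": ipaddress.ip_network("10.10.0.0/16"),
    "cardholder": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed compliance guardrails: deny rules that always win, the kind of
# segmentation requirement an overarching policy encodes once and reuses.
GUARDRAILS = [
    Rule("internet", "cardholder", 0, "deny", "no direct internet -> cardholder path"),
    Rule("dmz", "cardholder", 0, "deny", "DMZ must go through the app tier"),
    Rule("*", "*", 23, "deny", "cleartext telnet is prohibited everywhere"),
]

# Constructed unified allow policy: the flows permitted by default.
ALLOW_POLICY = [
    Rule("internet", "dmz", 443, "allow", "public HTTPS front door"),
    Rule("dmz", "app", 8443, "allow", "front door -> app tier"),
    Rule("app", "cardholder", 5432, "allow", "app tier -> payments DB"),
]


def zone_of(address: str) -> str:
    """Map an IP address to its zone using the longest matching prefix."""
    ip = ipaddress.ip_address(address)
    best: Optional[str] = None
    best_len = -1
    for name, net in ZONES.items():
        if ip in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    if best is None:
        raise ValueError(f"{address} is not in any known zone")
    return best


def _matches(rule: Rule, src_zone: str, dst_zone: str, port: int) -> bool:
    zones_ok = rule.src_zone in ("*", src_zone) and rule.dst_zone in ("*", dst_zone)
    port_ok = rule.port == 0 or port == 0 or rule.port == port  # 0 = any port
    return zones_ok and port_ok


def evaluate(src_ip: str, dst_ip: str, port: int) -> Decision:
    """Automated Yes/No for an access request. Guardrails are checked first so
    a permissive allow rule can never override a compliance violation; then the
    allow policy; then an implicit deny with a reason the requester can act on."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in GUARDRAILS:
        if _matches(rule, src_zone, dst_zone, port):
            return Decision(False, f"blocked by guardrail: {rule.note}")
    for rule in ALLOW_POLICY:
        if _matches(rule, src_zone, dst_zone, port):
            return Decision(True, f"permitted by policy: {rule.note}")
    return Decision(False, f"no policy allows {src_zone} -> {dst_zone}:{port} (implicit deny)")


def audit_inventory(existing: list) -> list:
    """Inventory step: list every existing allow rule that a guardrail would
    deny. These are the findings to fix before automation is switched on."""
    findings = []
    for rule in existing:
        if rule.action != "allow":
            continue
        for guard in GUARDRAILS:
            if _matches(guard, rule.src_zone, rule.dst_zone, rule.port):
                findings.append(f"{rule.src_zone} -> {rule.dst_zone}:{rule.port} violates '{guard.note}'")
    return findings


if __name__ == "__main__":
    # Constructed inventory, as if exported from an existing firewall.
    legacy = [
        Rule("internet", "dmz", 443, "allow"),
        Rule("internet", "cardholder", 443, "allow"),  # old exception, non-compliant
        Rule("app", "app", 23, "allow"),               # telnet never cleaned up
    ]
    for finding in audit_inventory(legacy):
        print("FINDING:", finding)
    for src, dst, port in [("10.10.1.5", "10.20.3.9", 5432), ("203.0.113.7", "10.20.3.9", 443)]:
        d = evaluate(src, dst, port)
        print("YES" if d.allowed else "NO ", f"{src} -> {dst}:{port}: {d.reason}")
```

The ordering is the security-relevant part: guardrails are evaluated before any allow rule, so a developer can be told "No" with the exact compliance reason in seconds, and the same guardrails double as the yardstick for auditing the rule base that already exists.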
For security’s sake, we need to work together
One of the key points that emerged from the recent Fortinet summit was the importance of working together. We were delighted to be a part of their event, even though it’s just a small piece of our broader partnership. The Summit gave us a great opportunity to have meaningful conversations with security decision makers across industries—and, of course, with the exceptionally smart people at Fortinet who we are constantly collaborating with to ensure we can both bring the best solutions into the market.
It’s no secret that there are a lot of security solutions in the market today vying for the attention of CISOs. But it’s only by bringing these solutions together in an integrated fashion that security companies can help customers achieve their best outcomes. After all, we good guys need to stick together if we hope to beat the real bad guys.