Lately, I've been feeling like the direction of our industry—cybersecurity—has taken a severely wrong turn somewhere on the journey to securing businesses. If you're a business delivering value to people, the fundamental priority should be to secure the operations of the business. Remember the CIA triad? You know, Confidentiality, Integrity, and Availability aren't just concepts we learned in school—they're the foundation of everything we do. Every employee plays a role in achieving these three critical pillars of information security. Whether it's protecting physical data centers from catching fire or preventing unauthorized personnel access, software and cyber systems must also be designed with the CIA triad in mind. If your systems become unavailable because of code failures or ransomware attacks, what's the plan to restore operations? I can't help but wonder: have we lost sight of these principles in the rush to adopt the latest tools and trends? What's your take on how we can realign our focus and ensure our foundational security measures are rock-solid?
You took me all the way back to freshman year by bringing back the core principle of the CIA triad. It's certainly lost its esteem in today's rapidly scaling environments. Infrastructure, Reliability, and DevSecOps teams are key to this. Why investment in this area is not on the critical path for business decisions and product vision probably comes down to where the money mostly flows these days.
While I don't disagree, I'd love your perspective on why you think we've lost sight. What artifacts do you point to as the product of a failed mission?
The world has taken a risk-driven approach. In order to enforce governance, companies need to automate. Automation comes from tools, but a tool is just a tool. The problem is that the actual approach boils down to Risk-Driven Approach -> Tools; nobody cares about the people, PROCESS, technology approach anymore. Back to basics?
tagged to return
Dev[Sec]Ops Transformation Architect at Contrast Security
I don't think we've lost sight of CIA so much as we've absorbed them into other, lower-level concepts. I was in a meeting yesterday where the CISO's entire presentation was centered on CIA. I think for DevSecOps, though, the key is all about rapid, contextual feedback to the developers to get rapid resolution and shorten the risk window. Most organizations I speak with struggle with this. They have ever-growing inventories of open vulnerabilities, and vulns stay open something like 200 days on average. I'd much rather we get to 1-day resolution of the most critical ones and ignore the rest until that's cultural. Then expand to lower severities.