Work-Bench Snapshot: Augmenting Streaming and Batch Processing Workflows
The Work-Bench Snapshot Series explores the top people, blogs, videos, and more, shaping the enterprise on a particular topic we’re looking at from an investment standpoint.
As ransomware and major vulnerabilities run rampant, security has remained a high priority for organizations even during the recent downturn. Looking at the data, global businesses ranked cyber incidents as their top risk in 2022 as a record-breaking number of global cyber attacks hit last year, including numerous high-profile incidents like the Log4j vulnerability. Now, boards are scared of what a high-profile attack could do to their bottom line, so budgets continue to expand for needed security precautions and thoughtful security programs.
Frequent cyber attacks coupled with the security industry’s last few years of growing pains - the transition to working from home (outside the established safety of the corporate office), the rising complexity of distributed teams, and the growing infrastructure stack - have put mounting pressure on security organizations.
However, all that weight shouldn’t rest solely on the security teams’ shoulders. In fact, nowadays the most challenging part of security isn’t convincing people they need security, but providing actionable guidance on how to be secure. To do that, everyone in an organization, not only the security team, needs context and data about how to make the right decisions. Security teams can help provide that.
The concept of the weakest link isn’t new in security. In weak link systems, like soccer, if you want to build a great team, what matters is the strength of your worst player. It’s not enough to have one or two superstars because everybody’s actions have an impact on the final score.
Therefore, it's important for security organizations to communicate with and rely on all of their stakeholders. This is how you instill a better security culture across the company and also provide clarity upwards for executives and governance boards on how the security program is performing.
Unfortunately, the tools that we have to do this today are so high level that they’re ultimately ineffective outside of security teams (e.g. risk registers). However, we’re starting to see the communication of security transform. For example, infrastructure and operations teams get visibility into cloud environments and triage of vulnerabilities with cloud security posture management (CSPM) tools like CloudQuery and Wiz. Cybersecurity leadership, company executives, and boards get metrics on the business outcome of their security program with cybersecurity performance management solutions like SeeMetrics. Developers get quality and security issues surfaced continuously in their development flow after each pull request with solutions like r2c and Snyk. Your wider employee base can get timely advice about patching and locking down their user accounts from security awareness companies like Elevate Security and open-source tools like Stethoscope.
To align an organization on a common security mission, it’s critical to show stakeholders the real, continuous data relevant to them. This can be thought of as “security dashboards for everybody else” - aka up-to-date metrics or guidance that product and business teams can use to measure and track their security posture and drive decision making.
But doing this right is tricky given how faulty and overly complex metrics can immediately lose stakeholder trust. Here are some ideas on how to redefine security dashboards to be most effective:
Security doesn’t need to be invisible. In fact, it should be front and center. Accountability and understanding individual actions on security debt go a long way. Going forward, I can even see this translating into premium features provided by the infrastructure, developer, analytics, and productivity tools themselves. This could give way to the next-generation security company with baked-in vs. bolt-on features for easier adoption.
In this age of growing cybersecurity risk, security hygiene is a growing realization for decision makers across startups and enterprises of all sizes. As the responsibility trickles down from CISOs and security teams to individuals across the entire organization, everyone needs to play a part. Until security dashboards for all become widespread in the enterprise, remember, we’re all in this together!
If you’re a startup building a security solution for the enterprise or a security practitioner in the enterprise looking to chat through these topics, please reach out!