The document discusses how security approaches need to adapt to new digital disruptors. It argues that traditional security governance is not adequate for fast-paced business models and can inhibit innovation. A new security mindset is needed that focuses on breach acceptance, resiliency, and securing data rather than trust. It also recommends decentralizing security ownership across teams, incorporating security earlier in the software development lifecycle through DevSecOps strategies, and instilling a security culture to drive key business objectives.
Security of the future - Adapting Approaches to What We Need
1. Security of the Future
ADAPTING APPROACHES TO WHAT WE NEED
Presented by Leela A. Putten, Game On Disruptors! Conference 2018
IITP SA
2. Agenda
Introduction – Latest Digital disruptors
Security Mindset
IT Security Compliance and Risk
Software Development Lifecycle (SDLC)
Way Forward
Q & A
3. Digital Transformation
Impact on Security
The rate of change in the digital world has been growing exponentially in recent years.
With the rise of the Internet of Things, mobile technology, big data, cloud, artificial intelligence and other recent technology advances such as cryptocurrency, the following impacts are noticeable in the cybersecurity world:
• The security scope and the complexity of the work are increasing, which introduces skills constraints.
• Traditional security governance approaches are not adequate for fast-paced and customer-centric business models (they can inhibit innovation and alienate the business).
• The digital mindset requires a new way of implementing security measures that is more adaptive and context-driven.
4. Digital Transformation
Impact on Security
According to Gartner, it is predicted that in 2020, 60% of enterprises' IT security budget will be allocated to rapid detection and response approaches.
We shall look at these three important areas in the next slides:
• What change in security mindset is required to embrace the digital transformation?
• What change is needed in IT Security Compliance and Risk practices?
• What change is required to have a secure Software Development Lifecycle?
5. A New Mindset to Security
According to the Breach Level Index, 2017 has seen new trends in data breaches. Security incidents are getting faster and larger in scope, with an astounding 87.5% increase.
Current Mindset: Breach Prevention / Focus on Outsider Attacks
What we need: Breach Acceptance
• Focus on the principles of resiliency and on securing the data, not just on trust.
• Focus on threat modelling of potential security breaches and proactively put mitigation plans in place.
Source: https://www.breachlevelindex.com/data-breach-mindset
6. A New Mindset to Security
What we need:
• Empower the developers with tools that will enable them to secure the code upfront.
• People-centric security. Incorporate security training and education in the graduate programme and compulsory compliance training in the workplace.
• A security mindset should be at a business level, not just IT. Focus should be on value, and budgets should be correctly sized to ensure that security is built in to detect and mitigate issues earlier.
7. IT Security Compliance and Risk
Business continuity through risk minimization and security compliance is a key objective for IT Security Compliance and Risk teams.
The challenge is that current IT Security teams are often viewed as obstacles to business innovation!
This often results in deviations from security best practices in some workplaces, whereby teams dissociate themselves from the security team and request waivers from the business.
New legal requirements such as the POPI Act are an example of how securing data is becoming the top priority for legal, risk and security governance teams.
Current Reality:
• Traditional structures are too rigid and alienate the business.
• They limit scalability in terms of skills and budgets.
• There is a trend of simply 'ticking the box' when it comes to compliance.
8. IT Security
Compliance and Risk
What we need:
• Decentralise ownership of several elements of security and incorporate them across the entire value chain, ranging from the PMO team and Operations Management all the way up to the CIO.
• Quicker processes should be managed at project level, whereby the risk appetite is correctly sized before driving compliance, with better contextualisation.
• IT Security Compliance and Risk should also focus on prediction, response and detection over and above prevention.
Source: Gartner, https://www.gartner.com/
9. Securing the SDLC
The Software Development Lifecycle is constantly being optimised to speed up delivery, with the latest movement being DevOps.
Current Reality:
• Security often happens towards the end of the lifecycle, and vulnerabilities are fixed in production.
• Security is often only budgeted for high-risk projects.
• It is still perceived in small pockets as an expensive tick-box auditing exercise against outsider attacks.
Source: OWASP, The Testing Guideline, https://www.owasp.org/index.php/OWASP_Testing_Project
10. Securing the SDLC
What we need:
• Apply Deming's 14-Point Philosophy alongside Agile principles to build quality and security into the SDLC.
• Focus on DevSecOps strategies to incorporate security:
  - Security as Code (Secure Test-Driven Development).
  - Integrate security testing tools in the build pipeline and automate them to run for every commit.
  - Encourage cross-functional collaboration between planning, development and operational teams.
• Security patterns should be verified and validated in the solution architecture at the design level. This promotes a resilient architectural runway.
Source: https://simpleprogrammer.com/security-code-secure-devops/
Source: http://www.devsecops.org/presentations/
11. Way Forward
• Know your rights in cyberspace, both as a consumer and as a provider. Adopt a more CLIENT FOCUSED philosophy to drive key business objectives like faster time to market.
• Relook at your current structure's efficiency and assess the needs of your business to be more competitive in the digital space. Aspire to a secure LEAN VALUE Chain.
• Demystify security by providing more awareness around its importance and embracing the need to make everyone a part of the security fabric of your business. Instil a SECURITY CULTURE.
13. References
OWASP, The Testing Guideline, available at: https://www.owasp.org/index.php/OWASP_Testing_Project
The Breach Level Index, available at: https://www.breachlevelindex.com/
Managing Risk and Security at the Speed of Digital Business, author: Tom Scholz, Gartner, 2016.
World Quality Report 2017-2018, available at: https://www.capgemini.com/service/world-quality-report-2017-18/
Shifting Security to the Left, A DevSecOps Journey, author: Shannon Lietz, 2016.
DevSecOps, available at: http://www.devsecops.org
Security as Code: Why a Mental Shift is Necessary for Secure DevOps, available at: https://simpleprogrammer.com/security-code-secure-devops/