Here are Five Key Takeaways to Build a Best-in-Breed Security Architecture for Your Enterprise
Written by Fausto Lendeborg, CEO, Secberus.
Secberus was invited to participate in Plug and Play’s (PnP) Partnerships Transforming Healthcare: Healthcare and the Cloud event. Our CEO, Fausto Lendeborg was accompanied by Edmond Mack, VP Security Architecture at GSK as well as Jennifer Thomas, Managing Director of Health at PnP.
Jennifer moderates a lively, informative conversation that focuses on the relationship between the enterprise and the solution provider: how it started and why it’s continued. The common thread in this relationship is cloud governance, and, more specifically, what’s working and what’s not.
We distilled this conversation into five key takeaways centered around how to build a best-in-breed security governance strategy and architecture for your enterprise.
Takeaway One → Enabling digital transformation within your enterprise mandates real-time risk decision-making.
You need to understand risk in real time without blocking digital transformation. The marketplace has no shortage of tools that offer to help you do this. But many fall short because they don’t help the enterprise achieve the business value they are looking to gain. Tools don’t help organizations advance business needs, business solutions do.
The business needs to have the power to make security decisions. Technology should enable this power. The question to ask yourself is, “Can your organization, which is building thousands of applications, detect security risk in real time?” This is no longer a nice-to-have. This is essential. And closely following that question is the ability to operationalize the transfer of risk to the appropriate application owner in order for him or her to account for the risk.
The business value of real-time risk decision-making equals velocity in the cloud coupled with enabling operational security-solving capabilities.
Takeaway Two → Enable the business with security-by-design solutions.
How do you enable the business with security-by-design solutions? You install security-by-design principles:
- Everything needs to be secure. No blind spots. No guesswork.
- Focus on delivering business value.
- Communicate risk using business vocabulary to ensure security is understood in business context.
- Build a security dashboard that provides security risk visibility across the entire security landscape. Eliminate silos.
The modern enterprise is moving extremely fast and needs to keep their edge to compete. As your competitors move to implement faster methodologies and technologies, security needs to keep up. Security needs to enable the business at the speed that business decisions are made.
Takeaway Three → Security needs context in order to empower.
At the moment, we could easily say that any one security job is really three in disguise. It’s incredibly hard to keep throwing people at the problem when our people are already strapped so thin. What all enterprises need is a security posture dashboard that shows the proper context to the appropriate user.
There’s a lot of technology out there in our personal lives that is showing the value of context. Take new cars for example. Newer cars show the speed limit next to your actual speed. This is great context to help the user adjust in real-time. How do we get this type of context into the look and feel of our products so that users (and customers) know they’re operating inside the policies of their environment? If we achieve this, we can put the exceptions and controls in place to meet the needs of the business without causing friction.
Enabling security for the business means allowing the business to make security decisions with complete transparency.
Transparency comes in two layers:
- The first layer is that business mandates policy.
- The second layer is the application owner receives policy violations that are being governed by the business.
This business-first approach allows the leadership team to have the proper risk communication across the organization and allows security violations to be delivered per application, per business unit to the appropriate owner. This approach couples business value and risk perspective.
From a technical perspective, within our cloud environment, you want a single solution that can provide security, compliance and audit reporting in relation to our cloud configuration. Ideally, this gets security out of the conversation. It’s no longer about security teams getting the report and then going and talking to the business. Now the business needs to get the report, the business adjusts the (Jira) dashboard. It’s the business who has the security governance conversation and makes the decisions first.
Going back to the car analogy—think about if cars had no indicator lights. We wouldn’t know something was wrong until it was too late. Now we get the “out of oil” light before we’re out of oil. This is what we’re trying to do with our security governance. “Hey, you have no more windshield wiper fluid.” You (application owner) can solve for that.
But when things are more complex and when we know that, we can allot the right resources to focus on the more complex issues without the little ones getting in the way.
And this has to work at scale. What if you had to monitor one car versus 1000s of cars? As a security leader, you never want to have to say, “No. You cannot go with this release.”
With the type of transparency we are talking about here, we can alert and adjust for the issues that come up pre-release so that the business isn’t surprised by any potential delay or breakdown. Your security solution should allow you to be the security liaison to the business.
In order to implement this approach, you need to create the right amount of automation to communicate to the risk owner. And you need to deliver the risk to that risk owner in real-time.
By doing this, you give your leadership team the knowledge of risk at the application level and the impact of security for that application. In other words, security with context allows your business to move with speed and confidence.
Takeaway Four → Expectations have to be clear, and they have to be met.
At the end of the day, all businesses are marching towards growth in some capacity. Along the way, they encounter all sorts of hurdles. When it comes to implementing security solutions, here’s what you need to keep in mind:
- Address fear and build trust. Do this by delivering value.
- Build transparency into the equation. Let each other know when things change or when there are new needs. Especially if they affect current expectations.
- Don’t focus on the technology, per se. Focus on the relationship. (See key takeaway 3.)
Remember, solution providers are trying to tackle problems in order to help your enterprise.
You have to have real relationships. You have to be able to get past all the pleasantries and get to where the rubber meets the road. The relationship has to be cooperative. We’re talking about implementing some of the most complex technology out there, and it boils down to interpersonal relationships. This is how technology should be addressed within any organization.
Takeaway Five → Build relationships first, sell solutions second.
There’s so much noise in the marketplace. If all your enterprise wants is another tool or product, no problem. Go ahead and choose what you need to your heart’s content. But if you’re looking for a way to elevate how security is viewed within your organization, choose your products wisely.
It boils down to how you and your solution providers help each other. For both parties this includes listening to each other and sharing a common vision.
For the solution provider this means:
- Adjusting your solution to fit the needs of the market and, specifically, the potential users you are talking to now.
- Proving value—both for the business and for future users.
- Stay connected on all levels, not just security. Listen to all the enterprise pains across the board. It’s not only about what you can do from a security standpoint. It’s what security can also do from a business standpoint.
Taking this approach allows the solution provider and the enterprise to evolve together. And it allows the enterprise to bring a collaborative, innovative partner to the business.
Our future world is a cloud-first world. And all businesses are running a speed-to-market race. This inevitably means businesses will be forced to go down the cloud journey road. Knowing this, it’s extremely important for enterprises to get their cloud governance framework right. If you don’t define this, you’ll easily get lost in the flurry of new technology without achieving the value needed.
This is why, ideally, partnerships begin outside of any commercial operation. The beginning is a relationship, the contract comes later.
Hopefully these five takeaways are valuable to you as you think through your cloud governance strategy.
As a helpful exercise, next time you sit down to evaluate a solution, think about taking your security engineers out of the room. Instead bring in the business players and perhaps some of your key customers. This isn’t about taking away the ownership from security, but rather about starting with the end in mind. Afterall, you need to meet business, developer, and customer needs—as their needs drive the core requirements of the business and (hopefully) reduce the risk as these requirements are met.