Cloud Security

Security survives the budget ax
Written by ga_dahmani
The good news is that, recession or not, security remains a largely untouchable line item for CIOs, according to new data from Morgan Stanley Research. The bad news is that none of that spending will help if those same CIOs don’t patch their software. AWS Vice President Matt Wilson is absolutely right when he argues: “It is the responsibility of the consumer of software deployed on security- or reliability-critical systems to securely patch it (among other things), or retain the services necessary for it to be maintained for them.”

However, it is also true that unpatched software, open source or otherwise, remains the largest attack vector for hackers. This is perhaps a bigger problem for open source, not because it’s not inherently secure (the opposite is closer to the truth), but because it’s so widely used. As such, we can continue to pour money into open source security, but if companies don’t bother to patch the software they depend on, how much will it help?

More money, less problems?

First, the good news: CIOs, once reactive in prioritizing security spending, are now becoming proactive. By Gartner’s estimate, companies spent more than $150 billion on security products in 2021. That’s a lot of money, and it doesn’t look like it’s going to slow down in 2022 or beyond. When asked which IT projects they were most or least likely to fund if the economy hits a downturn, CIOs placed security at the top of the list for immunity to cutbacks (ahead of everything else, including digital transformation, a strong second) and near the top for spending growth, right behind cloud computing. This marks real progress, as security used to be something companies only said they cared about after a breach.

Where are companies spending? By some reports, funds are being channeled into identity and access management, messaging security, and network security, among other things. The money will go toward managed security services, according to IDC, in addition to automated application testing and more.

Automation seems wise. Microservices and other IT trends have significantly complicated enterprise security, even as they have provided a host of benefits. As I wrote in 2020: “In a world where developers build and everyone else is tasked with cleaning, security will always be a struggle, whether we’re talking about microservices or monolithic applications.” Automation can help reduce the chance that developers or operations people will miss the necessary tests and patches for a given piece of software.

This becomes even more critical as companies use ever-increasing amounts of open source software without necessarily building processes to patch and maintain it. Open source software arguably offers a better process for securing software, but if it’s not patched, it can be just as bad as any unpatched proprietary software. So when you see fake headlines like “Open source code is insecure and risky due to its unbridled use, says a report”, it is worth remembering Steven J. Vaughan-Nichols’ counterargument: “It is not the use [of open source that creates security risks], it is the irresponsible use that is the problem.”

People are part of the security process

We may be heading toward a more fundamental concern. As Ivanti’s Chris Goettl puts it, “Security threat actors will always move faster in creating security vulnerabilities than most of the companies they target.” How much faster? Well, according to RAND research, although it takes only 22 days for a security threat actor to capitalize on a known threat, that threat can remain unpatched for approximately seven years. This may be because unmaintained code is still in use (pretty common), or simply because the company does not fix a publicly known vulnerability.

With all of our newfound interest in funding security software, it makes me wonder if we shouldn’t be spending more money developing a security mindset. A company’s security posture is only as good as the people who run it. The Open Source Security Foundation is right to put security education first in its list of areas that need to be addressed to improve open source security, though the same principles apply to most software of any kind.

Recently, some big companies made big bets on open source security, committing $150 million to help protect key open source infrastructure. It is a great initiative, but I think it does not go far enough. Security is always about people and processes, both of which can be helped with automation, but unless the people charged with protecting your enterprise software are trained in how to think about security, open source or otherwise, no amount of cash is going to buy us security.

Indeed, as Alissa Irei writes, there needs to be training and agreement across the enterprise on which systems should be prioritized for maintaining security. In Irei’s article, Doug Cahill, senior analyst at Enterprise Strategy Group, notes that “there’s just an avalanche of patches. The larger and more heterogeneous the organization, the less practical it is for all systems to be up-to-date at all times.” Given the flood of systems that need patching, savvy businesses will step back, evaluate, and prioritize software that supports the most critical applications.

It may also be the case that a patch creates more problems than it solves, by breaking compatibility and taking down client-facing applications. But here, as always, the key is to train people and build processes. This is a long way of saying that before you start bragging about spending a lot on security, make sure you spend it in the right areas. To see how you’re doing, check your answers to these nine cloud security questions.

Copyright © 2022 IDG Communications, Inc.