Why Complexity Isn’t the Enemy of Security
Five ways you can stop worrying and embrace complexity.
Our new work-from-home culture has created massive complexity for today’s organizations.
Consider the billions of devices — laptops, tablets, PCs, printers, scanners — that workers hastily took home at the start of the pandemic to perform their tasks, or that overworked IT teams, scrambling to adjust, later mailed to them. The challenges of managing and securing these endpoints are myriad. Most are no longer confined to an organization’s network, but scattered across unrestricted, commercially available broadband and Wi-Fi connections.
To get an idea of this sprawling network, take a look at the annual Cybersecurity Workforce Study by (ISC)2, an association for cybersecurity professionals. In a global survey of 3,790 security practitioners, 30% of respondents said their organization shifted to a remote workforce model in a single day, while another 47% had the relative luxury of taking a week. As the report notes, that sudden shift “put an unprecedented strain on cybersecurity professionals to move and secure remote environments.”
Conventional wisdom among CISOs like me is that this expanding network complexity presents costly and time-consuming challenges to endpoint management and security. In my role at Tanium, I hear this all the time. I’m responsible for helping other security and IT executives address cyber risks, manage IT operations and improve business resilience. I’m also responsible for protecting Tanium systems and data.
What I’ve learned is that complexity doesn’t have to be oppositional to keeping an organization secure. In fact, I think there’s a misappropriation of the term “complexity” itself. Most of the time, when people talk about complexity, what they really mean is business and technological diversity. They mean a combination of diverse business needs and use cases, as well as the technology infrastructure and applications required to support them, including hybrid and multi-cloud deployments, SaaS and custom apps, as well as an expanding universe of devices to access those resources. An organization can use diversity in its favor, making it easier to deliver more applications to more devices in more places. Business and technology only truly become complex when IT lacks visibility and control over them.
Nomenclature aside, here are five ways for any organization to embrace and win at complexity.
Break the hub-and-spoke model
For decades, IT teams have based network security management on the hub-and-spoke model. They deployed security capabilities into a data center; everyone in an office connected to it. That model has been thrown on its head. In a world of working remotely, there are too many choke points back into those environments.
Let’s say you’re a large financial services company that has 32,000 workers trying to link to network applications in your data centers over legacy VPN connectivity. That same connectivity is being used for security services. That creates a choke point for corporate networks. A lot of companies end up making security concessions because they need to keep line-of-business applications functioning.
The first thing we need to do is remove the reliance on potential choke points. If everyone’s working from home, using a cable or DSL line, putting your security at the network layer isn’t going to cut it. With a distributed workforce, that network layer becomes obsolete. That means you need security at the endpoint. And it’s important you have security of your services, be they SaaS or IaaS, in the cloud.
Locate every endpoint
You can’t manage and safeguard what you can’t see. For example, I work with a lot of CISOs and CIOs who use one solution for asset management, one for vulnerability management and one for patch management. Using multiple systems to manage and secure devices leaves visibility gaps. These tools all act in different ways. Some will work on Windows. Some will work on Linux. Some will work on Mac. Having that fragmentation of tools makes it incredibly difficult to properly assess your exposure.
I know CISOs who say, “Hey, for the last quarter we managed to achieve 97% deployment of critical patches. That’s a company record.” Everyone is applauding and high-fiving. But then that same CISO only has that patching agent deployed in up to 75% of her technology. She can’t see the rest, so that’s not getting patched. So you get these really warped metrics.
The lack of visibility is heightened in a time of distributed working. But if you have a management plane, a single dashboard to identify and access your endpoints, you gain visibility and control.
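The warped-metrics problem above (a 97% patch rate measured only across the devices the patching agent can see) is easy to reproduce once you reconcile the asset inventory with the patch tool's own report. The script below is an added example, not Tanium's code or anything from the original article; the hostnames, platforms and patch states are constructed sample data, and the two dictionaries stand in for exports from a hypothetical asset-management tool and a hypothetical patch-management agent that only covers Windows and Linux.

```python
"""Reconcile endpoint inventories from two tools and compute patch coverage
against the full asset base, not just against the devices the agent sees."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data (hypothetical hosts, not real inventory).
# The asset-management tool is the authoritative list of what exists.
ASSET_INVENTORY = {
    "win-001": "windows", "win-002": "windows", "win-003": "windows", "win-004": "windows",
    "lin-001": "linux", "lin-002": "linux", "lin-003": "linux",
    "mac-001": "macos", "mac-002": "macos", "mac-003": "macos",
}
# The patch tool only reports hosts where its agent runs; value = critical patch applied.
PATCH_AGENT_REPORT = {
    "win-001": True, "win-002": True, "win-003": True, "win-004": False,
    "lin-001": True, "lin-002": True, "lin-003": True,
    # macOS hosts have no agent, so they never appear here.
}


@dataclass
class CoverageReport:
    total_assets: int
    agent_managed: int
    patched: int
    unmanaged: list[str] = field(default_factory=list)   # in inventory, no agent
    orphaned: list[str] = field(default_factory=list)    # agent reports, not in inventory

    @property
    def reported_coverage(self) -> float:
        """What the patch dashboard shows: patched / devices the agent can see."""
        return self.patched / self.agent_managed if self.agent_managed else 0.0

    @property
    def true_coverage(self) -> float:
        """Patched / every device the organization actually owns."""
        return self.patched / self.total_assets if self.total_assets else 0.0


def reconcile(assets: dict[str, str], patch_report: dict[str, bool]) -> CoverageReport:
    """Join the two inventories on hostname and surface both kinds of gap."""
    managed = [h for h in assets if h in patch_report]
    unmanaged = sorted(h for h in assets if h not in patch_report)
    orphaned = sorted(h for h in patch_report if h not in assets)
    patched = sum(1 for h in managed if patch_report[h])
    return CoverageReport(
        total_assets=len(assets),
        agent_managed=len(managed),
        patched=patched,
        unmanaged=unmanaged,
        orphaned=orphaned,
    )


def unmanaged_by_platform(assets: dict[str, str], patch_report: dict[str, bool]) -> dict[str, int]:
    """Count agent-less hosts per platform: this is where tool fragmentation shows up."""
    counts: dict[str, int] = {}
    for host, platform in assets.items():
        if host not in patch_report:
            counts[platform] = counts.get(platform, 0) + 1
    return counts


if __name__ == "__main__":
    report = reconcile(ASSET_INVENTORY, PATCH_AGENT_REPORT)
    print(f"dashboard says: {report.reported_coverage:.0%} patched")
    print(f"reality:        {report.true_coverage:.0%} of all assets patched")
    print(f"no agent:       {report.unmanaged}")
    print(f"gap by platform: {unmanaged_by_platform(ASSET_INVENTORY, PATCH_AGENT_REPORT)}")
```

With the sample data the dashboard reports 86% (6 of the 7 hosts the agent sees), while only 60% of the ten devices in the inventory are actually patched, and every one of the invisible hosts is a Mac. The same join also catches the reverse gap (hosts the agent knows about that the inventory does not), which is the other half of the visibility problem.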
Embrace zero trust
Bringing security closer to the endpoint — and away from the data center — is key to safeguarding today’s distributed business and business continuity. Workers are using devices that don’t allow the CISO and security team to report on their security hygiene, including things like patch status. In that sense, the attack surface has just exploded in size.
This is where zero trust comes in. The concept is simple. In order to defend an organization’s computer network from intrusion, all devices and users, even ones previously known to the system, are treated as a potential threat and must be authenticated before being granted network access. The zero trust model has been around for two decades. But most security teams never really got around to enforcing it. The pandemic, and the explosion of remote endpoints being used across unsecured Wi-Fi, now demands it.
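The rule described above (known devices and users get no implicit trust and must prove themselves on every access) can be stated as a policy function, and contrasted with the perimeter-style rule it replaces. The code below is an added example, not from the original article or any vendor product; the request fields, the hypothetical device inventory and the two policy functions are all assumptions made for illustration.

```python
"""Zero-trust access decision beside the perimeter rule it replaces."""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical inventory of enrolled devices (constructed sample data).
KNOWN_DEVICES = {"lt-0042", "lt-0043"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool        # identity proven for this session, not a cached login
    device_id: str
    device_attested: bool     # device presented a valid, current posture report
    patch_current: bool       # posture claim: critical patches applied
    source_network: str       # e.g. "corp-lan", "home-broadband"; location, not trust
    resource: str


def perimeter_decide(req: AccessRequest) -> tuple[bool, str]:
    """Legacy hub-and-spoke rule: inside the network means trusted."""
    if req.source_network == "corp-lan":
        return True, "allow: request originates inside the perimeter"
    return False, "deny: outside the perimeter"


def zero_trust_decide(req: AccessRequest) -> tuple[bool, str]:
    """Every request is authenticated and posture-checked; network location is ignored."""
    # Being enrolled is necessary so the device is known to inventory,
    # but enrollment alone grants nothing.
    if req.device_id not in KNOWN_DEVICES:
        return False, "deny: device not enrolled"
    if not req.mfa_verified:
        return False, "deny: identity not verified for this session"
    if not req.device_attested:
        return False, "deny: device posture not attested"
    if not req.patch_current:
        return False, "deny: device missing critical patches"
    return True, "allow: identity and device verified"


# Constructed scenario: an enrolled but unpatched laptop on the office LAN.
STALE_LAPTOP_ON_LAN = AccessRequest(
    user="alice", mfa_verified=False, device_id="lt-0042",
    device_attested=True, patch_current=False,
    source_network="corp-lan", resource="payroll",
)
# Constructed scenario: a fully verified laptop on home broadband.
HEALTHY_LAPTOP_AT_HOME = AccessRequest(
    user="bob", mfa_verified=True, device_id="lt-0043",
    device_attested=True, patch_current=True,
    source_network="home-broadband", resource="payroll",
)

if __name__ == "__main__":
    for label, req in [("stale on LAN", STALE_LAPTOP_ON_LAN), ("healthy at home", HEALTHY_LAPTOP_AT_HOME)]:
        print(label, "| perimeter:", perimeter_decide(req)[1], "| zero trust:", zero_trust_decide(req)[1])
```

The two constructed requests show the inversion: the perimeter rule admits the unpatched, unauthenticated laptop because it is on the office LAN and rejects the healthy one because it is at home, while the zero-trust rule does the opposite, because it never reads `source_network` at all. The checks are deliberately ordered so the first failing condition is the reason returned, which is what you want logged for the denied request.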
As a CISO, I’m not there to tell people they can’t do things. But that’s traditionally been viewed as security’s role, which is anathema to today’s fail-fast, iterate-fast agile software development practices.
One way to fix that is to adopt what’s called shift left software testing. That means you test much earlier (left) in the development cycle, embedding security fixes as developers are writing and releasing code. By codifying security controls early, you’re reducing complexity as you put things into production. This ensures the security team is nimble enough to adapt security requirements to changing business requirements — an inevitable consequence of any agile-based development project. The security function should have a light touch, providing crucial consultative advice almost instantly.
Focus on the business, not just the tech
Complexity isn’t just technical. One of the major challenges that organizations are struggling with right now, in a time of pandemic, is understanding their own business continuity. How do your services work, your line of business services, your security services, your IT services and your supply chain? Determining that is within the purview of the CISO and CIO, and within endpoint management.
Back in March when everyone started working remotely, I received an absolute sea of requests from customers asking about Tanium’s own business continuity. They wanted to know: How were we going to continue to support our customer base and partners with everyone at home? Some customers sent us surveys with 150 questions about our methods. In other cases, I just jumped on the phone with somebody in governance and explained how we approach things, giving them a copy of our attestations to various compliance frameworks to prove to them our application software was intact and trustworthy.
What this tells you is that business continuity planning must fit an organization’s processes and people. It’s similar to a company’s approach to cybersecurity. Ultimately, you need to trust your supply chain, but how you validate that trust is subjective and needs to fit both your company’s culture and its resources.
So that’s why handling complexity isn’t just technical. Complexity comes from supply chains. It’s about identifying upstream and downstream risk. It’s about knowing what dependencies you’ve got not only in technology, but also in people and in the way people are carrying out their jobs as well.
Complexity is the way contemporary businesses operate. Embracing it sets you up to support your employees no matter what happens next. Managing a distributed business is complex, but it’s also an opportunity to win. And as Mike Tyson said, “Everyone has a plan until they get punched in the mouth.”
Chris Hodson is CISO at Tanium.