Security is Breaking Down… Why Now, and What Can We Do About It? A conversation with Tyler Shields, Principal Analyst at Forrester

Enterprises are having a challenging time securing their data and systems. But it doesn’t have to be that way. We recently reached out to Tyler Shields, principal analyst at Forrester to discuss his presentation at Qualys Security Conference 2015, and what it means to be able to secure enterprises at “cloud scale.” And what it’s going to take for enterprises to succeed in security in the years ahead.

Shields is an expert on mobile and application security. Before joining Forrester, Shields was product owner and manager for mobile solutions at Veracode. Previously, he was a security consultant for the boutique consulting firm @Stake, which was acquired by Symantec in 2006. There, he assessed the security of Fortune 500 customers, financial firms, educational institutions, and segments of the U.S. government.

George: A good place to start this discussion would be how mobile, cloud, and all of the network connectivity surrounding the Internet of Things is changing the enterprise threat posture and how they are securing themselves?

Tyler: Realistically, it’s a completely new paradigm for security right? When you add always on, always connected, high enough data and bandwidth to make that always connected useful. That has to be coupled with the fact that we no longer are keeping data in our own premises. We’re putting all of our enterprise data into the cloud. It completely changes how we have to do security. The only way to truly effectively do security in this new environment is to do it at cloud scale, meaning you have to actually be able to capture security data, analyze that data, and then make decisions on it and enforce your security controls all at cloud scale; because to do it at anything less they’ll never be able to keep up with the pace of the movement of the data.

It’s very different now than a decade ago. You take the IDS model of just looking at some data and looking for anomalous behavior on network traffic inside your environment. That’s not going to do it now. Now the right way to do security is to look at data movement. Look at containers for example, you have to look at metadata underneath your containers to look at application events, and look at log files in real time. The quantity of data is now so immense that it’s unreal.

George: What does it mean for mid and large enterprises to manage security at “cloud scale”?

Tyler: The enterprise has to look at security differently than they ever have in the past. They have to look at security in places that they never had to before. They have to look at security in a operational model instead of the CAPEX model. It’s an OPEX versus CAPEX difference too, because you’re no longer spending CAPEX on the things you own and securing items you own, but you’re actually spending OPEX; operational expenditure around operations resources and the time to secure it. That OPEX spend is going to be so much higher than the CAPEX spend that we’ve seen in the past, both on our products that we use, our services we use and our security of those services.

I think what that means is that the enterprise has to look at things very, very differently. They have to become procurement experts. The CISO needs to understand every service that he buys from a security perspective. That’s so weird when the CISO used to have to care about security in the data center and that was it. It’s just a very different world.

George: This move to continuous integration and continuous development is changing how enterprises handle risk. How do you see this changing how enterprises handle risk in how they secure their internal infrastructure and application development lifecycle?

Tyler: It certainly does. It used to be where your development life cycle could be 18 months long. You had security stage gates that would trigger within that life cycle, such as a design security stage gate, a code review stage gate, a pre-production pen test and then a post production pen test. You used to have these stage gates across 18 months that you could run the tests. Once every 3 months, you’d have a little project you had to run or whatever and it wasn’t that big a deal, but when you’re pushing the production to say 20, 30, 50 times a day, how do you maintain those 4 traditional stage gates in a model where you’re pushing 30 to 50 times a day?

That completely flips itself upside down on its head as well and now it’s less about stage gates and security being the team that sits in the middle and block and stops, and blocks and tackles things. Instead now it’s embedding security right into the developer. Not even the development life cycle, but the developer the person. It’s so the developer can do unit tests in real time that are security-centric unit tests. It’s about actually doing security in real time and then even more so than that, it’s about having the ability to respond in seconds versus days, weeks, months, or years.

George: The first thing that comes to mind is anything that can be automated must be automated if you’re going to survive.

Tyler: That’s the fundamental piece. Everything needs to be automated. There’s two things. Everything needs to be automated, fully automated from a security continuous security review perspective. If you’re not automated, forget it. You’ll never keep up. The other side to that coin is to spend a lot of resources on when you do find a problem, handling it in the quickest, most expeditious way possible.