Cybersecurity is a multi-dimensional problem that never ends. We dance between security risks, available budgets, talent shortages, and tooling. Cloud transformation only increases complexity by adding new technologies, greater developer independence, and organizational and cultural change.
Increasingly, the profession understands that it has under-appreciated the social aspects of security. Even though the technical solutions to many security problems are clear, security teams often still fail to get basic measures implemented that would prevent most threats, because of resistance from within their own organizations. Security is often seen as the ‘Department of No’: a team that gives others more work and throws obstacles in the way of their progress, rather than a ‘Department of Yes, but Securely’ that enables them. This happens even when we try to be helpful and supportive.
The challenge is that we have hard boundaries we can’t compromise on. We have to manage real security risks in a constantly changing threat landscape. We're subject to audits and regulatory requirements that we can’t argue with. There are things that we must do, whether we or the organization like it or not, to identify, protect, detect, respond, and recover. The question then is: where must we be strict, and where can we accommodate concerns and feedback from within our organization?
Often this balance of give-and-take falls into the model of the iron fist in a velvet glove. We convince teams with good arguments and appeals to their conscience and responsibilities to follow the policy requirements. But then we confront them with unrealistic expectations, requirements that appear to come from an ivory tower, far removed from the reality of developer and operations teams. When the organization inevitably rebels, in this model the security team doubles down. It keeps its foot down, convinced that it is the last barrier to chaos. The result is a bad user experience for the very teams that we claim to support.
Instead, SAP follows an approach that I call here the Durian Model, to illustrate it.
Durian, the King of Fruits
Durian is a notorious fruit common in Southeast Asia. Its spiky rind can make it hard to carry by hand and it easily rips through plastic bags. It has a strong smell that some like, but many find nasty. Its soft custard-like flesh is tasty, though.
When applying the durian to cybersecurity, the joke about people running the moment their security or compliance officer shows up writes itself. I mean it in a different way: the hard boundary that we can't compromise on is the spiky shell. There are things we as security professionals need our organizations to do. But we must also keep in mind that effective security outcomes depend on the teams we expect to follow our policies. The sweet middle is where we compromise and sweeten the deal.
Debate the Policy, Not the Control
In this previous blog, I talked about how SAP adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to structure how we manage security risks. That post also describes how the framework translates into specific controls, which in turn feed into the definition of policies and hardening procedures for teams to follow. How well the organization adopts these policies determines the effectiveness of our security measures. Third-party audits at the end of this chain prove that we're indeed following the policies we set for ourselves.
The hard spiky stuff of our cybersecurity framework and the resulting controls we set for ourselves aren’t up for debate. Neither are compliance audits. The former is how we manage security risks and determine what we must do to reduce them. Business decisions and the necessary audit requirements that follow from them determine the latter. The soft squishy middle of policy definition and adoption is where we collaborate between stakeholders to ease the pain.
To give a concrete example: it isn’t up for discussion that we have a vulnerability management process that applies to everybody. Teams must engage in the process or face serious compliance escalations.
How that vulnerability management process is implemented, though, certainly is a dialogue. There's continuous alignment between SAP Global Security, the Business Information Security Officers (BISOs) and their teams in each of the business units, and the developer, DevOps, and operations teams. Selecting a vulnerability scanning tool, deciding how we distribute scans, how we manage false positives, how we contextualize and prioritize alerts, how we accommodate practical requests, and how we set targets the organization can meet and report to leadership: all of these are better done in collaboration and with broad agreement among stakeholders.
Debate the policy, not the control. In the diagram, the yellow chevron pointing left is where the dialogue with the organization feeds back into policy definition. In this dialogue, we balance security risks against the operational burden placed on teams in order to achieve better security outcomes. That makes policies more practical and achievable, and so also helps with security compliance.
We further support developer and DevOps teams with central services that reduce operational toil. Examples are central scanning services, audit log collection, and our curated golden image service of up-to-date base images that are guaranteed to be compliant with our policies and hardening procedures.
Effective Cyber Resilience
Following this Durian Model doesn't mean lowering standards. It means working smarter and with greater empathy for the teams that we write our security policies for. A policy that is idealistic, abstract, unverifiable, or impossible to achieve is at best security theater. At worst, it causes audit findings. Either way, such policies discourage teams and make them less inclined to work with you. Policies that aren’t followed don't lead to effective security outcomes; only policies that the organization actually adopts do.
When these teams are engaged in the process and see that the collaboration is real and accommodating, we gain their trust. That trust builds the space for situations where we have to take a hard line we can’t compromise on. Even then, we work together to figure out how to achieve the desired outcome efficiently and effectively.
Not everybody likes security as much as we do. We made it our careers, but they didn’t. For developers, DevOps engineers, and everybody else, we’re not the main course. But we can turn the spiky, smelly durian into a tasty dessert.