May 26, 2020

Speed vs. Security: Are They Mutually Exclusive in IT?

Security & Compliance
Infrastructure Automation

By

Here’s a situation that is likely familiar to you if you work in enterprise IT. The need for strong security practices is more pressing than ever, with known vulnerabilities growing exponentially, and nearly half of companies having experienced a data breach from 2018 to 2020. At the same time, organizations face demands to deploy software faster, and more frequently.

IT executives consistently identify cybersecurity and speed among their top priorities. Both have major implications for the business and put increased pressure on IT teams. Unfortunately, these objectives seem to be at odds. How can you move both faster and more securely?

Table of Contents

 

What's the Difference Between Speed vs. Security?

The main difference between speed and security in IT are which takes priority. It is challenging to achieve both speed and security.

 

The Security Problem

The current state of cybersecurity offers much to worry about. Security breaches continue to become more frequent and more expensive. In a 2019 study on the state of vulnerability response, Ponemon Institute reported a 17% increase in the volume of cyberattacks over the previous 12 months, with organizations spending an average of $1.4 million each year on vulnerability management.

Hackers have grown increasingly sophisticated, benefitting from advances in machine learning and artificial intelligence. And the unfortunate reality is that they have an advantage — even one unremediated vulnerability leaves your organization exposed. The larger and more complex your infrastructure, the broader the attack surface, and the harder it is to protect.

The Need for Speed...

Accelerating time to market and responding quickly to customers’ needs are mission-critical for just about every organization. This has implications for all areas of the business, but perhaps none more than the IT team. A 2019 McKinsey report underscores this point, noting that “Digital innovation has become central to the full range of business transformation initiatives.” CIOs and CTOs are on the hook to modernize infrastructure and deliver increased agility.

... and the Security Speed Bump

One of the greatest perceived barriers to achieving this much-sought-after agility? You (probably) guessed it: security. McKinsey’s research shows that “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.” Accelerating development and delivery leaves less time for code review, which often translates to poor security outcomes.

How to Bridge Speed and Security in IT

While there are some clear incompatibilities between speed and security, they are not, in fact, mutually exclusive; they can actually be complementary.

As Puppet’s 2019 State of DevOps Report shows, organizations at the highest stages of DevOps evolution also have the greatest confidence in their security posture. This is not a coincidence; the principles and practices that drive good outcomes for software development — culture, automation, measurement, and sharing — also lead to good security outcomes.

The companies that have seen success in both areas tend to adopt a few common practices:

Involve Security Teams Early and Often

This is not a new idea, but without it, there is little hope of achieving both speed and security. When development, operations, and security collaborate throughout the software delivery lifecycle, all parties benefit.

Leaving security review until the final stages of design and development often results in delays and costly fixes. A study by IBM System Science Institute found that it costs 6 times more to fix a bug found during implementation than to fix one identified during design; 15 times more if it’s identified in testing; and 100 times more during regular maintenance once the code is in production.

Development, operations, and security teams should collaborate on threat-modeling exercises, evaluating infrastructure from the perspective of a hacker. Understanding which assets would be the greatest targets, and identifying weaknesses and potential access points, helps build a solid line of defense.

Know Your Network

Proactive security requires, of course, an awareness of the vulnerabilities that pose a risk to your infrastructure; but without a full picture of your network, a list of vulnerabilities won’t do much good. You can’t protect a machine that you don’t know exists.

Automate Vulnerability Management

A degree of automation is essential in any modern IT organization, but many companies still depend on manual processes for key security measures. Manual work is particularly problematic when it comes to vulnerability remediation.

The majority of breaches are a result of known vulnerabilities that have not been addressed. In many cases, failing to remediate them isn’t for lack of trying — a 2019 survey by Ponemon and ServiceNow found that companies spend an average of 443 hours per week managing vulnerability response.

And yet, as the number of vulnerabilities and the means of exploiting them grow, it’s virtually impossible to manually prioritize and remediate in a timely fashion.

This problem is compounded by manual data transfer between security and IT Ops teams. Typically, security uses a scanning tool to identify vulnerabilities, then exports a list and emails it to IT Ops. This static data is only updated when another scan is performed and another list is handed over. In the meantime, the operations team is left in the dark.

Accelerating software delivery has obvious (and potentially negative) implications for your security practice, but it is possible to find a middle ground. Inevitably, there is some upfront work required to shift entrenched team dynamics and incorporate new tooling, but the end result is well worth the investment.

IMPROVE INFRASTRUCTURE SECURITY

Learn More

Simone Van Cleve

Simone Van Cleve

Senior Marketing Programs Manager, Puppet by Perforce

Simone is a senior marketing programs manager at Puppet.