AWS CTO Calls for Restructuring of Cybersecurity Operations
At an AWS Summit this week, CTO Werner Vogels of AWS told conference attendees that the time for separate cybersecurity teams is now at an end.
Vogels says technologists from across the IT spectrum now need to assume responsibility for cybersecurity. In fact, the number of breaches that have occurred to date is nothing less than an embarrassment to the whole IT community.
Starting with securing the application development process itself, Vogels says development, operations, and cybersecurity teams need to be unified around a common set of DevSecOps processes. Cybersecurity is now everyone’s job, adds Vogels.
As part of the process, Vogels called for fundamental change to the world of cybersecurity and reiterated his call to encrypt every line of code and artifact being developed and deployed.
While there’s obviously plenty of room for improvement when it comes to cybersecurity, determining the right level of convergence across application development and cybersecurity teams is not as easy as it might sound. For example, asking cybersecurity professionals to participate at every turn of the scrum process isn’t likely to be feasible. There simply are not enough cybersecurity professionals available to participate at every step of the application development process. Cybersecurity professionals might one day trust developers to implement cybersecurity controls, but they will still need to verify those controls have been implemented and that all the components that make up an application have addressed all known vulnerabilities.
Those processes will also need to be extended across multiple clouds. Rather than having to set up and manage DevSecOps processes for each individual cloud, organizations are clearly going to want to be able to centrally manage DevSecOps processes across multiple cloud computing environments.
In the meantime, however, organizations are still struggling to master the best cloud cybersecurity processes. Cloud service providers are more than capable of providing a more secure computing platform. Each individual organization is still required to secure the software that runs on top of that infrastructure. That shared responsibility approach to cybersecurity requires organizations to focus their efforts primarily on application security.
The truth is that when most organizations say they are still concerned about cloud security, it’s not necessarily about the platforms as much as it is a lack of visibility and workflow processes for securing the applications running on those platforms.
Going forward, it’s apparent there is a need to restructure how IT and cybersecurity teams are organized. Each organization, however, is likely to come up with slightly different approaches based on how cybersecurity-aware their developers are and how many cybersecurity professionals they have on staff. Those processes may even vary from project to project.
Rather than resist that change, cybersecurity professionals should become advocates for change. The more responsibility for cybersecurity the rest of the IT organization assumes, the simpler and less nerve-wracking the job of the cybersecurity professional will become. Instead of constantly trying to put out the next proverbial fire, cybersecurity teams should have more time to both plan and hunt for malware before it’s activated. After all, when all things are considered, the most precious cybersecurity resource of all is the time any organization can buy between now and the next major cybersecurity crisis.