Cyber has been called the ultimate team sport: CIOs, CTOs, sysadmins, software developers, CISOs, threat teams, red teams, testing groups and so on. But should it really be? It seems more like a jobs program that moves headcount from one part of the enterprise to the expensive, nerdy side.
Sitting through a number of presentations at various cyber conferences recently, I'm struck that many enterprises' cyber security planning comes down to having 'the best people' doing really pretty boring jobs: keeping software updated, tracking down holes in the firewalls, waiting for alarms to go off, being fed alerts about out-of-date software; in short, lots of controlled firefighting. Enterprises seem to be working harder (and more expensively) by throwing more people at the problem, instead of finding new ways of doing their business securely.
Programmable meat is expensive, fallible and has to sleep. We need to use technology and change processes to manage the problems that technology creates. Streamlining software development and deployment helps, and DevOps can help, but it needs to go further by automating as much as possible inside the enterprise, and perhaps by outsourcing large parts of the enterprise that don't add value or aren't core to the business.
So: constrain funding! Figure out how to secure your enterprise with half the staff, because as enterprise software use accelerates (doubling over the next 24 months?) that's the future: double the demand with half the supply (and maybe the North Koreans living inside your network).
By John Scott, December 17, 2014