Companies are under constant pressure to innovate in today’s fast-paced business environment. That might mean creating a better product, improving efficiency, or creating a better customer experience. Unfortunately, the security function tends to be separate from the innovation process or, worse, is brought in only after the innovation has created a new vulnerability.
That problem will persist unless companies rethink their organizational structures around IT and security. That’s the message that Rapid7 CEO Corey Thomas is delivering in his keynote today at the company’s United 2017 event in Boston. He believes that IT and security teams can work together effectively to innovate, create a better user experience, and adopt new technology without increasing the vulnerability surface.
Thomas sees security and IT functioning separately in most organizations. “Siloes are killing the organization,” says Thomas in an exclusive interview with CSO. “Breaking down the siloes and engineering automation solutions to solve some of the persistent vulnerabilities is a solvable problem.”
Why is security often an afterthought?
Organizational siloes that keep security at arm’s length don’t work. How many times have we seen these stories play out?
- Company X releases a new, innovative product that meets with some initial success. Later, hackers find a vulnerability that could have been easily addressed during the development process. Company X scrambles to fix the problem and salvage its credibility.
- Company Y rolls out a web application that collects customer data. Weak authentication allows data thieves access to customer information. That’s when the security team learns about the app’s existence.
- Company Z migrates key data to the cloud. IT manages the migration but does not adequately involve security. Key questions go unasked, and as a result, improper configuration leaves the data exposed.
“The prevailing assumption is that you innovate first and add security later,” says Thomas. “People believe that security slows down innovation. They also don’t necessarily know the right security vectors, and there is a small kernel of truth to that.”
Thomas adds that it is assumed that any new technology you create will have some unforeseen vulnerability. He believes the way to address that is to build update mechanisms into the technology. “By doing that you improve the long-term security of the technology as well as the user experience.”
“We live in a technology system that is highly fragmented. Security is best addressed if you have a holistic, integrated view of both the environment and the assets,” says Thomas. “Organizational structure that’s dominated by a siloed view of the world and siloed operations creates not only a negative IT user experience, but also a poor security experience. Functional siloes are the primary reason that organizations get complaints from so many of their users about the experience they’ve created, and why you have so much finger pointing.”