Today’s columnist, Mandy Andress of Elastic, writes about how open security fosters transparency where security teams get to learn about potential code flaws right from the start.
When it comes to openness in technology, people first think of open source software. But IT professionals can (and should) explore another avenue of openness: open security.
Open security may sound like an oxymoron to many in the cybersecurity field. After all, many security vendors today rely on secrecy to guard their threat detection and response methods. But this secrecy has created a dangerous monoculture in security, characterized by a general lack of transparency, black-box products, and poor integrations. Prioritizing vendor competition over collaboration to safeguard users further entrenches the asymmetric advantage held by attackers and ensures that one breach can take down an entire ecosystem.
Closed security, while good in the short-term for vendors, has not been good for users, customers, or organizations seeking better security.
As a CISO with more than two decades of experience leading tech and financial service organizations, I believe that open security—offering open detection rules, open artifacts, and open code—holds significant promise in making for transparent, interoperable, and accessible cybersecurity for all companies.
Open Security ≠ Open Source
Think of open security as a philosophy, methodology, and way of doing business that shifts the dynamic of a security company’s relationship with its users toward transparency. Open security encourages community engagement to further strengthen the security posture of vendors, their customers, and users.
By developing security in the open, vendors let security practitioners see the underlying code of a product and run tests before implementing it in their environment.
Open security also offers practitioners a better understanding of how threat detections work and how security technology operates within a given environment, allowing organizations to simplify their cybersecurity processes.
Most important, it helps information security professionals identify potential blind spots or known gaps in a product’s code, and that’s especially crucial given that no single security solution can protect against every known and unknown cyber threat.
Instead of spending time and resources verifying a chosen vendor’s protection claims, companies practicing open security can focus on addressing gaps in their security technology stack and developing risk profiles for new and emerging threats. As with open source collaboration, open security lets security teams draw on the wider cybersecurity community to identify gaps faster than any single security operations center can on its own.
Until now, security professionals have been playing defense with limited information. When companies apply open security to examine their defense in depth, they gain a deeper understanding of how their organizations are actually protected.
Expand the talent pool with open security
The same information silos that lead to thousands of data breaches every year also contribute to the ever-widening cyber skills gap. By making security closed and proprietary, security vendors increase the barrier to entry for new security professionals.
As any security practitioner will admit—it’s hard to break into the industry absent the ability to tinker with the tools to understand how they work. Security has wrapped itself in a dark-arts culture that reduces the diversity of its talent pool, deters new entrants, and encourages tolerance for complex and hard-to-use tools.
While many security practitioners get their start in the public sector, there are not enough of these hyper-skilled defenders to fill the ranks of organizations facing increasingly frequent and sophisticated attacks.
Developing security in the open lowers the barrier to entry for new cybersecurity professionals by making security accessible to a wider range of people. It encourages them to seize the opportunity to learn by letting them study the technology on a deeper level than what’s available in the current market.
Cyber maturity requires transparency
While open security may sound radical, relying on “security through obscurity” as the primary form of protection against cyber threats does not work as an effective strategy for long-term success. The cybersecurity industry has transformed significantly in the past decade; now, it’s time for the next phase of growth, and an open security model unlocks new opportunities to educate and empower users.
Ultimately, customer demand will determine whether vendors adopt open security. Today, security providers may not want to open the black box because they know too many bypasses and questionable coding choices exist, the result of trading security for performance or of developing in a closed environment with minimal accountability. Open security can help right that wrong. And if customers demand that transparency, security providers will oblige.
By adopting an open approach to security, providers can invest the time to improve their products and practices while encouraging a new and diverse talent pool to join their ranks. Doing so can strengthen the security industry and better equip organizations to tackle tomorrow’s threats.
Mandy Andress, chief information security officer, Elastic
Copyright © 2022 CyberRisk Alliance, LLC. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.