Organizations are under pressure to use cloud services and modernize their software development practices, but these raise new challenges for security leaders. Enterprise Strategy Group research on cloud-native applications showed that, while cloud-native apps bring the benefits of increased efficiency and speed of deployment, security and compliance top the list of challenges.
Security leaders must effectively manage security risk as development scales. But how can they measure the effectiveness of their programs and successfully support digital transformation? I interviewed experienced CISO Rich Seiersen, chief risk officer at cyber insurance company Resilience and author of How to Measure Anything in Cybersecurity and The Metrics Manifesto, about the challenges of cloud-native security and how to use metrics to build and improve security programs. Below are highlights from our discussion. Be sure to watch the video below for more.
The challenges of scale
As CISO of Twilio during 2016-17, Seiersen thought the security industry wasn’t ready for the volume of releases enabled by cloud-native development with continuous integration and continuous delivery pipelines. Twilio was at the leading edge at the time, with 30,000 releases per year. Security testing products used traditionally for software applications, including static application security testing (SAST) and dynamic application security testing (DAST), were too disruptive to use with cloud-native development, he said.
“It would have slowed things down,” Seiersen said. “SAST, DAST, the amount of false positives — that’s all drag. But how do you maintain value, throughput and [release] features while reducing the likelihood of an exploit that could lead to any sort of breach?”
Rethinking the role of security
I’ve written about and released research on shift-left security, where we move some security responsibilities to developers so security is no longer a bottleneck that holds up the rapid pace of development. Seiersen has a great analogy for this: Security needs to function as the pit crew enabling racecar drivers — the developers — to speed through the security checkpoint quickly.
“There are necessary things that need to happen to make sure the machine can go fast. The mindset of security should be similar to the pit crew: ‘We’re going to do it in such a way that contributes to winning,'” Seiersen said. “I think a lot of security folks actually don’t take the perspective of a pit crew; they take the view of the cop. I think it’s really important in cloud-native development that there’s this whole ethos and mindset shift that needs to happen,” he added.
I agree and, as an analyst, I get excited about products and tools that can help security teams be successful in enabling digital transformation instead of blocking it. This ties into security metrics because CISOs are responsible for managing risk and being able to prove their results.
Cloud-native security metrics that matter
Seiersen has written in-depth about security metrics, but in this interview he shared the following five top objects of measurements, which he calls BOOM — baseline, objectives and optimization measures. These are as follows:
- Burndown rates: the rate at which you are burning down known bugs.
- Time to live: dwell time of known bugs.
- Arrival rate: the rate at which risk materializes.
- Interarrival rate: the average time between instances.
- Escape rate: the rate at which known bugs go into development.
Watch the interview to hear Seiersen break down each measurement and describe how to work them into development cycles.