Do you save a seat at the digital transformation table for your CISO? You should.
Several trends are driving infrastructure underground. Mainstream adoption of automation and infrastructure as code approaches to managing the foundation for applications have obfuscated the importance of the myriad network and application technologies required to deliver and secure applications.
Developers don’t want to be bothered with the nuts and bolts of infrastructure, particularly as it relates to networking. Cloud computing has long sought to remove the need to deal with infrastructure, laying on APIs and drag-and-drop configuration tools to help the network and infrastructure-averse avoid getting their hands dirty. Kubernetes, created by developers for developers, craftily kicks networking and infrastructure to the curb by hiding it beneath a layer of configuration and orchestration magic.
But that doesn’t mean we should ignore the existence of infrastructure or its profile as a key attack target.
To wit, three of the top ten vulnerabilities tracked by IBM X-Force in 2020 were infrastructure-related vulnerabilities.
I’ll wait while you digest that.
Filling out the top ten were application platform and framework vulnerabilities, as you’d no doubt expect. But three of them—including the top exploited vulnerability—targeted infrastructure.
For as long as there is a need for infrastructure—and that means the foreseeable future—there will exist a need to protect it. Infrastructure is the first point of contact in most architectures, with firewalls and DNS and load balancers taking the lead. These are critical infrastructure that can, when attacked, bring down the entire digital presence of an organization. Indeed, Cisco’s Annual Internet Report notes, “Infrastructure outages also continue to be a threat with over half of operators experiencing this issue.”
The relationship between infrastructure and business remains lukewarm. To be fair, business leaders place an almost equal importance on protecting infrastructure as they do the business and applications. Which is to say they are lukewarm about protecting, well, everything.
We chose these categories with a very specific reason in mind: together they form the digital business "stack." Digital business relies on applications, and applications rely on infrastructure. The three are inseparable in today's default-digital world, and yet they are obviously viewed as distinct things to be protected—or not—based on our perceptions of their importance by role in the organization.
The disconnect we see evident in the importance placed on protecting key attack targets indicates that most organizations are still maturing in their digital transformation journey. Business and IT need to come together as equal partners to efficiently operate and protect digital business. That means IT needs to view protecting the business as important as infrastructure—and vice versa.
While the digital transformation journey was certainly accelerated by COVID-19 and a rush to "go digital," maturity of practice and perceptions will take time to catch up. Today, PWC reports that as a result of COVID-19, over half of businesses are "more likely now to consider cybersecurity in every business decision—that’s up from 25% in our survey last year."
That’s a good start.
One of the ways forward for organizations who haven't yet adopted this practice is to look at who is sitting at the digital transformation table. While we often talk in terms of the CIO needing a dedicated seat, we are less likely to mention the criticality of inviting the CISO to the table.
The role of the CISO has shifted over time, sometimes abruptly. At its core, the role requires a focus on security. As business has embraced digital as default, that role has expanded to a more strategic one, a role that is as much about operating securely as it is about operating at speed. That means CISOs need to be involved in digital transformation from the beginning with the goal of putting place the policies and guardrails necessary for the organization to protect customer and corporate data while enabling acceleration of digital business.
If your CISO is not already a part of the digital transformation conversation, they need to be. Infrastructure is still a critical component of digital business, and it's still an attractive attack vector—and protecting infrastructure is still a responsibility of the CISO.
About the Author
Related Blog Posts
At the Intersection of Operational Data and Generative AI
Help your organization understand the impact of generative AI (GenAI) on its operational data practices, and learn how to better align GenAI technology adoption timelines with existing budgets, practices, and cultures.
Using AI for IT Automation Security
Learn how artificial intelligence and machine learning aid in mitigating cybersecurity threats to your IT automation processes.
The Commodification of Cloud
Public cloud is no longer the bright new shiny toy, but it paved the way for XaaS, Edge, and a new cycle of innovation.
Most Exciting Tech Trend in 2022: IT/OT Convergence
The line between operation and digital systems continues to blur as homes and businesses increase their reliance on connected devices, accelerating the convergence of IT and OT. While this trend of integration brings excitement, it also presents its own challenges and concerns to be considered.
Adaptive Applications are Data-Driven
There's a big difference between knowing something's wrong and knowing what to do about it. Only after monitoring the right elements can we discern the health of a user experience, deriving from the analysis of those measurements the relationships and patterns that can be inferred. Ultimately, the automation that will give rise to truly adaptive applications is based on measurements and our understanding of them.
Inserting App Services into Shifting App Architectures
Application architectures have evolved several times since the early days of computing, and it is no longer optimal to rely solely on a single, known data path to insert application services. Furthermore, because many of the emerging data paths are not as suitable for a proxy-based platform, we must look to the other potential points of insertion possible to scale and secure modern applications.