The evolution of security architecture is becoming a reality based on infrastructural changes, such as multiple clouds and hybrid, as businesses continue to be digital.

As a result, baking security into operations is emerging as the new norm, and this is a trend being emphasized by chief information security officers, according to Merritt Baer (pictured), field chief information security officer of Lacework Inc.

“I think even when you’re working in multi-environment and on-prem, the idea that you have these muscle groups, that security is part of your lifeblood, that you’re regularly doing exercises,” Baer said. “Things like Terraform, CloudFormation, etc., to be templatizing your environments, and you’ve got your security team with arms around these so that you’re generating templatized environments for your R&D teams that look different than your HR teams and you’re really constraining as you push to production.”

Baer spoke with theCUBE industry analyst John Furrier at the Supercloud 3: Security, AI and the Supercloud event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed why security should be at the epicenter of organizations and the role that CISOs play in the realization of this objective.

Weaving security into the development cycles

Even though organizations have on-prem assets for the foreseeable future, a move to the cloud is favored because of scalability advantages. As a result, security should be incorporated into development cycles so that they can be shorter and seamless, Baer pointed out.

“The minute that you spin up an environment in the cloud, you have made some decisions,” she stated. “There are permissions in there; there’s either an internet-facing endpoint or there isn’t … and those are security decisions that you’ve now embedded in the ways that you’re building. I think in the cloud it’s very evident that you have to weave it in.”

Some of the fundamental aspects of security include confidentiality, integrity and availability. Nevertheless, availability is often overlooked despite its importance in the security mechanism needed when defining a successful business strategy, Baer pointed out.

“We security practitioners focus really heavily on the confidentiality and integrity side, making sure things are locked down or encrypted or are validated as being true,” she explained. “But what about availability? It also has to work. You have to build all this stuff and build it securely, but it also has to be something that stays highly available.”

Making bold decisions is of the essence in the security field. As a result, practitioners should not be risk-averse because this limits their capability and hinders innovation, according to Baer.

“I think sometimes security folks are risk-averse and think that not moving is a security strategy,” she stated. “I would encourage folks to reframe that, because not moving means that you have also lost out on some possible gains. I think we’re going to see those threads continue, and I hope to be a force for good in that momentum and bring back customer feedback to our roadmap too.”

What’s on the mind of the CISO?

Security should be woven into business undertakings because it shouldn’t be seen as a hamstring. This explains why understanding the best approach in the security life cycle is top of mind for CISOs, Baer pointed out.

“I think the goal for CISOs is to prioritize the issues they have, be able to make meaningful change … be able to make security part of what they’re delivering these days,” she stated. “Having tooling and capabilities that allow you to build better and do security at scale, that’s actually the enabler that we’ve been excited about. The CISOs are thinking, ‘How do I do this in a controlled and responsible and secure manner.’”

Since security should be part of the core business delivery, it ought to be embedded in operations. As a result, the security culture that works for CISOs and other security practitioners involves doing it, according to Baer.

“One of the primary questions that I get from CISOs or other executives is, ‘How do I build a culture of security?’” he asked. “The answer is, by doing it, your culture will reflect what your actual priorities are. My personal prescription would be that the CISO should report to the CEO, for example, so that they cannot be benched. When it gets inconvenient to prioritize security, they should have a seat at the table.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the Supercloud 3: Security, AI and the Supercloud event:

Photo: SiliconANGLE