IT Trends from a Security Point of View
The SolarWinds IT Trends Report 2022 showed us complexity is the biggest challenge in IT overall. It’s so severe we could even call it a real problem, not just a challenge.
When asked for the root cause, most respondents point toward the implementation of new tools and technologies, followed by outdated staff skills that no longer align with new tech.
But what does it mean for IT Security?
The lack of visibility is the common denominator between IT Sec and “normal” IT.
If you can’t spot a technical problem early, it will hit the user experience, resulting in consequences. If you can’t spot a risk early, it will likely be exploited.
And in fact, an increase in complexity frequently goes hand in hand with limited visibility.
If the business requires new technology to be deployed, and the workforce doesn’t have enough expertise, problems of all kinds are inevitable.
From a security point of view, there may be gaps in understanding how to secure connectivity between new tech and legacy infrastructure. And there may be a lack of direction for how to secure specific elements unique to our environment and to keep things up to date.
Another possible pitfall with new technology is the vendor might be in a learning process, and zero days are all over the place as it hasn’t been tested enough. Unfortunately, this is all too real. Sometimes it can be worse; maybe a single vendor drives a new solution. They might not yet have the budget to secure their environment or bring security into the design process. Quite often, it’s merely an afterthought.
In a perfect world, the business will allow a generous timeframe to evaluate and test a new solution or technology before it’s deployed in production and to enable risk mitigation right from the start.
In the real world, there’s pressure.
When planning a new deployment, there’s an overall budget for acquiring it, testing, deploying, and, if foreseeable, operating costs. Unfortunately, many projects run over their projected budget. Budget problems aren’t unique to IT (look at the airport in Berlin), but let’s continue our focus on IT security.
The intention to stay within a given project timeframe or budget often calls for compromises with security. Sometimes a few additional days might be enough for a more thorough test, but depending on the project size, the extra time needed varies greatly.
Our report shows small businesses, in particular, are struggling with this.
They can’t afford the expertise to correctly and securely implement new tech, which leads to oversights. Let’s face it; no one wants another S3 bucket nightmare. But to satisfy the needs of the business, things get deployed anyway, and IT pros develop a mindset of “I’m glad it’s working somehow. I will make it more secure in the future.”
Complacency and the “good enough” mindset are the infamous recipe for disaster, and the number one reason mentioned by the surveyed IT pros is time constraints.
Put the finger where it hurts.
Besides the lack of time, the IT Trends Report shows the lack of expertise is causing trouble.
There’s an easy way to fix this; it’s to provide training. Quite obviously, the security team, or, in smaller environments, the Security Professional, needs different training than the Ops team.
In security, we need to know precisely what functions a tool is calling, what third-party integrations are embedded, and how it interacts with the existing environment.
The way we now deploy and run applications, decentralized and no longer in the three-tier model, adds more complexity to the mix. It’s next to impossible to assess all the variables in such a construct, and it gets overwhelming quickly.
There’s another thing we discovered in the Report: the siloed organization of many IT departments. Of course, you need experts in their fields, as you can’t expect a single individual to have an in-depth understanding of all topics. But teamwork within the department shows much room for improvement and, more importantly, so does cybersecurity.
It should be everyone’s task to think of security concerns in their daily routine, and that includes network engineers, cloud architects, and application owners. End users should also be mindful of security concerns.
Everybody is part of the extended security team.
The department must understand that the Security Pro is in the same collective boat.
Working together helps remove the complexity, which automatically lowers security risks, amongst other advantages. Communication is critical, beginning from the early stages of deploying the new tech.
On an interesting side note, all teams can share some of their tools to increase overall efficiency. A modern observability system allows the security team to understand data flow and interaction between systems and applications. That’s hugely beneficial: such information isn’t available in a SIEM, yet it increases visibility and removes the guesswork.
Visibility in times of increasing complexity is crucial. Business leaders need to understand that security plays a vital role in each new project and better involve subject matter experts from the early stages.
Let’s not forget to treat every new solution, technology, or vendor deployed as a potential risk factor.