ESG's Doug Cahill and Jon Oltsik discuss communication between security teams, DevOps, and outside vendors.
Watch the related ESG Security Talk video(s):
- Security Talk - Increased Automation and Serverless Functions, and Top Themes for RSA 2020
- Security Talk - ESG Research on Cloud Driven Identity and Access Management
Jon: Welcome to the Car Talk of Security Talk. And I'm Jon Oltsik. I'm here with my colleague, Doug Cahill. Hello, Doug.
Doug: Hello, Jon.
Jon: All right. What do we got to talk about? RSA.
Doug: More RSA.
Jon: RSA. I know.
Doug: Yeah. So, we left off talking about the 10 top speaking abstract themes that the RSA conference community shared. And we noted this role human element, so we covered sort of two of them, talked about the human element and professional workforce development. Another one on the list was communication.
Jon: Okay. What are your thoughts on communication?
Doug: You know, it's sort of the soft skills around against secure DevOps and it's how the security team gets more involved and how modern applications are developed and delivered and sort of not crash the DevOps party, you know? Unfortunately, the security team isn't always involved. It certainly isn't involved enough. And so, to get involved really takes sort of an understanding about software development, DevOps processes, and the fact that that team is charted with going really fast and getting more applications into production.
So, there's a lot of communication skills involved for a cyber security pro to get involved with the DevOps team.
Jon: Yeah. The security team is kind of that awkward guest at your party that everyone knows but no one wants to talk to. Right. But we're starting to get over that, where the security team is more involved with the executives on risk management and mitigation. And from my perspective, security teams are and have to be more involved with IT ops because, you know, the security team finds the problems but then throws the ball over the fence to IT ops and says, "You fix this."
And so, we're seeing that. We're seeing better coordination, better communication. And some of the vendors who play on both sides, like ServiceNow and Splunk and IBM and some others, are exploiting the fact that they can talk both those languages.
Doug: Absolutely. Hey, so, that's communicating within an organization. Another one on the list is threat intel and sharing, so that's about communicating outside of the organization, in your peer group, perhaps within your industry. Are we seeing some progress there?
Jon: Progress... certainly attention. So, it comes up as a high priority in all of our research. But if you think about it, Doug, I mean, we've got now nation states that we're not at war with but we're in these very delicate situations and those nation states have incredibly advanced cyber security skills.
We've seen attacks in the past from them. And so, people need to pay attention. And there have been documented attacks. We know about the IOCs that they've done. And so, it's really important that people consume this knowledge and build a risk strategy around that.
Unfortunately, those skills aren't really very prevalent. So, while people want more threat intelligence, they want more sharing, they're not always that good at it.
Doug: Yeah. Well, the adversaries are collaborating, that still we've got someone to raise the bar there, sharing IOCs, IOAs, TTPs that impact different environments.
Jon: Yeah. A lot of acronyms there, but absolutely. Yeah. This is a major thing and if we only know... I'll give you a Sun Tzu quote.
Okay? So, Sun Tzu said, "If you know your enemy and you know yourself, you'll be the victor in 100 battles." And it kind of translates to cyber security. If I know myself and I know the enemy, I'm much more prepared.
Doug: Yeah, you bet.
Jon: So Sun Tzu.
Doug: You bet. Well, great. Thanks everybody for joining us for another episode of Car Talk Security Talk. We'll look forward to next time.