The good news is that recession or no, security remains a somewhat uncuttable expense for CIOs, according to new data from Morgan Stanley Research. The bad news is that none of it will work if those same CIOs don’t patch their software. AWS Vice President Matt Wilson is absolutely correct when he argues, “It is the responsibility of the consumer of software deployed in security- or reliability-critical systems to safely patch it (among other things), or retain the services necessary to have it maintained for them.”
Yet it’s also true that unpatched software, open source or otherwise, remains the single biggest attack vector for hackers. This is perhaps a bigger problem for open source, not because it’s inherently not secure (the opposite is closer to the truth), but because it’s so widely used. As such, we can continue to throw money at open source security, but if enterprises can’t be bothered to patch the software upon which they depend, how much will it help?
First, the good news: CIOs, once reactive in prioritizing security spending, are now becoming proactive. By Gartner’s estimate, enterprises spent more than $150 billion on security products in 2021. That’s a lot of money, and it doesn’t look like it’s going to decrease in 2022 or beyond. When asked which IT projects they were more or less likely to fund if the economy drops into recession, CIOs put security at the top of the list both for immunity to cuts (ahead of everything else, including digital transformation, a strong second) and for growth in spending, just behind cloud computing. This marks real progress, given that security used to be something enterprises only claimed to care about after being hit with a breach.
Where are enterprises spending? By some reports, funds are being funneled to identity and access management, messaging security, and networking security, among other things. Money is going to managed security services, according to IDC, plus automated application testing, and more.
Automation seems wise. Microservices and other IT trends have significantly complicated enterprise security, even as they’ve delivered a bevy of benefits, as I wrote in 2020: “In a world where developers build and everyone else is tasked with cleaning up after them, security is always going to be a struggle, whether we’re talking about microservices or monolithic applications.” Automation can help reduce the likelihood of developers or operations folks missing the necessary testing and patching for a given piece of software.
This becomes even more critical as enterprises use increasing levels of open source software without necessarily building processes for patching and maintaining it. Open source software arguably delivers a superior process for securing software, but left unpatched, it can be as bad as any unpatched proprietary software. So when you see false headlines like “Open source code is unsafe and risky because of its rampant use, claims report,” it pays to remember Steven J. Vaughan-Nichols’ counterargument: “It’s not the use [of open source that creates security risks], it’s the irresponsible use that’s the problem.”
We may be steering toward a more fundamental concern. As Ivanti’s Chris Goettl posits, “Security threat actors will always move faster in creating security exploits than most companies that they target.” How much faster? Well, according to RAND research, although it takes just 22 days for a security threat actor to capitalize on a known threat, that threat can sit unpatched for roughly seven years. This can be due to unmaintained code still being used (quite common), or simply because the enterprise fails to patch a publicly known vulnerability.
With all our newfound interest in funding security software, it makes me wonder if we shouldn’t be investing more money in developing a security mindset. A company’s security posture is only as good as the people who administer it. The Open Software Security Foundation is right to put security education first on its list of areas that must be addressed to improve security for open source, though the same principles largely apply to any software.
Recently, some big enterprises made big bets on open source security, committing $150 million to help secure key open source infrastructure. It’s a great initiative, but I believe it doesn’t go far enough. Security is always about people and processes, both of which can be assisted with automation, but unless the folks tasked with securing their enterprise software are trained in how to think about security, in open source or otherwise, no amount of cash is going to buy us security.
Indeed, as Alissa Irei writes, it takes training as well as agreement across the enterprise as to which systems should be prioritized for security maintenance. In Irei’s article, Doug Cahill, senior analyst at Enterprise Strategy Group, makes the point that “there’s just a flood of patches. The larger and more heterogeneous the organization, the less practical it is that all systems are going to be current at all times.” Given the deluge of systems that need patching, smart companies will step back, assess, and prioritize the software that supports the most critical applications.
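The prioritization Cahill describes can be made concrete. The following is an added example, not code from the article or from Enterprise Strategy Group: it ranks a constructed vulnerability inventory by combining severity with business criticality, doubling the urgency when a public exploit exists and again when the finding has been exposed longer than the 22-day exploitation window cited above. The `Finding` fields, the 1-to-5 criticality scale, the weights, and the sample systems are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    """One unpatched vulnerability on one system (hypothetical schema)."""
    system: str
    package: str
    cvss: float            # base severity, 0.0-10.0
    exploit_public: bool   # a working exploit is publicly known
    disclosed: date        # public disclosure date of the vulnerability
    criticality: int       # assumed asset-register rating: 1 (internal tooling) .. 5 (core, customer-facing)
    customer_facing: bool


# RAND's median time-to-exploit cited in the article, used here as the
# threshold beyond which a finding is treated as overdue.
FAST_EXPLOIT_DAYS = 22

# Constructed sample inventory; not real systems or real findings.
TODAY = date(2022, 6, 1)
SAMPLE = [
    Finding("web-gateway", "openssl", 7.5, True, date(2022, 3, 1), 5, True),
    Finding("build-runner", "log-lib", 9.8, True, date(2022, 5, 20), 2, False),
    Finding("intranet-wiki", "image-parser", 5.0, False, date(2021, 1, 1), 1, False),
    Finding("billing-api", "json-lib", 6.5, False, date(2022, 5, 25), 4, True),
]


def days_exposed(f: Finding, today: date) -> int:
    """Days since the vulnerability became public."""
    return (today - f.disclosed).days


def priority_score(f: Finding, today: date) -> float:
    """Higher means patch sooner.

    Severity and business criticality multiply, so a moderate bug on a
    core system outranks a severe bug on a throwaway box; a public
    exploit doubles the score and exposure past the 22-day window adds
    another 50% (weights are assumptions, not an industry standard)."""
    score = f.cvss * f.criticality
    if f.exploit_public:
        score *= 2
    if days_exposed(f, today) > FAST_EXPLOIT_DAYS:
        score *= 1.5
    return round(score, 1)


def rollout_tier(f: Finding) -> str:
    """Customer-facing systems get a staged rollout so a patch that breaks
    compatibility is caught on a canary before it takes production offline."""
    return "staged (canary -> full)" if f.customer_facing else "direct"


def rank(findings, today: date):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)


if __name__ == "__main__":
    for f in rank(SAMPLE, TODAY):
        print(f"{priority_score(f, TODAY):6.1f}  {f.system:14s} {f.package:14s} "
              f"{days_exposed(f, TODAY):4d}d exposed  rollout={rollout_tier(f)}")
```

Run stand-alone it prints the ranked list: the long-exposed, exploit-public vulnerability on the core gateway comes first, while the highest-CVSS finding lands second because it sits on a low-criticality build host and was disclosed only days ago. The point is the shape of the decision, not the exact weights; the inputs that matter are the ones an organization has to agree on up front, which is exactly the cross-enterprise alignment Irei describes.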
A patch can also create more problems than it solves by breaking compatibility and taking customer-facing applications offline. But in these areas, as ever, the key is training people and building processes. This is a long way of saying that before you start bragging about spending big on security, make sure you’re spending it in the right areas. To see how you’re doing, check your answers to these nine questions about cloud security.