Erlingsson has 25 years of experience leading technology efforts in computer security, privacy, and machine learning, as well as distributed systems. Prior to Lacework, he was an Apple and Google exec focused on privacy and ML.
The cloud will get more complex
According to Erlingsson, businesses need to be braced for increased complexity: “The complexities of the cloud are only increasing as more applications and workloads are migrated to the cloud. This dynamic will likely never change. Cloud capabilities continue to expand, and most companies’ workloads already comprise several generations of cloud technologies, often span multiple different cloud providers, and increasingly involve a web of third-party SaaS services. The cloud is different from on-prem operations, and in many ways more difficult, which is why you need security tools and processes in place as soon as possible. Some companies are just starting their move to the cloud and while others are already well on their way, they’re all learning about the many challenges that come with that transition. In particular, moving to the cloud necessitates developing a continuous development and operations culture, since the cloud is based on frequently-upgraded services and open-source software—which itself requires adopting secure software development practices and a shift-left organizational change.”
Companies won’t be able to build out cloud security by themselves
Instead they will need to leverage technology partners, explains Erlingsson: “It takes years for organizations to set up security teams and processes, and it’s just not possible to build all of that from scratch for the cloud in a tight time frame. To move quickly, but without undue risk, companies need to choose a security technology partner that can automate most of the heavy lift, and this technology cannot be a point solution, or a set of disparate point solutions that require difficult integration. Rather, the technology must be a platform that enables a base level of security across the myriad aspects of the customers’ cloud. And to provide value in a timely fashion, this platform must not only be easy to adopt, but also easy to use, even by employees without a deep security background (e.g., devops). Only with such help will companies be able to move into the cloud in a secure manner, and enable their teams to move fast and fully utilize the benefits of the cloud.”
The responsibilities of CISOs will continue to expand
In recent years the head of information security has had an increasingly involved role, and this is set to continue. Erlingsson predicts: “The job of CISOs has greatly expanded over the past few years, and will continue to do so. CISOs are already in charge of ensuring business compliance, hiring the right people, implementing strong threat management, and getting vulnerabilities under control. Increasingly, CEOs and boards are giving CISOs an even larger mandate, and asking them to drive the probability of intrusions, data exfiltration, ransomware, etc., to effectively zero. To fulfill this increased mandate, CISOs need not just increased influence (e.g., become part of the C-suite) but also increased empowerment—but this won’t mean a greatly increased budget in the current economy. Near-completely preventing security breaches is extremely hard, and CISOs won’t have the time or the resources to build solutions out of point solutions. Especially for new domains, such as the cloud, CISOs will need to look for third-party technologies that span large parts of the problem, and are based mostly on automation (not manual toil), to augment the capabilities and strengths of their teams.”
Proactive risk mitigation will be required
To address cybersecurity, Erlingsson finds that increasingly “Business leaders are expressing a desire to be truly secure, i.e., prevent security issues from arising, as opposed to only having aircover for when things go wrong. It’s exciting to see companies motivated to take on this challenging task. This trend seems to be a result of new, stricter security-disclosure regulations, more concerns about operational stability in the face of increased security incidents, such as ransomware, and a new understanding (even at the board level) that preventing security issues can be more cost-effective than mere compliance. As a result, companies will be looking for security technologies and platforms that do not just offer monitoring and reporting, but also provide preventative measures, such as locking down the network or making software immutable.”
The supply chain risk will continue to be a major concern
2022 was challenging for supply, especially in relation to computer chips. 2023 promises further challenges: “The coming year will see an increased need for companies to understand the composition and behavior of software used throughout their organization, and especially where vulnerabilities exist, and how to prioritize them. The phrase “shift left” is used to describe how security can be incorporated into earlier stages of the software development lifecycle. This shift left is especially important for cloud software, which is typically under continual development, whether because of newly-discovered security vulnerabilities or because of new features. Even if your own developers never make any mistakes, because open-source software and cloud services are ever changing, there is always a chance that new vulnerabilities and security issues will be included into the latest software build. At the highest level, the risk of the overall software supply chain is an issue that the software industry is still struggling to address. The sooner (i.e., further left) such risks can be mitigated, the more likely you are to have a good security outcome.”
Security and developers will need to work as a team
In terms of the best way for firms to address these topics, reconfiguring functions to create more teamwork is a must.
Here Erlingsson opines: “Cloud software developers are constantly worried about breaking things when they push code into production. When security teams collaborate to act as a safety net that helps catch devops mistakes early, the relationship between the teams can greatly improve, such that developers start paying more attention to the security aspects of their code. And, when empowered with the right technologies, security teams are in a unique position to help developers understand the implication of their code changes, e.g., based on security’s view of how that code is actually used in production. For example, if security can help a developer understand not only that their code has a SQL-injection problem, but also get visibility into the fact that this code executes at scale on front-end services accessed by arbitrary users, that developer is far more likely to fix the issue early, before it’s a problem. Conversely, security can help devops understand that certain vulnerable code is only used on a certain low-traffic back-end system, accessed only by authorized administrators, and thereby help developers more efficiently prioritize their work. The security team’s visibility into what is actually happening in operations is the key for security and developers to improve their relationship, and learn how to support and help each other.”
Securing cloud operations is impossible without comprehensive visibility
Erlingsson’s final thoughts are about understanding the nature of the cloud and its associated security. He recommends: “If you want to actually secure your cloud, you need comprehensive visibility into your cloud operations. And, here, visibility does not just entail collecting all security-relevant records and logs about assets and behaviors, since that might result in a huge unstructured pile. Rather, visibility requires aggregating a summary view of your cloud environment that can be understood by both security teams and devops, and allows them to understand the architecture of their operations, and identify aberrations and unexpected changes. And visibility requires collecting all relevant context about assets and resources, their location, configuration, accessibility, etc., because both security and devops need that context to be able to quickly investigate and remediate any incidents or alerts. Finally, if visibility is not comprehensive, there will be blind spots, and security teams won’t be able to properly quantify, prioritize, or manage risks.”