"Trying to solve this with just technology is what got us into the problem in the first place."
Sebastian Avarvarei, Director for Security Advisory Services Europe at Wolters Kluwer discusses converting technical risks and converting them into business risks when communicating with business leaders with Dr Paul Lewis, Senior Director of Cloud Security, Elsevier and Chad McDonald, CISO, Digital.ai. Hosted by Thom Langford, Founder, TL(2) Security.
View the full Webinar here.
DevSecOps-- is it solvable by technology? Is this a technology problem that we just need to roll something out a lot better, or even roll out a methodology agile or whatever? Is this a technology issue or a framework issue that can just solve this? Sebastian, why don't you go first.
Well, definitely not a technology issue. Although technology can help, it's mainly a collaboration and process issue. And linking to the other presentation is also an issue of linking all the stakeholders from the business to the technical, with the development team into the same cycle. Into the same process.
Trying to solve this just with technology is actually what got us into the problem in the first place. Because we started in IT and then in security to look at IT just for the sake of IT. Looking at security just for the sake of security without properly explaining to the business that ultimately, security for example, is just a quality aspect of the business product.
It's not a goal in itself. We don't do security to protect computers, to protect servers. We do security to protect business assets. To protect revenue. And to answer a question that was earlier in the chat, how do we explain this to the business?
By talking in the language they understand. By converting risks, technical risks, into business risk and quantifying that in dollars and euros and pounds. That's the common language. And if we tell them, yeah, you have CVS score of whatever for this vulnerability, as a business manager, what does it mean for me?
Well you actually stand to lose 10 million because of fines, because of customer impact. OK. Now I understand. So you want me to spend half a million to protect those 10 million. OK. Makes sense.
Yup. That makes sense. I think one of the interesting things, as I've progressed in my career-- so like yourself, I've been doing this for a number of years. And I started off as a deep, technical, crypto guy.
And then over time I've realised actually that a lot of the issues and problems and not technological focused, but they're cultural, they're communication issues about not being able to speak the same language, as you quite rightly said Sebastian.
But also understanding what the business driver's eyes absolutely crucial. Because if you're designing and building something which nobody wants to buy, for example, then that in itself is it is a waste of money, time, and effort.
So I think the best solution for a security person, maybe controversial, is not to actually be seen because everything seems to be going OK and you're actually doing the right thing from an outside perspective.
Agree. I think the one thing that I would add in there is, in my experience certainly in the last few years, the business has attached itself to compliance. Compliance is unequal security. So you get questions-- but we're GDPR compliant. But we're CCPA compliant.
Well yes, but that doesn't mean that you're secure. Two separate situations and you can be secure and non-compliant and compliant not secure. And having a business person, again, it goes back to vocabulary, understand that is a bit of a challenge.