What's All of the Talk About?

A Look Back at Ed TALKS 2021

Over the course of 2021, Ed TALKS shows have covered much ground and a wide variety of topics. The uber-theme that ran through all 12 of these Ed TALKS is that software is now, indeed, running every system we use. We are more critically dependent on software than we’ve ever been. The software we build, buy, and borrow must be secured; yet we struggle with how to do that at each of those critical decision points. At the same time, we have three related trends: 3rd party risk, cloud complexity, and breaking old habits.

• Cloudy at the Breach
• Third-Party Software Risk
• Back to Basics: Security Principles
• IoT & BYOD – Are They Dead, or is it Now the Enterprise of Things?
• Are We there yet? Measuring the Effectiveness of InfoSec Programs
• Securing Microservices in Today's Fast, Feature-Driven SDLC
• Security Upskilling Software Teams
• Stealing the Attackers Playbook with Purple Teaming
• Privacy in a Gossipy, Digital World
• SolariGate – Avoiding the Supply Chain Burn
• Fast-Tracking Software Assurance
• Paying it Forward: Securing Technology in Payment Ecosystems

3rd-Party Software Risk

Third-party software risk became top of mind with SolariGate in late 2020 / early 2021. Then ransomware attacks at Colonial Pipeline and several major healthcare systems halted operations and led to the loss of human life. The growing threat of third-party software impacts every industry: financial systems, telcos, software vendors, and more. Industry experts who joined me on Ed TALKS emphasized the need for increased pressure for security in requirements and design (the shifting left of secure code since most 3rd-party products are out of your control). They also reinforced the need to shift right – by implementing and testing robust mitigating controls in deployment. Third-party and custom-made software are being deployed and updated at lightning speed with the adoption of CI/CD, DevOps, and supporting cloud services (speaking of which…).

The Complexity of the Cloud

As pervasive as the cloud is for today’s modern enterprise, those responsible for securing it still do not understand it well. And who is responsible for securing the cloud is also a point of much debate at many organizations. To reinforce the importance of software, 2022 will see the continued growth of Infrastructure as Code (IaC). Unfortunately, I think we’ll also see the rebound effect of our earlier rush to the cloud. This means we’ll witness (more) massive data breaches due to simple cloud service misconfigurations and authorization/access errors. There is already more than 50% of all corporate data stored in the cloud, according to Statista. Organizations adopted cloud services faster than they could secure them, giving rise to “the Dark Cloud.” This will affect every industry and tech stack.

Traditional Approaches Not Working

For all the talk and bluster about solving the cybersecurity skills gap, we still have a massive shortage of accessible talent. Forward-thinking organizations are looking to create net-new talent by (a) training internal teams, e.g., staffers not currently in cybersecurity and (b) reaching previously untapped talent pools, e.g., underrepresented demographics, such as women and people of color here in the US. 

Another traditional approach that does the same thing and expects different results ties back to our overarching trend: software. Far too many organizations still think secure code means secure software (hint: it doesn’t). Most of the software that runs the modern enterprise is not coded from scratch or built internally. Today’s business applications are assembled, not coded. It’s a simple fact that many leaders don’t (or won’t) accept. 

Combine that with constant release cycles and the number of different people (think job functions) that touch applications as they move along the assembly line. You’ve got a glaring need to educate numerous roles that go well beyond “developer.” 

Looking Forward

I had the privilege to speak with many executives, practitioners, leaders, managers, and thought leaders. They all had a very consistent message: securing software during development and deployment in 2022 will require….

• Security acumen across all work roles (CISO, BISO, ISO, Product Management, Architecture, DevOps, and other tangential software stakeholders)
• Securing the cloud and Infrastructure as Code (IaC)
• Paying close attention to software components (aka “ingredients”), especially 3rd-party dependencies
• Shifting security left and right for improved resiliency and agility 

About Ed Adams, CEO
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since 2002 and as CEO since 2003. Ed has held senior management positions at Rational Software, Lionbridge, Ipswitch, and MathSoft. He was also an engineer for the US Army and Foster-Miller earlier in his career.

Ed is a Ponemon Institute Research Fellow, Privacy by Design Ambassador by the Information & Privacy Commissioner of Canada, Forbes Technology Council Member, and recipient of multiple SC Magazine’s Reboot Leadership Awards. He sits on the board of Cyversity, a non-profit committed to advancing minorities in the field of cyber security,  and is a BoSTEM Advisory Committee member.