What is adaptive security?
Just as surely as night follows day, a new buzzword enters the scene. This time it’s ‘adaptive cybersecurity.’ You can file this one under things that we’ve always done (or at least should have done) that someone’s now invented a new word for.
Adaptive cybersecurity is exactly what you think it is: an approach to security threats that acknowledges that because threats are evolving and changing, you, as an organization, need to be positioned to be able to identify, monitor, and minimize risks as and when they occur.
An article in Forbes argued that 2021 is the year of adaptive cybersecurity. Make of that what you will, but the writer cites a range of reports that have been illustrated that the concept has staying power. PWC research, for example, indicates that “55% [of research participants] are seeing their cybersecurity budgets increase in 2021 over 2020, with more automated, adaptive cybersecurity being the goal for this year.”
There are a couple of reasons why the concept is starting to gain traction in the tech press and analyst reports.
There are two reasons why artificial intelligence is driving discussion about adaptive cybersecurity. On the one hand it enables in-depth and large-scale security monitoring, allowing security teams to identify anomalies and suspicious activity in a way that would have previously been impossible. On the other, it is also driving changes in threats, allowing cybercriminals to do something similar: exploit data at scale to identify vulnerabilities to launch attacks with greater ‘intelligence’.
Distributed software infrastructure
The evolution of software infrastructure from monolith to microservices demands different things from security teams. While it undoubtedly presents some distinct security benefits, it also poses a number of challenges. In short, it demands a holistic perspective on your security posture; it forces engineers and analysts to think about how different parts of a system interrelate. This makes adaptive cybersecurity more important because your system itself is more dynamic — you need to be able to adapt your security as your system evolves and changes.
Aren’t you being unfair? Is it really just a buzzword?
This is a fair point and worth considering. Software is changing, the threat landscape is evolving, so naturally we need to do things differently. As much as it’s easy to dismiss the market as cynically creating a hook for a new wave of products, it’s important to acknowledge that the products being tracked by researchers and analysts have, for the most part, been built with emerging user needs in mind. In other words, something most definitely is changing, even if a phrase like adaptive cybersecurity is one that benefits sales teams more than it does the people actually responsible for implementing and managing security and data protection strategies.
However, phrases like ‘adaptive security’ obscure the fact that the shift shouldn’t start with new tools and platforms; it needs to begin with culture. And before that’s dismissed as something vague and impractical, consider how security is as much about what people can, can’t, should, and shouldn’t do — who has access to what, who’s able to make changes and who isn’t.
Do the groundwork
So, if adaptive security is really going to be a ‘thing,’ it’s essential that we talk first about the groundwork we need to do:
- How do we change our development processes?
- How can we ensure more consistency in our build processes?
- How can we tighten testing?
- How can we bridge the gap between each step in the development lifecycle?
All those questions are difficult to answer. And, to make life even harder, they’re questions that you need to continue to ask. So, if you’re already doing DevSecOps, that’s great, but is it enough? Is it working? What else could you do? Indeed, are you even measuring the right things?
It’s only when teams and organizations can say that they’re really thinking about software security in that way that they can say they’re truly ‘adaptive’. And however much industry analysts, consultants, and vendors, think they can push greater security through new and exciting products, the market will only be worth the value being touted if individual organizations are prepared to be ‘adaptive’ in their thinking.