“It’s a war zone out there. When it comes to IT security, we’re in the fight of our lives, and we’ve got to bring every possible weapon to bear against our enemies.”
These days, it’s not uncommon to hear that kind of talk from security professionals. But isn’t warfare too easy a metaphor? Sure, today’s IT security situation is challenging. But if we’re waging an IT security war against bad actors, we’re not winning.
Perhaps it’s time for a new metaphor. What if instead of comparing our security practices to a battle to stave off imminent destruction, we thought of security as nurturance—something that works as a resource, not an obstacle, for the organization’s overall success?
That’s the premise of the latest episode of the New Relic Modern Software Podcast, with special guest Esteban Gutierrez, New Relic’s director of information security. Esteban has more than 20 years of experience in the field, and he joins me and my co-host, New Relic developer evangelist Tori Wieldt, to discuss his innovative approach to information security.
You can listen to the full episode right here, or download all the episodes automatically by subscribing to the New Relic Modern Software Podcast on iTunes, or wherever you get your podcasts. Read on below for a full transcript of our conversation, edited for clarity:
New Relic was the host of the attached forum presented in the embedded podcast. However, the content and views expressed are those of the participants and do not necessarily reflect the views of New Relic. By hosting the podcast, New Relic does not necessarily adopt, guarantee, approve, or endorse the information, views, or products referenced therein.
Kevin Mitnick made me do it!
Fredric Paul: Esteban, before we delve into your ideas about security as nurturance, can you tell us a little bit about your background in information security? What’s your role at New Relic, and what did you do before joining us?
Esteban Gutierrez: I’m the Director of Information Security, and I’ve got two teams working under me: the Product Security team, and the Infrastructure and Operations Security team.
The Product Security team is focused on all aspects of the security of our product, including development, deployment, and delivery to our customers. The Infrastructure and Operations Security team really focuses on the rest of our environments: all of our IT environments, our corporate environments, office networks, client computers—like laptops and whatnot—and the infrastructure that underlies everything else.
Fast-forward to college: I worked on a linguistics and psychology degree, and I actually used the beginnings of the web for a lot of research and sharing my data with other researchers.
As far as security is concerned, I guess you could say I started in 1995. I was working at an ISP in Southern California with a fellow named Tsutomu Shimomura, who came in exclaiming that he had caught Kevin Mitnick. That kicked off my curiosity about what was going on in that space, and I moved over from systems administration to security.
Fredric: So, Kevin Mitnick is responsible for you getting into the security field? That’s awesome.
Esteban: I haven’t told him as much.
What’s wrong with “security as warfare?”
Fredric: Most people think of information security as warfare—as a battle. What’s wrong with that? Aren’t we trying to fight the bad guys?
Esteban: I see two issues with viewing information security as warfare. One is that the adversarial thinking that we use in working out a metaphor of warfare ultimately leads to treating everyone as a potential enemy.
Second, we treat it like a zero-sum game that we could just win by completing some task or process: As long as we patch all the servers, we’re good. As long as we close all the holes, we’re good. As long as we find all the security vulnerabilities and work on them, we’re good. Yet all of that takes away from the livelihood and growth of the business itself.
A culture of warfare is one of secrecy—adversaries and urgency, right? A need for urgent action against enemies. When you’re focused on all those processes alone, then you’re really just working on the security controls, or the firewalls, or just building out more and more roadblocks to what people care about: doing the work, getting the business out the door, deploying applications, and getting services to customers.
Tori: So you’re telling me we can’t win? Is that what I’m hearing?
Esteban: I appreciate your desire to win, but I assume you also want to have a really good business. You want to have fun working. You want to make great software like we do here at New Relic, and you don’t need to win in order to do that. What you need to do is make sure that the things you do in order to make great software are protected, so that you’re actually making sure that you can produce work safely and securely, and get product out the door.
Fredric: So, the idea of winning doesn’t really make sense. If you win the infosecurity battle but lose the larger issue of being a successful company and having successful software, that’s not getting you anything?
The perfect firewall is a wire cutter, but…
Esteban: That’s not getting you anything at all. The perfect firewall is a wire cutter, right? But what’s the point in doing security if you don’t have a business to secure?
Fredric: I think that’s a really critical issue. And so, you are trying to take a different approach. You’re trying to let information security be seen as an enabler, not a blocker.
Esteban: That’s right. It works primarily in a way that’s represented by what I tell people on my teams: Relationship management is their first job above everything else. If we’re not connected to what people care about, what teams care about, or what the business cares about, then we really don’t know what our goals are. We don’t really know what we’re going to protect.
Fredric: And to describe that, you’ve come up with a replacement for the warfare metaphor: security as nurturance. Where does that come from?
Esteban: Like I mentioned earlier, I have a linguistics background. And in the long-ago past, I did some work on metaphors and the way that metaphorical thinking impacts how you perceive the world and how you live your life. I just noticed that there was so much warlike thinking focused on things like DMZs, and bastion servers, and intrusion monitoring, and kill chains.
A lot of the processes and tools that we use are very combat- or warfare-focused. It just seemed like this isn’t getting us anywhere. I still think it doesn’t get us anywhere. People ignore security policies and guidance because it often gets in the way of what they’re trying to do. If we’re focused on blocking, intercepting, and negating behavior that’s critical to so much of the work that people do today, then information security is an obstacle—not a resource.
What I like to bring to the fore is: What is it that people are trying to accomplish? What is it the business is trying to do? What is it that people care about? And now, let’s figure out what we need to do to protect those things.
Security as nurturance takes a lot of work in terms of being connected to the business and being connected to people. It’s really about using security to protect the productivity and growth of the business. It’s about making it safe and secure for people to do the things that are important to them. It’s about ensuring that security connects with the value of what people are trying to accomplish.
There are always risks in information security
Tori: This sounds like a really interesting approach. But are there risks to consider, compared to a more adversarial way of looking at things?
Esteban: The approach by itself isn’t complete. For me, it’s more about a philosophy that drives other processes, and technology, and changes. At the end of the day, we still need to worry about a determined attacker or someone who has it out for a company or business. But as far as the day-to-day business of security is concerned, as far as the day-to-day work that we do with others, either within a company or in our own lives, we don’t need to treat this like a war.
Fredric: How does that approach play out in the real world? How does it change a security team’s day-to-day practices?
Esteban: Like I mentioned earlier, there’s a strong focus on relationships: connecting and spending time with the engineering teams and with the people that make up the business. We have to understand what they’re trying to do and how they’re doing it, so that we get a sense of their stories and their day-to-day lives. So, it’s about connecting and building relationships.
We also have to focus on getting visibility into the data and on understanding the security context of what’s going on in the environment. We need to understand the impact of new security bugs or holes that are found every day, and to understand how those configurations might lead to a problem later on. And then we need to be very transparent about the visibility that we have and communicating relevant issues.
When we understand that there’s a security problem or a bug with a piece of software or code, we like to spend time with those teams to actually show them how to exploit it. We want to teach them not just how it works but also the impact that it might have on the rest of what they’re doing.
A lot of traditional security teams tend to be pretty secretive about the bugs they find. They don’t want people to know about them because they’re afraid that people will misuse them. But our approach is spun 180 degrees the opposite way: We actually like to share information with folks so that they know exactly how things work. We find that’s really the best way to hook people into caring about security.
Fredric: In addition to changing the rules for security teams, how does security as nurturance change things for other people in the company? How do other employees have to change the ways they approach security in this kind of environment?
Esteban: One way in which we see the impact on the culture here is that people take it more seriously. They actually are interested in security and will often come to us with bugs or issues that they find in their own software or in other software. It’s even fair to say that we have quite a few people in the engineering organization who are security experts in their own right but who have decided to focus mostly on programming, and I think that’s pretty cool.
Real security is all about the relationships
Tori: So, if I’m a security professional, I’m listening to this, and I go, “Yeah, I’ve had it with that adversarial mode.” Can you recommend ways to think about helping their organizations transition to a more nurturing approach?
Esteban: It really is about the connections and the relationships. But in order to do something with that, you need data, and visibility, and transparency. You have to measure different aspects of the environment and get a lot of visibility to figure out what’s going on with things like software development practices, the number of bugs being found with analysis tools, and the impact of vulnerabilities that get released.
We spend a lot of time building out that visibility, and then translating that visibility into dashboards or reports that teams actually care about. We want to show people what’s going on in the environment, and we believe that transparency actually helps with the most critical part of security as nurturance: holding people accountable, and especially letting people hold themselves accountable.
At the end of the day, I think people actually do care about security. They want to do what’s right. They just want to make sure that it is the right thing and not just for the business or for some security standard or best practice, but that it’s actually the right security thing for them, and they can’t do that without the information that we give them.
How New Relic supports security as nurturance
Fredric: Are we living yet in a world where security as nurturance is a widespread approach? And how would you describe New Relic’s place in this transition?
Esteban: I believe that we’re on the way there. A lot of my thinking on this evolved after a few stints at places that have very large security teams, and a lot of people and a lot of money focused on managing IT security. When I came to New Relic, I took the job here because of conversations with Shaun Gordon, our VP and chief security officer. His focus has always been on transparency, and I found that that gelled pretty well with where my thinking was going.
There are a bunch of related efforts in the industry right now that are driving towards security programs that focus on access control, and on letting people get to the data or information that they need based on what they’re trying to do and the trust of those devices. For example, look at the user-focus model, or zero-trust networks, or Google’s BeyondCorp efforts.
There are some other companies that are on a similar path. Etsy is a big one—we’ve looked at a lot of their practices, and they’ve got some great tooling that’s focused on similar approaches to security.
My own thinking on nurturance really gelled when I listened to Lew Cirne, our founder and CEO, talk at an off-site meeting. He spoke at length about New Relic’s approach to visibility and data, and about making sure that we can deliver the right information to people, at the right time, to make effective business decisions.
In my mind, I saw that’s exactly what security needs to do: We actually need to get the right information to people so that they can make the right decisions about security.
Fredric: That’s awesome. What you’re talking about is bringing the New Relic philosophy about the importance of visibility into the security field?
Esteban: It felt almost too good to be true, but I think it actually works out pretty well.
A perfect fit with DevSecOps
Tori: I have a particular interest in DevOps, and I just wanted to hear your take on DevOps and security. We all talk about shifting security left, and we have adopted the phrase DevSecOps to reflect that shift. What do you think about what’s happening there and how it relates to security as nurturance?
Esteban: I think it’s great. I think DevSecOps is definitely in line with the nurturance philosophy. Especially because it’s focused on things like data and transparency, and on really being connected to what engineering teams are trying to do. Deployment life cycles, coding, pull requests—all that stuff is integral to what we’re trying to do. We have to understand not just how people work but what is it that they’re working on.
Another aspect of DevSecOps involves automation and tooling. And the nurturance-culture approach to information security actually relies very heavily on automation to build out that visibility—to translate and transform data into information that’s relevant and actionable to the people that need it.
Tori: I love this, because I think we all realize that in this business, you can’t do it all—whatever it is: automating all the things, tracking all the data in the world, or plugging every possible security hole. You have to do the important stuff, right?
Esteban: These traditional security practices—even just simple patching—don’t really scale very well once you go to environments that consist of hundreds or thousands of containers that are deployed for very short amounts of time to address a surge in services.
Fredric: Do you have any advice for companies that might want to move to a more nurturing model and get away from the warfare model?
Esteban: One example is a really great GitHub repo called Stethoscope. This is a tool that actually lets us evaluate very quickly the security status of a laptop, which we can then turn around and use to decide how much access we should give it to the environment—whether or not we should let it VPN into the production network or just let it have access to email. It’s based on things like how well patched it is, how long it has been running, how many users are using that system at that time, and so on and so forth.
How do you measure security success?
Fredric: In this transition to a new security approach, how do you judge success? What are the KPIs for knowing whether your move to security as nurturance is working?
Esteban: That’s a really good question, and it’s one that I’ve been spending a lot of time thinking about recently as we try to evolve our practices in that direction. Some of those KPIs, I think, are going to be attached to the stories that the users or the business have, in terms of things like deploys, getting services out the door, or maybe the cadence and speed at which things like minimum marketable features or sprints are worked on. There’s a need for us, as an information security team, to keep up with those things so that we can continually understand what people are trying to do, and also assess and give them the information they need.
For New Relic, there are some KPIs related to how many reviews we can do, how much inventory we have access to—and by that I mean digital assets like the number of systems or containers or servers that are out there. One big measure is how much visibility we have into what people are doing and into the technical environment itself.
There are a few other KPIs more related to security itself. One that we’re focusing on is mean time to detection (MTTD): How quickly can we detect issues in the environment, and then turn around to deliver that intelligence to people who can take action? It depends heavily on things like inventory and visibility because then we can look for deviations in our environment. Then we can turn around and give that to folks who can then say either, “Okay, I think this is a problem we need to work on,” or “Actually, no, that’s not a big issue to our environment, so we can take some more time on that.”
How infosecurity is like raising a child
Fredric: Anything else you’d like to share about security as nurturance?
Esteban: Security as nurturance is important to me for a lot of different reasons. I have a 14-year-old daughter, and the more I think about raising her and what I need to do to protect and enable her as she grows and develops and becomes an adult, the less that idea of taking that traditional masculine approach—of sitting on the porch with a shotgun—appeals to me.
For one thing, that approach seems to remove a lot of agency from her. (There’s a theme there of agency, of enabling teams to be able to do what they need to do.) It’s important for me to be connected to my daughter, and to understand what she needs to get done. I want to help her develop the skills and knowledge to do those things, but I want to do them in a secure way—to enable her to think about risk as she moves along in her life.
Note: The intro music for the Modern Software Podcast is courtesy of Audionautix.