Policy as Code: Enabling Robust and Achievable Security for Organizations

Policy as Code allows CIOs to focus on driving innovation without compromising on security or putting the organization at risk.

Introduction

Not a week goes by that we don't read about a catastrophic security breach or incident at some unfortunate company. CDK is the latest one, but there are thousands of examples ranging from hospital systems and casinos falling victim to ransomware schemes, to massive leaks of consumer information from credit raters and banks. Naturally, the government wants to do something to mitigate these breaches, and protect consumers, as well as keep critical applications and infrastructure working.

In 2013, President Obama signed an executive order stating that all companies who wish to do business with the federal government, as well as their vendors and subsidiaries, need to meet the requirements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

The NIST Cybersecurity Framework provides a robust and flexible approach to managing and improving cybersecurity practices within organizations. By following the framework, organizations can better understand their cybersecurity risks, prioritize their efforts, and ensure that they have a resilient cybersecurity infrastructure in place.

However, there are challenges to implementing the framework. For example, a business may put up all the cybersecurity resources needed to meet all the requirements to pass a NIST CSF audit in order to certify themselves, only to realize that the cost of these services is unexpectedly high. An employee who doesn't understand the value of cybersecurity, or of mitigating these risks, or of high level legal/contractual requirements etc. may tear down these resources without the business being aware of it to reduce costs, leaving the organization open to cyberattack and threats, and in breach of federal contracts, increasing organizational liability.

Additionally, the complexity and high stakes associated with robust security can be overwhelming, diverting attention from innovation to compliance. I have worked with CTOs who stated that 80% of their time or more was being spent on meeting NIST CSF requirements and working with auditors. With most of their focus turned to compliance, innovation took a back seat, as well as the purpose and meaning that they were looking for in their lives and work. They were stressed out, burned out, and seemingly just "treading water" to stay ahead of the numerous (and endless) security requirements being identified via their security scanners, EDR, and Cloud Security solutions. Pile on top of the security requirements additional compliance regulations for PCI, PII, HIPAA, and FINRA (depending on the nature of the company's business), and they were on a compliance "hamster wheel" that just kept building up. Meanwhile, their products were facing technical debt, and not adapting to the rapidly changing world of technology (for example, falling behind with AI integrations and the creation of new business verticals to delight their customers).

The Stakes Are High

The ubiquity of breaches and the severe consequences of failing to meet security standards cannot be overstated. The financial and reputational damage from breaches can be catastrophic. Moreover, failing to meet Security Scorecard requirements can result in insurers refusing to pay out claims, further exacerbating the financial impacts of a breach.

Legal implications are significant. Courts increasingly hold companies liable for failing to meet security requirements, with negligence claims leading to substantial financial penalties. CIOs must demonstrate that their organizations are making good faith efforts to comply with security standards to mitigate these risks.

So, given these challenges, how can CIOs make security achievable for their organizations? Striking a balance between security and core business strategies is crucial. The security and compliance layer needs to be abstracted into an achievable process that does not consume the majority of CIO or CTO bandwidth.

Policy as Code: A Game Changer

One way to achieve this is to enable a "low barrier to entry" for security by leveraging "Policy as Code" to integrate the requirements of the NIST CSF (and any other legal requirements from laws or treaties) directly into the scripts that manage their technical infrastructure. In other words – make security easy and achievable. Make the goalposts clear and consistent. And enable audits to be a painless process that takes a matter of days to complete instead of weeks or months. In doing this, you can re-energize the CTOs in your subsidiaries by enabling them to focus on the true reason they signed up for the job – innovation, delighting customers, and moving the dial for the business.

Policy as Code is revolutionizing how organizations manage security. By defining security policies directly into the "Infrastructure as Code" scripts, CIOs can automate and streamline the implementation, monitoring, and enforcement of these policies across their infrastructure. Tools like Terraform (or Open Tofu, the open-source fork), Sentinel, and OPA Gatekeeper in Kubernetes enable the creation of a robust security framework that is automated, repeatable, and self-documenting, enabling speedy audits. Policy as Code can allow companies to focus on strategic initiatives rather than compliance details, because the requirements are baked directly into the automations that manage the infrastructure and applications. This liberates CTOs to focus on product improvements and enhancing user experiences, rather than on the "hamster wheel" of compliance hygiene. The Autonomy, Mastery, and Purpose of the CTO is absolutely critical to the success of any tech business, over and above any compliance needs.

Demonstrating Good Faith with Policy as Code

By adopting Policy as Code, CIOs can provide tangible evidence of their commitment to security. This approach ensures that security policies are consistently applied across all business units (corporate, as well as subsidiaries) and simplifies the auditing process. Terraform and Open Tofu also detect drift when security infrastructure is modified or torn down. So harkening back to the example of the well-meaning but misinformed employee who tears down the cybersecurity infrastructure – this change would be detected by Terraform as drift and Terraform would automatically reestablish the intended state of the resources, ensuring security requirements continue to be met over time.

This automated, declarative approach to security not only improves the organization's security posture but also ensures that any changes introduced are documented and aligned with the established security framework. In the event of a breach, this documentation can be crucial in demonstrating that the organization had robust security measures in place, potentially mitigating legal and financial repercussions.

Making Security Accessible

Security-first development, where security is integrated into every part of the platform rather than treated as an afterthought, is essential. This approach ensures that security is a fundamental aspect of the development and deployment processes. By abstracting the infrastructure security layer via Policy as Code, CIOs can make security accessible and manageable, even for organizations with limited resources. One way to socialize these policies and best practices that is more effective than the "classic" way of sharing a robust policy document (to be interpreted by each recipient individually) is to provide your corporate business units and subsidiaries with reference architecture (Terraform modules) that can be published via a "cybersecurity center of excellence", so everyone can easily implement the approved security measures into their environments, enabling rapid security compliance across an enterprise through standardization and best practices.

Policy as Code empowers CIOs to build security into the DNA of their platforms. This enhances the overall security posture and reduces the burden of manual compliance efforts, as well as reduces the proliferation of different technology stacks which in itself presents a compliance and governance challenge. This allows CIOs to enable scalable environments for their subsidiary companies that support innovation and growth, but do not compromise on security.

Conclusion

Security should not be an insurmountable challenge for CIOs. By adopting Policy as Code and leveraging Infrastructure as Code to declare how the infrastructure will meet the requirements of frameworks like NIST CSF, CIOs can achieve robust security with a low barrier to entry. This approach automates security processes, simplifies compliance, and ensures that security is an integral part of the development lifecycle. Ultimately, this allows CIOs to focus on driving innovation without compromising on security or putting the organization at risk.