In the world of product security and compliance, there’s no shortage of leadership, at least on the surface. But “leadership” doesn’t necessarily mean the same thing across individuals, companies or industries. Practically, what traits should a leader in IT security exhibit? What should they be doing…or not doing? And why do these specific actions matter?
Just like the nature of leadership itself, there isn’t an objective answer here. Red Hat (and I personally) have been deeply involved with software and systems security for decades, which puts us in a good position to explain what security leadership means in our eyes. Unsurprisingly, given the open source nature of Red Hat, I feel that you can’t be confident in a claim of security leadership without participation as a starting point.
A security leader helps raise the tide
“A rising tide lifts all ships” is how the saying goes, and this couldn’t be more true in the world of software security, especially in open source. It’s rare that a bug or exploit in a foundational technology, like the Linux kernel, or a change in compliance requirements (e.g., STIG) will only affect a small set of vendors. This makes it vital that security leaders actually get their hands dirty and participate in finding, fixing and analyzing these issues.
Just like you can’t call yourself a leader in an open source community that you’ve never actually contributed to, the same can be said for security. If an organization simply talks academically about how to fix a challenge or the need for a specific standard, but does little to actually get the work done, that’s not leadership. Talking is great to start, but then things have to make it to paper and eventually to a standard with, where necessary, accompanying code, rules and guidance (e.g., CSAF or CVSS) - leaders make this happen and don’t wait for others to pick up the pen or the keyboard first.
Leaders are also open to sharing their expertise. Red Hat recently open sourced its Product Security Incident Response Team (PSIRT) incident response plan (IRP), being one of the first organizations to do so. Enhancing the security of our products is a critical need for us, but the model itself has even greater value to the broader security community. We wanted to show our framework to more organizations involved in IT security, as we believe it can only help improve the overall stance of the industry at large.
This participation showcases another characteristic that I feel security leaders need to bring to the table - a commitment to commonality.
Security leaders break silos
Bespoke processes and tooling are the enemies of modern IT, causing divides in operational teams and fragmenting systems into tiers rather than holistic entities. The same is true on the product security front - too much fragmentation and not enough commonality leads to white noise and, potentially, greater risk of vulnerabilities being exploited.
Red Hat has been heavily involved with many industry-wide efforts aimed at delivering common standards that provide actual information, not just “more data.” From CSAF and CVE to CVSS and FIRST, we’ve actively helped to create, maintain and evolve standards that function at scale and across industries. The only way to maintain a strong security posture at scale is with standardized approaches - this means that whenever a bug or exploit is discovered, organizations should be able to talk with all of their vendors in the same language.
No end user organization is ever using a single vendor, but when a vulnerability lands, customers want all of their vendors to reach out to them with answers. Because the technology and threat landscapes are dynamic, these standards cannot remain static.
It also means that security leaders cannot settle.
Security leaders don’t idle
Even when security leaders aren’t formally leading an effort, they should be working behind the scenes. This could be informal leadership within specific working groups, or helping the organization that leads a project to actually get things done. They also keep an eye on emerging trends in IT security, including where the next set of customer needs or pain points may emerge.
For example, right now, the software supply chain has taken center stage in how we as an industry deliver greater security, validation and provenance to the code that eventually underpins systems in production. To address this need, various industry groups have coalesced around the software bill of materials (SBOM), which aims to provide assurance on where code is derived from, who accessed it and whether it has been modified.
The various product and IT security leaders involved in this effort, of which Red Hat is one, are exploring how existing work can fit the needs of SBOMs or Vulnerability Exploitability eXchange (VEX). Essentially, these leaders are looking into how what’s being done on CSAF, vulnerability exchanges and more can apply to an emerging area. This is IT security leadership in practice in the real world, solving challenges that have only begun to emerge.
In my eyes, this is what security leadership looks like - it’s cross-industry and cross-functional participation, finding ways to create common standards and never standing still. This is what Red Hat has long done in the open source world and what we’ve expanded to encompass in open source security.
In our next post in this series, we’ll talk about the value of security data and how to use it.
About the author
Pete Allor is the Director for Red Hat Product Security covering the full Red Hat portfolio. He is active in various industry security forums for incident response reporting and secure development, such as NIST and CISA industry calls for input as well as FIRST (first.org), CVE and ISO / ITU / OASIS standards on security.
He is a former Board of Directors Member of FIRST, the Information Technology ISAC and a member of the Executive Board for the IT Sector Coordinating Council. Allor previously worked for Internet Security Systems, IBM and Honeywell. He is a retired US Army Officer.