Security Has Entered the Board Room
Both the economy and methodology of IT security are changing rapidly. And whether they like it or not, business executives are finding themselves involved in more IT security decisions. Executive involvement not only creates consensus (hopefully) in decisions and strategy, it boosts confidence. But when choosing between the growing number of security firms, API capability is not often enough a major factor in the decision—but it should be. They are the only hope for security stack interoperability and the key to the actionable information executives need when deciding security strategies.
According to Richard Clarke, former special advisor to the president, C-level buy-in is critical for security preparedness. At a recent media event covered by eWeek, he discussed why it’s critical for companies to appoint a risk management committee. In fact, some companies are already shifting their security strategies to a risk model that heavily involves executives.
Aetna, Inc. is one example. After getting a wakeup call in 2009, the health insurance giant has evolved its IT security strategy. It now handles security as a business risk rather than individual IT issues that need fixes. Aetna CISO Jim Routh and his team analyze data feeds about potential threats from thousands of systems, then boil the data down to a single daily risk score. To get that daily risk score, Routh’s team has to filter massive amounts of data—and without APIs, those systems would potentially need to be analyzed individually.
APIs: The Internet’s Building Blocks
Software developers use APIs as a sort of shortcut, as they make creating new apps, tools, and services much easier and drastically less expensive. If an engineering team doesn’t have the technical prowess or luxury of time to build a functional component to a new app, APIs from other vendors can be a lifesaver. They can also be more effective than developing a solution yourself. If you were trying to make an app in which a map would be critical, would you try to build a new map?
Known for investing in startups that scale on APIs, Accel Partner Rich Wong explains that it’s easier to add value if you’re not reinventing the software development wheel. In a recent interview, Wong commented, “You can outsource entire swatches of your company to very reliable APIs. Why would you go start your own payments capabilities, your own payment analytics, your own map capabilities when they’re so easily accessible from these other companies and are arguably better?”
APIs are so crucial and simultaneously commonplace in consumer tech that Accel Partners recently held a conference dedicated entirely to the new API marketplace. With a new investment strategy in what Accel calls APX, the venture capital firm is wagering they can create a viable business investing solely in startups that create “composites” by stitching together data from multiple APIs and making it into a new service or product.
But in the security industry, APIs are still somewhat uncommon—and when they do exist, they may only work with a small set of partner companies. This reality means if you don’t choose vendors carefully, your security team may as a result spend immense amounts of time fabricating ways to get their security stack to work together.
Obtaining the Smoking Gun
For incident response to work well, actionable information needs to be at the fingertips of investigators looking for it. This area is where APIs will play an increasingly crucial role for security teams. Multiple security solutions implemented to protect your network means sorting through a host of data feeds, dashboards, threat alerts, policy pages, and so on. APIs can stitch this immense stream of information and functionality together. But for many security companies right now, this doesn’t seem to be a priority.
Companies do seem to be waking up to this fact, however. Facebook recently acknowledged the power of sharing in security. In February the social media company launched ThreatExchange, a social platform for security professionals that conglomerates a collective knowledge from security experts and API threat feeds to assist the community in protecting their companies and customers.
Without API Sharing, You Cannot Keep Up
Unfortunately, as OpenDNS CTO Dan Hubbard pointed out in a recent blog post, attackers are evolving much faster than the security industry. Attacks are becoming increasingly more frequent, more sophisticated, and even cheaper. An enterprise security team without C-level guidance working with a disintegrated security stack, a workforce that is increasingly more mobile, and an eroding network perimeter cannot keep up with the growing number of attacks.
If, as Clarke suggested in his comments, actionable information is the barrier to companies being prepared for attack, the key to obtaining that information is security solutions that have accessible APIs. The key to motivating security firms to develop them, according to Hubbard, is making it a demand during the purchasing process.
“Customers have not yet been demanding APIs during the buying process,” Hubbard said. “That will start to change once more companies realize how important they are.”