Introducing Reflexive Security for integrating security, development and operations

By the CSA DevSecOps Working Group

Organizations today are confronted with spiraling compliance governance costs, a shortage of information security professionals, and a disconnect between strategic security and operational security. Due to these challenges, more and more companies value agility and integrated operations. In short, a security management program must now deliver more for less to match the needs of becoming cost efficient.

How can organizations accomplish this task? In order to answer that question, CSA recently published a document defining Reflexive Security, a new framework that addresses today’s increasing risks and cybersecurity threats.

Information Security Management through Reflexive Security — Six Pillars in the Integration of Security, Development and Operations

This document provides a flexible framework that:

• Focuses on collaboration and integration
• Is outcome-oriented
• Provides a “reflexive” response to risks.

The word “Reflexive” comes from the reflexive relation in mathematical sets, where every element in such a relation is related to itself. In Reflexive Security, every action taken is related to the context of the security at hand and needs of the organization itself.

Reflexive Security versus ISMS

While the information security management system (ISMS) approach is well-defined by the International Standard ISO/IEC 27001, organizations who thrive with agile development or other collaborative-oriented processes have found it valuable to use the Reflexive Security framework. They value it for its non-prescriptive, holistic, needs-based, and interactive approach, especially with their existing activities that are already tightly-integrated.

Reflexive Security builds on the examples from Agile development and DevOps movements, and is solely focused on a collaborative and integrated environment. It is especially suited for cloud environments, which are crucial for facilitating efficiencies for development and operation teams. Compared to the ISMS approach, Reflexive Security is like using Agile software development versus the Waterfall mindset.

Reflexive Security also emphasizes security across organizational roles that reacts to external and internal threats. Similar to the body’s immune system, Reflexive Security values the balance of decentralization and centralization over a top-down leadership approach. This is so responsibilities and activities of information security management are infused to all members of the organization.

The document describes the core principles of Reflexive Security in “Six Pillars,” which leads to the “Six Benefits,” and also explores a number of strategies for the fulfillment of this framework.

The Six Pillars of Reflexive Security (abbreviated as “RAMPAC”):

• Responsible collectively: Security leadership plays a shepherding role for information security within an organization; everyone is responsible for an organization’s security.
• Pragmatic: Security should provide value, not a hindrance.
• Align and bridge: Organizational risks and requirements must be fully aligned in order to derive maximum effectiveness and value from security processes.
• Automate: Automated security practices are the core of optimizing process efficiency.
• Measure and improve: Performance that cannot be measured cannot be improved.
• Collaborate and integrate: Arguably the most important Pillar. Security can only be achieved through collaboration, not confrontation. A security-aware and collaborative culture is necessary for everyone to feel comfortable reporting potential anomalies.

The Six Benefits of Reflexive Security:

• Human-centric: Security is integrated and internalized as an aspect of everyone’s work, and requires mind-share within every employee.
• Elastic: Growing maturity of a Reflexive Security approach could lead to achievement of formal ISMS requirements, while being flexible enough to only target critical areas for maximum value based on actual risks.
• Apt and holistic: Focused on business needs and responding to the actual risk context faced by the organization when compared to traditional information security management.
• Resilient: Security no longer relies on a single security function, but security practices are integrated with business processes and embedded throughout the organization.
• Tailored: Prioritized approach to provision stronger protection to core or more vulnerable processes over those less exploitable.
• Dynamic: The protection of business goals is performed by integrating security with business processes, allowing the organization to react faster and more effectively to threats and incidents.

Key Takeaways

Reflexive Security is an information security management strategy that is dynamic, interactive, holistic, and effective. It represents cultural practices extrapolated from existing collaborative concepts and practices, and provides a set of widely implicating and easily understandable principles that affect an organization’s cybersecurity posture. This approach is especially suitable for organizations operating under resource and personnel constraints in today’s fast-paced and challenging cybersecurity landscape.

Interested in learning more? Download this research report here: https://cloudsecurityalliance.org/artifacts/information-security-management-through-reflexive-security/