Tool Sprawl a Silent Sabotage?
Posted: Wednesday, Jul 09
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB and is widely known across the cybersecurity industry. She is a serial entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm MercSec. She is also the former Producer and Host of the streaming show 2Fa.tv. Our flagship arm, KBI.Media, is an independent and agnostic global cyber security media company, with KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity and provide genuine insight to executives on the downstream impacts cybersecurity advancement and events have on our wider world.

Sunny Rao, SVP Asia Pacific at JFrog, recently described how Australia and New Zealand tech leaders are confronting their own ‘broken’ software supply chains.

Ask an enterprise security leader what really keeps them up at night, and the answer is rarely a simple one. For Rao, the narrative isn’t one of failure but of evolution.

“We are always striving to become better as organisations,” he comments.

Developers self-provision whatever cloud resources they desire and, at the same time, are held responsible for more than just the lines of code they write. Today, between 80 – 85% of a modern application is stitched together from open-source and third-party components whose provenance is often opaque and which are moving targets. Developers are sprinting, security teams are gatekeeping (often too late), and the resulting rework means deadlines slip and tensions start to rise internally.

“It’s not [just] the tool set that slows them down, it’s the workflow,” Rao points out.

The bigger problem is less about tools and more about trust in tools.

“How do you determine what is right? If Tool A says you have 10 security vulnerabilities, but Tool B says you have 20, which one’s right?” Rao asks.

The ‘single source of truth’ is a common point of debate amongst development teams. More data isn’t more clarity; it’s more contestability, and that slows down the proverbial conveyor belt. As soon as security processes become bottlenecks, accountability drifts, and so does the velocity of shipping code.

“All of a sudden your whole house project is delayed multiple months, because some OH&S person has to come in and triage it, call some other person in another part of the world…” adds Rao.

Yet Rao is neither advocating silos nor blurring all roles into one. His vision is a shift away from entrenched, binary thinking (‘I’m security’, ‘I’m a developer’) toward mutual accountability.

“The quality of the code just doesn’t mean how functional it is. It’s also how secure it is, how reliable it is,” he says.

Accountability should not be confused with territoriality, and when developers understand the context of the systems they’re building, remediation becomes proactive, not reactive. A software bill of materials (SBOM) is not a compliance tick box but an exercise in fidelity to the code.

It allows teams to drill down into what’s in the package, what code is running, and who owns which software. This kind of traceability might be the only ‘source of truth’ left for managing an emerging exploit long after the original author has moved on.
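As an added illustration (not part of the article, and not JFrog's tooling) of the two points above, the Tool A / Tool B disagreement and the SBOM as owner-level source of truth, the script below reconciles two constructed scanner outputs against a constructed CycloneDX-style SBOM fragment. It deduplicates findings on (package URL, canonical advisory id) so per-path duplicates and advisory aliases stop inflating the count, and it attributes each finding to an owning team, flagging packages the SBOM cannot account for. Every package, advisory id and team name is a constructed placeholder.

```python
# Added example: reconcile two scanners' findings against one SBOM.
# All SBOM entries, scanner rows, advisory ids and team names are constructed.
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment: package URL -> owning team
SBOM = {"components": [
    {"purl": "pkg:npm/lodash@4.17.20", "owner": "payments-team"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "owner": "platform-team"},
    {"purl": "pkg:pypi/requests@2.25.0", "owner": "data-team"},
]}

# Scanner A reports one row per install path, so one real issue shows up
# several times. Scanner B reports each issue once but uses a different
# advisory id (an alias) for one of them and finds a package the SBOM lacks.
SCANNER_A = [
    {"purl": "pkg:npm/lodash@4.17.20", "id": "CVE-EXAMPLE-0001", "path": "web/node_modules"},
    {"purl": "pkg:npm/lodash@4.17.20", "id": "CVE-EXAMPLE-0001", "path": "api/node_modules"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "id": "CVE-EXAMPLE-0002", "path": "lib"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "id": "CVE-EXAMPLE-0002", "path": "agent"},
    {"purl": "pkg:pypi/requests@2.25.0", "id": "CVE-EXAMPLE-0003", "path": "venv"},
]
SCANNER_B = [
    {"purl": "pkg:npm/lodash@4.17.20", "id": "CVE-EXAMPLE-0001"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "id": "GHSA-EXAMPLE-0002"},
    {"purl": "pkg:npm/left-pad@1.0.0", "id": "CVE-EXAMPLE-0004"},
]

# Constructed alias table: every advisory alias maps to one canonical id.
ALIASES = {"GHSA-EXAMPLE-0002": "CVE-EXAMPLE-0002"}


def canonical(vuln_id):
    """Collapse aliases so the same advisory counts once across scanners."""
    return ALIASES.get(vuln_id, vuln_id)


def reconcile(sbom, *scanners):
    """Merge (name, findings) pairs into one deduplicated, owner-attributed list.

    Keyed on (purl, canonical id): per-path duplicates collapse, and a package
    missing from the SBOM is flagged UNATTRIBUTED rather than silently dropped.
    """
    owners = {c["purl"]: c["owner"] for c in sbom["components"]}
    merged = defaultdict(set)  # (purl, canonical id) -> scanners that saw it
    for name, findings in scanners:
        for f in findings:
            merged[(f["purl"], canonical(f["id"]))].add(name)
    return [{"purl": purl, "id": vid, "owner": owners.get(purl, "UNATTRIBUTED"),
             "reported_by": sorted(names)}
            for (purl, vid), names in sorted(merged.items())]
```

On this input Scanner A reports 5 rows and Scanner B reports 3, yet the reconciled view holds 4 distinct issues, one of which no SBOM owner can be found for; that unattributed row is the traceability gap the SBOM is meant to close.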

For boards, this isn’t a binary debate between code quality and policy – it’s a money problem.

“Why does it take me so many people to produce this output? Why is my time to release getting worse, not better?” asks Rao, voicing a new breed of directors who are less impressed by technical jargon and more focused on ROI.

“It’s a change management issue rather than lack of knowledge,” asserts Rao.

The work that needs to get done often stalls not because the answers aren’t known, but because the will to disrupt legacy process is missing.

The key component is speaking the same language, from security engineers to heads of marketing.

Rao went on to say, “When you have visibility and a single source of truth, it becomes easier for people to understand.”

That’s not just a technology problem, it’s a leadership requirement. Rao predicts the next wave will be even more challenging as compliance, privacy and governance demands are coupled with the AI revolution.

“It’s a lot more than just security. If you’re starting to use machine learning and AI, there’s privacy, there’s governance…”

The future is about context. Not every vulnerability is a catastrophe, not every boardroom question is about ‘going faster’. Success will belong to those willing to make the invisible visible and to contextualise what this really means.

“The pressure is going to come. We need to move faster, we need to move at lower cost, we need to be more effective, do more with less. Those questions are going to keep coming,” concluded Rao.
