%20(3).png)
IT infrastructure is growing more complex and threat actors are moving faster, but security and compliance aren’t keeping pace. Assurance processes remain too manual, too slow to adapt, and too resource-intensive. As a result, compliance becomes a box-checking exercise, and true security suffers. It all results in an environment where adversaries have the upper hand, and compliance is widely recognized as a pain and a distraction inside teams.
We need a new approach that enables government agencies and enterprise businesses to build secure by design infrastructure.
To usher in that shift, Sicura launched Security Control Management (SCM). This new category describes software solutions that provide continuous hardening, across every infrastructure deployment. SCM embraces automation of compliance processes, integration with agile workflows, and flexibility to deploy across on-prem and hybrid environments.
SCM is being launched into a complex and dynamic environment. To help illuminate the many contours behind the challenges and chart a course for where solutions are heading next, a panel of industry luminaries recently gathered at InfoSec World 2025. Titled, “Secure by Design, Not by Chance: The Rise of Security Control Management,” the panel explored the evolution of infrastructure, threats, and processes inside businesses. Panelists included:
- Marene Allison, former CISO, Johnson & Johnson
- Maj. Gen. Ryan Heritage (ret.), former Director of Operations, US Cyber Command
- Lisa Umberger, Co-Founder and CEO, Sicura; former NSA
Here’s a look at how panelists described the SCM landscape:
Infrastructure is growing increasingly complex
Infrastructure is often described as one category of technology. But inside government and enterprises, the reality is that there are many infrastructures. They vary by function, geography, and each have different standards that are required to obtain compliance. And despite the rise of the cloud, most organizations still deploy a mix of on-prem, cloud, and hybrid systems.
“Inside any major multinational corporations, it’s incredibly complex. IT wasn’t built in a day,” said Marene Allison, former CISO, Johnson & Johnson. In fact, it is a patchwork resulting from years of decisions, teardowns, upgrades, and adjustments based on changes in technology, changes to the business, and, in the case of security, changes to the threat environment and compliance standards. For a security team, that means plenty of potential challenges lurk.
“As my security architect and I described it when we first got to Johnson & Johnson, we had this big barrel of fish,” Allison said. “No matter what we stick our hand in and pull out, we are going to have a mess. So we had to clean it up. We started by bringing in secure by design principles and security requirements, and then bringing it up to the next level, which is true security.”
It’s a good reminder that systems are unlikely to be secure when a team first encounters them. Whether it is a new product out of the box or a new team bringing a system into the fold following a merger or acquisition, teams shouldn’t assume systems are secure by default. Additional security and compliance steps are almost always needed to make systems secure, and keep them secure over time. As complexity increases, the number of systems and security upgrades only increases. That compounds the challenge of keeping pace.
Adversaries are Moving Faster
Over a decorated career in the military, Ryan Heritage saw significant acceleration in the threat environment.
"When I was at the Marine Corps component to US Cyber Command, I used to tell the VIPs and key leaders who would visit that I can see things changing every six to nine months. You can come back and you can see our operational tempo has more than doubled," Heritage said.
“By the time I left as a director of operations at US Cyber Command, I can tell you the threat environment was changing daily.”
In this landscape, the adversary has the upper hand. After all, they have the license to take bigger risks and they only have to succeed once. Defenders, meanwhile, must be strategic and protect every surface.
To gain the advantage, it is not only necessary to keep pace with threat actors, but to move faster. A key question, Heritage said, is how systems adapt. Implementing security and obtaining compliance once every few years isn’t enough. Only a continuous process can push ahead rapidly.
The Biggest Insider Threat: An IT person in a hurry
While external threat actors that move with malice are a major point of concern, Allison said it was a more benign threat from inside a company that often presented an even greater point of anxiety.
“Most of the insiders I was worried about were the IT people,” Allison said. “The person who can provide the most access into your network without you knowing it is an IT person in a hurry that has to move data around or connect networks. Because as soon as that's done, they've created a hole that they may never close until somebody who's hacked you lets you know it's closed.”
Too often, security and compliance are separate processes from the development lifecycle. That makes them an afterthought. The real-world consequences are not only that systems deploy without security controls in place. It means that patches don’t get applied and misconfigurations don’t get corrected. That leaves room for vulnerabilities to take root.
Compliance at the Speed and Scale of National Security
Inside government agencies, security and compliance are mission-critical. Those that protect and defend our nation are frequently targeted in attacks, so systems must be secured to exacting standards. Yet it is widely agreed that compliance in the defense and intelligence community is an extremely cumbersome process that has no clear roadmap.
Heritage offered one such example from his time serving in the Marine Corps.
“The authority to operate and the authority to connect did not reside within the same organization or the same people. Authority to connect, usually rested with me as the operator, while the authority to operate rested with a higher headquarters,” Heritage said.
This is just one example from the U.S. Department of War, which is an organization of massive scale. There is a constant need to move faster, and improve communication. The entire structure can benefit not only from policy changes, but also automation.
“Imagine what a network will look like in the Department of War in a time of conflict with another nation state,” Heritage said. “There will be constant changes and new requirements. Speed will be critical.”
Toward a Secure by Design World
While the challenges are significant, the good news is that there has already been significant work down to shift the paradigm toward a solution.
The Cybersecurity and Infrastructure Security Agency (CISA) introduced Secure by Design to create a world where security is prioritized in every product and every deployment.
“What if there was a world where security was built-in, not bolted on afterwards?” Allison said.
It may sound futuristic, but Allison offered a reminder that significant progress has already been made. When teams from J&J used to check into a hotel, they needed a manual just to get all of the right passwords and VPNs up and running. Today, all of that extra paperwork is not necessary because more security controls are in place.
Today, a new and transformative era of change must begin. Security Control Management solutions offer a roadmap to build secure by design infrastructure. Eventually, security and compliance will be features, and you might not even need to know they are there.
.png)
