Business increasingly takes place online. According to the Centre for Retail Research, more than a quarter (26.5%) of retail activity took place online in the UK in 2022, with similar growth in countries like Germany (19.6%) and the US (18.8%). Businesses rely on their digital channels to serve customers more than ever, either directly through e-commerce sites or indirectly through providing information and customer support. This means that managing security for website infrastructure is critical to a growing proportion of businesses.
You cannot hold everything together alone, though. Multiple stakeholders across your organization share responsibilities as part of a website operations (WebOps) process. For example, you may rely on your website team to make updates and keep things secure. In WebOps, improving security involves understanding how people work and the psychology behind why decisions get made. Here are some areas you can focus on to improve your team’s approach and ensure that you support the business effectively.
Start With the Basics, But Don’t Judge
Like a trip to the doctor for an annual checkup, there are some security basics that apply to everyone. Just like your doctor may advise you to stop smoking or exercise more, your security strategy should include basics like patching vulnerabilities and controlling access to services and data.
At this point, you may already find some situations that frustrate you. Perhaps the website is on an outdated version of its content management system, or a plug-in is missing a critical update. Rather than charging in to demand why patches have not been installed, you should find out what the approach is and why updates have not been put in place yet. Start with a mindset of curiosity, and you can find the practical problems that hold up security fixes being deployed.
Understand the Business Impact
Out-of-date systems are problematic on their own. However, when security seems to have obvious gaps, there’s often another explanation lurking, usually tied to business value. Namely, there’s usually a conflict between the ‘obvious’ security improvement and getting other work done.
Understanding these situations takes more than purely technical knowledge. You’ll also need to understand how the business uses its websites – and measures success on those sites. Building this understanding can reveal why ‘obvious’ security-centric practices fail to occur. For example, there may be fear around patching because a past update halted operations while developers hunted for a root cause. A lost revenue incident can shake certainty around quickly applying updates for years.
Understanding how security practices interact with (or conflict with) core business needs will help you implement effective strategies that mitigate risks and (finally!) allow you and your team to meet both security and business goals. For example, a better staging/CI pipeline might provide the certainty to apply patches. Another project might need improvements to code review and merge workflows to clear the path to high-certainty, timely security responses.
Look at How Much You Are Really Helping
Carrying out updates should feel routine for both developers and security professionals at your organization. A uniform change management process that supports new features and security patches alike can help.
Other things matter, too: Is the path to proposing, testing and deploying changes always open when an urgent need arises? Even if the path is open, what is the minimum time from creating a branch until deploying to production?
Sometimes, investments can also be misplaced, causing your team to miss out on the expected value. For example, you might invest heavily in automating your testing process to make your developers more efficient. However, if your developers avoid the test system because it takes too long and generates too many false positives, you’ve largely wasted the investment. Rather than speeding up your team, you’ve wasted time and, worse, perhaps built false confidence based on the assumption that people are using what they created.
Instead of QA projects that often go stale, consider a lightweight process. For example, instead of implementing brittle functional tests that run in a system like Selenium, consider smoke tests and visual regression testing since these approaches require minimal maintenance and rarely produce difficult-to-analyze false positives.
For teams involved in WebOps, remember that security is there to support a constellation of business goals. It doesn’t exist in a vacuum; you’ll only find frustration and failure from pursuing security myopically.
Look at the tooling, processes and approaches that your team takes in the harsh, skeptical light of how those processes create measurable value and risk. By empathetically looking at why people make the decisions they make – including ones that, on the face, seem like bad practices – you can move past conflicts between security and other business goals and a path to delivering both.