’Developers are the new kingmakers’, and according to a recent report there will be over one hundred billion new lines of code written this year. Not only will this introduce a massive new crop of vulnerabilities, but it will also increase the need for software delivery velocity.
At the same time, CIOs are struggling to keep pace with their current business functions, which can often leave them feeling “flat-footed” when it comes to being proactive about security. Take the recent massive Equifax data breach, which impacted 143 million people: this event demonstrated the need for CIO’s to implement a proactive security approach in order to avoid becoming the next victim.
As an Enterprise CIO and now CTO/Co-Founder of a SaaS startup, I’ve gained firsthand experience in tackling a number of these challenges. Here are some steps that I would recommend CIO’s take in order to adapt to today’s evolving threat landscape.
You Can’t Secure What You Don’t Know About
The first step towards improving the security posture and resiliency of a company is to take a baseline inventory of code repositories, build systems, and application deployments, both on-premises and cloud. Other things to document during this assessment include:
- What security tools are currently being used?
- How frequent is security testing being performed?
- How are vulnerabilities being prioritized and remediated?
- How often are risk assessments performed?
Once a CIO has all of this information documented, they can move onto the next step in assembling their strategic framework.
Prioritize, Prioritize, Prioritize
Every strategic plan needs to have some tactical components and in this case, the first one is to prioritize a company’s applications based upon prior risk assessments. The applications that access sensitive data such as PII, PHI, or are under PCI compliance should be addressed first.
Another factor to take into consideration is the level of exposure that the application has. Some may only be accessible by internal employees, which is not to say that they don’t have a risk level, but are most often lower in rank than publicly accessible applications. An important point to make here is that risk is not a static state, but instead is elastic, and the associated risk posture of an application could shift over time. This is why prioritization is not a “one and done” task, but rather a regular process aligned with the other components of the plan.
Communication Cadence
Proper security requires a level of awareness and arming IT and security teams with firm details around why a given product or platform is being used, will go a long way. Actionable metrics augment this communication and often help foster alignment toward the common goal of increased, continuous security. Over time, these efforts should help establish and increase overall security awareness, which ultimately increases the resiliency of the company’s crucial assets.
Continuous Security
Application and Infrastructure security, especially in today’s high velocity, cloud first world, is evolving and changing often many times per day. In the past, security testing was performed manually on a periodic basis (e.g. penetration test once per quarter). Given the increasing number of breaches, including the most recent massive Equifax incident, it is painfully obvious that something needs to change with respect to current attitudes and approaches to security.
In the past it was sufficient to have a “next-generation” firewall and an incident response team/security operations center. However, now it is crystal clear that hackers have the upper hand and they are continuously looking for vulnerabilities. In order to level the attack playing field, CIO’s should start implementing some offense tactics instead of purely defense.
Resiliency
No single security product or solution is going to protect an enterprise against hackers, which is which I am advocating for a more holistic approach. The metrics that I think about in this case are: IRD (Internal Rate of Detection) and IRR (Internal Rate or Remediation). What that means, in simple terms, is how quickly a company knows about vulnerability, and, more importantly, how quickly they can remediate the issue. The smaller the delta between the two actions, the more resilient a company will be.
While there is no “one size fits all” approach to security, CIO’s must continually adjust their strategy in order to improve. Risk as it relates to security, is an elastic asset, and it’s important to be more diligent about decreasing the level of that asset.