With the constantly transforming cyber landscape, intruders are always finding new ways to exploit weaknesses in organizations’ systems and applications. As a result, cyber-related incidents have become one of the top risks to businesses as they attempt to understand their cyber resilience and exposure to threats.

The role of security assurance, therefore, becomes crucial in helping organizations undertake effective cyber risk management, adhere to regulatory and legal compliance requirements, and protect against costly security breaches. Many organizations are already recognizing this shift: According to research conducted by MarketsandMarkets, the global security assurance market is expected to grow to $5.48 billion by 2023.

The security assurance function aims to provide organizations with confidence and trust in the effectiveness of their security controls through various means, such as evidence-based risk assessments, control gap analyses and security tests to help identify the risks posed to the organization. However, the ever-increasing number of security breaches and some organizations’ inability to show adherence to basic security hygiene reflect an inadequacy in our current security assurance models.

Challenges With Contemporary Security Assurance Models

Our current approaches are reactive — evidence suggests that organizations respond to most security threats after they have happened. A proactive security assurance model is a key enabler for delivering an effective operating model that encompasses the protection of people, processes and technology. One of the main obstacles to achieving robust digital security is inflexible organizational processes that hinder a proactive defense strategy.

Our models also have a short shelf life, as the threat landscape is always evolving. Internal and external audits evaluate the effectiveness of controls against threats based on risk trends and themes at the time of the exercise. Assurance models become obsolete if they are not continually monitored, assessed and updated.

Lastly, current models are static. With the explosion of cloud adoption and tactile internet on the horizon, more businesses are seeking opportunities through enabling digital technology. Agile methodologies are speeding up the delivery of digital transformation. Contemporary assurance models are failing to adapt to this iterative-incremental development and deployment paradigm.

Factors of a Successful Security Assurance Function

Think collaboration. For a security assurance function to be successful, organizations need to break down silos and enable more collaboration between key stakeholders.

First, identify, classify and prioritize business-critical assets that could have severe impacts on business strategy if exploited or accessed. Next, you’ll want to centralize controls. Organizations should manage strategic enterprise security controls centrally to have better visibility into the operational effectiveness of those controls.

Finally, maintain up-to-date security policies, standards and compliance requirements. Understand how policies, processes, standards and compliance affect the desired state of controls. These must be driven by business objectives and your organization’s specific risk appetite.

Building a Proactive and Dynamic Security Assurance Model

To adapt to modern-day challenges, it’s important that organizations reinvent and tune their security assurance operating models for speed and agility. An effective assurance model needs to find the right balance between a proactive and reactive approach in order to build a more secure organization and retain stakeholder trust. Begin with the following steps:

  • Affiliate your security assurance strategy to business objectives to improve the organization’s security posture.
  • Align your security assurance operating model with risk management and governance efforts to attain operational efficiency.
  • Define your organization’s maturity road map for controls based on your risk appetite.
  • Perform evidence-based assessments to generate trust. Evidence collection should focus on key control objectives.
  • Integrate assurance into development iterations to assist with agile delivery. Align assurance processes to promote DevSecOps culture and address any security concerns at the development stage.
  • Ensure security is embedded from inception. Secure by design principles are fabricated into the product delivery process. For agile development, this means ensuring security initiatives are included in sprint goals.

Companies should also conduct smarter and more balanced assurance activities to aid frequent assessments. Security assurance should be conducted in a pragmatic and proportionate way to prevent cyberattacks and breaches. This includes the following:

  • Rationalize multiple cybersecurity frameworks into control objectives and prioritize objectives based on the threats to the organization to provide a more focused assessment.
  • Develop a security controls catalog/checklist based on security profiles or assets. Implement a response assessment approach based on the risk appetite of your organization.
  • Utilize automation tools to support in conducting security assessments where possible, such as third-party cybersecurity risk and privacy impact assessments.
  • Leverage automated testing (for both in-house source code and third-party code assessments) as part of continuous integration/continuous delivery (CI/CD) pipelines to support agile development.
  • Automate evidence collection by performing scenario-based security testing that is based on the MITRE ATT&CK framework. Testing should be done on key security controls to continually assess control effectiveness and provide an extra level of confidence. Ask yourself: “Does the point-in-time, evidence-based assessment withstand the real test?”

In summary, a winning digital security assurance model must help accelerate continual, evidence-based security assessments, manage cybersecurity risk effectively, prove compliance with ever-changing regulatory requirements and empower the organization to gain confidence in their security posture.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today