As you are no doubt aware, 2018 was yet another banner year for cybercrime. IBM Security Vice President Caleb Barlow recently reflected on the historic data breaches, widespread vulnerabilities and unprecedented onslaught of data privacy regulations affecting businesses across geographies. In such a fast-paced industry where technology — not to mention the threat landscape — is evolving daily, security culture is now a key determinant of success.
In my own experience, security teams are more likely to succeed when they’re viewed as an integral part of the business. Mature organizations recognize the direct connection between trust, user experience and revenue and place the chief information security officer (CISO) or chief security officer (CSO) on equal footing with other C-level executives.
Don’t Put the Chief Security Officer at the Kids Table
If you’re wondering why it matters who the CSO reports to, picture this: You’ve been invited to a holiday dinner with your extended family of 15 adults, but the dining room table only seats 14, and it’s already a tight squeeze. Ultimately, someone will need to sit at the kids table. And while that may be a lot more fun, the conversations that take place there will surely be very different than at the main table.
The same dynamic exists in organizations that do not consider the CSO to be integral to the company’s success. If security is involved in senior leadership activities on an invite-only basis, the organization is only inviting trouble down the road. Security needs to be a part of the larger, mature conversations that take place around the health and state of the business. For instance, what happens when a vulnerability scan turns up high-risk flaws? Are there processes in place to ensure good communication? Who decides who is responsible for the fix? Who validates it? Is the report seen as crucial to ensure overall quality for a release, or is it considered a nuisance, a necessary evil?
Business success is directly tied to great user experiences and protecting sensitive data. Today, most organizations can see a point-in-time view of their security posture and threat landscape, but they need more real-time information about the risks they face to keep up with the threat landscape in 2019. Customers today expect, demand and even assume security is present in the applications they use. Meeting that demand requires high degrees of collaboration and communication, so don’t make it more difficult by relegating security to an island.
Everyone Plays a Role in Security
In today’s software world, where there is growing, extensive use of devices, microservices, components, containers and open-source tools, the potential for things to go wrong is increasing proportionally. For this reason, every department and executive throughout the organization needs to play a role in securing enterprise data.
One of the main problems is that people don’t really know what they have in their environment. If you walk into a development shop and ask five people how many applications their organization supports, you’ll likely get five different answers. And just see what happens if you ask for a full inventory of the services, libraries and components associated with those applications. Any information developers do have is often inconsistent across different departments. For instance, I’ve seen situations where IT had one list, security had another, and the two were never consolidated or cross-referenced. The impact of such a disconnect can be devastating.
What if your organization is using a lot of open-source components and a critical vulnerability emerges for one of them? If your enterprise is reliant on a central IT team but you have inconsistent departmental software inventories, how can you really be sure you’ve identified all the affected systems? And if you depend on employees to manually initiate patching efforts, how can you confirm they actually happened? Too often, the patch management process is a mix of automated efforts for some systems and an honor system for others. When this happens, inconsistent lists, inaccurate inventories and unclear, unenforced policies can easily leave critical systems exposed.
Today, the critical systems that might be left exposed could be sitting in the pockets of your employees — I’m talking about the personal devices they use every day. How aware are your employees of your organization’s policies and procedures? Are they enforced? Are the devices they use to access enterprise data in hotels, coffee shops and in transit secure? Making the problem worse is the often blurred line between personal and professional use. How can you know that all the apps downloaded to these devices are safe? Do you rely solely on your employees to secure their own devices?
The industry has moved beyond simply enforcing password policies. Today, nontechnical employees must play a critical role in security strategy and act as the first line of defense. Take the time to educate them on your policies and, most importantly, how they impact the business. Then, take the necessary steps to enforce them. The policy you implement and enforce today just might prevent a breach tomorrow.
Security Culture Delivers Real Business Value
Security culture is becoming a sort of currency for organizations. Studies such as IBM Security’s “Future of Identity Report” have shown that consumers are prioritizing security over privacy and convenience for nearly all application types. It’s no longer acceptable to simply add in or account for security during the development life cycle; it must be part of the initial design and conception.
For that to happen, security needs to be ingrained in organizational culture, perceived as critical to the company’s success, and inclusive of all departments and employees across the enterprise. Organizations that do this well will be better positioned to build trust among their user base and provide the exceptional user experience that customers demand.
Worldwide Application Security Evangelist