As you are no doubt aware, 2018 was yet another banner year for cybercrime. IBM Security Vice President Caleb Barlow recently reflected on the historic data breaches, widespread vulnerabilities and unprecedented onslaught of data privacy regulations affecting businesses across geographies. In such a fast-paced industry where technology — not to mention the threat landscape — is evolving daily, security culture is now a key determinant of success.

In my own experience, security teams are more likely to succeed when they’re viewed as an integral part of the business. Mature organizations recognize the direct connection between trust, user experience and revenue and place the chief information security officer (CISO) or chief security officer (CSO) on equal footing with other C-level executives.

Don’t Put the Chief Security Officer at the Kids Table

If you’re wondering why it matters who the CSO reports to, picture this: You’ve been invited to a holiday dinner with your extended family of 15 adults, but the dining room table only seats 14, and it’s already a tight squeeze. Ultimately, someone will need to sit at the kids table. And while that may be a lot more fun, the conversations that take place there will surely be very different than at the main table.

The same dynamic exists in organizations that do not consider the CSO to be integral to the company’s success. If security is involved in senior leadership activities on an invite-only basis, the organization is only inviting trouble down the road. Security needs to be a part of the larger, mature conversations that take place around the health and state of the business. For instance, what happens when a vulnerability scan turns up high-risk flaws? Are there processes in place to ensure good communication? Who decides who is responsible for the fix? Who validates it? Is the report seen as crucial to ensure overall quality for a release, or is it considered a nuisance, a necessary evil?

Business success is directly tied to great user experiences and protecting sensitive data. Today, most organizations can see a point-in-time view of their security posture and threat landscape, but they need more real-time information about the risks they face to keep up with the threat landscape in 2019. Customers today expect, demand and even assume security is present in the applications they use. Meeting that demand requires high degrees of collaboration and communication, so don’t make it more difficult by relegating security to an island.

Everyone Plays a Role in Security

In today’s software world, where there is growing, extensive use of devices, microservices, components, containers and open-source tools, the potential for things to go wrong is increasing proportionally. For this reason, every department and executive throughout the organization needs to play a role in securing enterprise data.

One of the main problems is that people don’t really know what they have in their environment. If you walk into a development shop and ask five people how many applications their organization supports, you’ll likely get five different answers. And just see what happens if you ask for a full inventory of the services, libraries and components associated with those applications. Any information developers do have is often inconsistent across different departments. For instance, I’ve seen situations where IT had one list, security had another, and the two were never consolidated or cross-referenced. The impact of such a disconnect can be devastating.

What if your organization is using a lot of open-source components and a critical vulnerability emerges for one of them? If your enterprise is reliant on a central IT team but you have inconsistent departmental software inventories, how can you really be sure you’ve identified all the affected systems? And if you depend on employees to manually initiate patching efforts, how can you confirm they actually happened? Too often, the patch management process is a mix of automated efforts for some systems and an honor system for others. When this happens, inconsistent lists, inaccurate inventories and unclear, unenforced policies can easily leave critical systems exposed.

Today, the critical systems that might be left exposed could be sitting in the pockets of your employees — I’m talking about the personal devices they use every day. How aware are your employees of your organization’s policies and procedures? Are they enforced? Are the devices they use to access enterprise data in hotels, coffee shops and in transit secure? Making the problem worse is the often blurred line between personal and professional use. How can you know that all the apps downloaded to these devices are safe? Do you rely solely on your employees to secure their own devices?

The industry has moved beyond simply enforcing password policies. Today, nontechnical employees must play a critical role in security strategy and act as the first line of defense. Take the time to educate them on your policies and, most importantly, how they impact the business. Then, take the necessary steps to enforce them. The policy you implement and enforce today just might prevent a breach tomorrow.

Security Culture Delivers Real Business Value

Security culture is becoming a sort of currency for organizations. Studies such as IBM Security’s “Future of Identity Report” have shown that consumers are prioritizing security over privacy and convenience for nearly all application types. It’s no longer acceptable to simply add in or account for security during the development life cycle; it must be part of the initial design and conception.

For that to happen, security needs to be ingrained in organizational culture, perceived as critical to the company’s success, and inclusive of all departments and employees across the enterprise. Organizations that do this well will be better positioned to build trust among their user base and provide the exceptional user experience that customers demand.

More from Application Security

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…