As you are no doubt aware, 2018 was yet another banner year for cybercrime. IBM Security Vice President Caleb Barlow recently reflected on the historic data breaches, widespread vulnerabilities and unprecedented onslaught of data privacy regulations affecting businesses across geographies. In such a fast-paced industry where technology — not to mention the threat landscape — is evolving daily, security culture is now a key determinant of success.

In my own experience, security teams are more likely to succeed when they’re viewed as an integral part of the business. Mature organizations recognize the direct connection between trust, user experience and revenue and place the chief information security officer (CISO) or chief security officer (CSO) on equal footing with other C-level executives.

Don’t Put the Chief Security Officer at the Kids’ Table

If you’re wondering why it matters who the CSO reports to, picture this: You’ve been invited to a holiday dinner with your extended family of 15 adults, but the dining room table only seats 14, and it’s already a tight squeeze. Ultimately, someone will need to sit at the kids’ table. And while that may be a lot more fun, the conversations that take place there will surely be very different from those at the main table.

The same dynamic exists in organizations that do not consider the CSO to be integral to the company’s success. If security is involved in senior leadership activities on an invite-only basis, the organization is only inviting trouble down the road. Security needs to be a part of the larger, mature conversations that take place around the health and state of the business. For instance, what happens when a vulnerability scan turns up high-risk flaws? Are there processes in place to ensure good communication? Who decides who is responsible for the fix? Who validates it? Is the report seen as crucial to ensure overall quality for a release, or is it considered a nuisance, a necessary evil?

Business success is directly tied to great user experiences and protecting sensitive data. Today, most organizations can see a point-in-time view of their security posture and threat landscape, but keeping up in 2019 requires more real-time information about the risks they face. Customers today expect, demand and even assume security is present in the applications they use. Meeting that demand requires high degrees of collaboration and communication, so don’t make it more difficult by relegating security to an island.

Everyone Plays a Role in Security

In today’s software world, where there is growing, extensive use of devices, microservices, components, containers and open-source tools, the potential for things to go wrong is increasing proportionally. For this reason, every department and executive throughout the organization needs to play a role in securing enterprise data.

One of the main problems is that people don’t really know what they have in their environment. If you walk into a development shop and ask five people how many applications their organization supports, you’ll likely get five different answers. And just see what happens if you ask for a full inventory of the services, libraries and components associated with those applications. Any information developers do have is often inconsistent across different departments. For instance, I’ve seen situations where IT had one list, security had another, and the two were never consolidated or cross-referenced. The impact of such a disconnect can be devastating.

What if your organization is using a lot of open-source components and a critical vulnerability emerges for one of them? If your enterprise is reliant on a central IT team but you have inconsistent departmental software inventories, how can you really be sure you’ve identified all the affected systems? And if you depend on employees to manually initiate patching efforts, how can you confirm they actually happened? Too often, the patch management process is a mix of automated efforts for some systems and an honor system for others. When this happens, inconsistent lists, inaccurate inventories and unclear, unenforced policies can easily leave critical systems exposed.
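The inventory problem described above can be made concrete. The following script is an added illustration, not code from the article or from IBM: it reconciles two constructed departmental inventories (an IT list and a security list), flags applications that only one department knows about and components the two disagree on, then lists every system still running a vulnerable version of a hypothetical open-source component and whether its patch was actually verified. Application names, component names, versions and the fixed version are all constructed sample data; version comparison is a simple numeric tuple compare, not full semver.

```python
"""Reconcile departmental software inventories and find systems affected
by a vulnerable component (added example; all data below is constructed)."""
from typing import Dict, List, Set, Tuple

Inventory = Dict[str, Dict[str, str]]  # app -> {component: version}

# Constructed sample: IT and security each keep their own list.
IT_INVENTORY: Inventory = {
    "billing-api": {"libfoo": "1.2.0", "libbar": "2.0.3"},
    "portal-web": {"libfoo": "1.4.1"},
    "batch-etl": {"libfoo": "1.1.7"},          # unknown to security
}
SEC_INVENTORY: Inventory = {
    "billing-api": {"libfoo": "1.4.0", "libbar": "2.0.3"},  # disagrees with IT
    "portal-web": {"libfoo": "1.4.1"},
    "mobile-bff": {"libfoo": "1.3.0"},         # unknown to IT
}
# Constructed: (app, component) pairs where someone marked the patch "done".
VERIFIED_PATCHES: Set[Tuple[str, str]] = {("batch-etl", "libfoo")}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.0' -> (1, 2, 0); assumes purely numeric dotted versions."""
    return tuple(int(p) for p in v.split("."))


def merge_inventories(*inventories: Inventory):
    """Union of all lists; on disagreement keep the LOWER version (assume the worst)."""
    merged: Inventory = {}
    conflicts: List[Tuple[str, str, str, str]] = []
    for inv in inventories:
        for app, comps in inv.items():
            for comp, ver in comps.items():
                known = merged.setdefault(app, {}).get(comp)
                if known is not None and known != ver:
                    conflicts.append((app, comp, known, ver))
                    ver = min(known, ver, key=parse_version)
                merged[app][comp] = ver
    return merged, conflicts


def missing_from(inv_a: Inventory, inv_b: Inventory) -> List[str]:
    """Applications that appear in only one of the two lists."""
    return sorted(set(inv_a) ^ set(inv_b))


def affected_systems(merged: Inventory, component: str, fixed_version: str,
                     verified: Set[Tuple[str, str]]):
    """(app, version, patch_marked_verified) for every app below fixed_version.
    A True flag next to a vulnerable version means the honor system failed."""
    fixed = parse_version(fixed_version)
    return [(app, comps[component], (app, component) in verified)
            for app, comps in sorted(merged.items())
            if component in comps and parse_version(comps[component]) < fixed]
```

Run with a hypothetical advisory "libfoo fixed in 1.4.0": the merged view shows billing-api as vulnerable even though security's list said otherwise, and batch-etl as marked patched while still on 1.1.7.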

Today, the critical systems that might be left exposed could be sitting in the pockets of your employees — I’m talking about the personal devices they use every day. How aware are your employees of your organization’s policies and procedures? Are they enforced? Are the devices they use to access enterprise data in hotels, coffee shops and in transit secure? Making the problem worse is the often blurred line between personal and professional use. How can you know that all the apps downloaded to these devices are safe? Do you rely solely on your employees to secure their own devices?

The industry has moved beyond simply enforcing password policies. Today, nontechnical employees must play a critical role in security strategy and act as the first line of defense. Take the time to educate them on your policies and, most importantly, how they impact the business. Then, take the necessary steps to enforce them. The policy you implement and enforce today just might prevent a breach tomorrow.

Security Culture Delivers Real Business Value

Security culture is becoming a sort of currency for organizations. Studies such as IBM Security’s “Future of Identity Report” have shown that consumers are prioritizing security over privacy and convenience for nearly all application types. It’s no longer acceptable to simply add in or account for security during the development life cycle; it must be part of the initial design and conception.

For that to happen, security needs to be ingrained in organizational culture, perceived as critical to the company’s success, and inclusive of all departments and employees across the enterprise. Organizations that do this well will be better positioned to build trust among their user base and provide the exceptional user experience that customers demand.
