An ideal world would have unicorns. By contrast, the world in which we live has…let’s just say “donkeys.”
How does this play out in cyber security?
Security fatigue is a problem. We’re bombarded with dire warnings and doomsday headlines, to the point where we just don’t care anymore. Imagining a perfect world can help us make positive changes that, over time, improve the state of the real world.
Organizations are waking up to the fact that security is important, but change is slow. An organization that has suffered some kind of cyber security breach or embarrassment is likely to create a security group, usually as part of product development or sometimes information technology.
At first glance, this seems like a good solution: The organization is devoting resources to security, and the group is responsible for keeping the rest of the organization safe. Unfortunately, this approach alone has serious problems that mean it is destined to end in tears and failure:
In the unicorn world, support for a real software security initiative (SSI) comes from the highest levels of management. Top-level support was crucial to the success of Microsoft’s security initiatives, which began in 2002 and continue to this day.
With this top-level support, a chief information security officer (CISO) joins the executive team to take charge of IT security, product security, and incident response.
While the CISO will have a security team, everyone needs to understand that the security team does not keep the organization safe but instead spreads the word. Organizational risk decreases only when a culture of security pervades every part of the organization.
Key to this is education, including general cyber security awareness, operational security awareness, and training that helps developers introduce fewer vulnerabilities as they write code. This is not a one-time effort; education needs to be ongoing, current, and engaging.
In IT security, the CISO’s team can help create and implement policies for everything from authentication to procurement.
In product security, the goal of the CISO’s team is to help product teams adopt a proper secure development life cycle (SDLC), one that accounts for security at every phase. This can be supplemented by more testing and better testing, which allows more vulnerabilities to be located and eliminated before product release.
When things go wrong (and things always go wrong), having a plan is important. Defining policies for incident response helps your organization minimize damage and respond quickly to security events.
Where do we go from here? No matter where you are in your security journey, you can always move forward and reduce your risk a little more.
If you’re completely new, get started by taking stock of your current security policies, procedures, tools, and teams. If you’re just starting on product security, work on implementing a proper SDLC, then introduce source code analysis and software supply chain tools into your build chain. If you’re already managing your supply chain, and kicking butt with your source analysis, add fuzzing and interactive testing.
If you’ve already got all that going on—there is always a next level. Make sure your tools are automated and integrated into your development, and make sure that violations of your security policy can break the build. Ratchet your policies to set the bar higher.
Security is more of a mindset than a destination. The goal of any security group is to help lift the entire organization into a positive, proactive, security-first attitude and to work security into every aspect of product development and operations. Ultimately, this holistic, comprehensive approach to security is the most effective way to lower organizational risk.