IT Focus Area: Security
August 17, 2015
Innovating Your Security Mindset
Security breaches are inevitable. Companies should shift from aging mindsets and predictable tools to comprehensive prevention, detection and response capabilities in order to neutralize potential damage.
In this three-part series, we’re exploring today’s IT security issues from different perspectives:
1. Core infrastructure security and threat and vulnerability management
2. Data protection and identity and access management
3. Security program governance and application security
Part Three: Innovating Your Security Mindset
In part two of this series, we talked about the role data protection and identity and access management controls play in protecting data, and how you can work to secure each door into the fragmented IT environment. Now, in part three, we’ll focus on security program governance and application security strategy, and the role they play in replacing the legacy security mindset.
With all of the data breaches making headlines over the past few years, most organizations have come to realize that cyber security is a persistent risk, and a breach can spell disaster. As the frequency of data breaches continues to climb, it has become clear that IT security programs are lacking, and critical information security process, technology, and staffing needs are not being met. Many of the challenges in the security industry boil down to a mindset problem.
Chart a New Course
Too many of us are clinging to old mindsets, like using compliance as a guide to security. This leads IT teams to focus on checking boxes rather than thinking about security strategy; as soon as they achieve compliance, they stop thinking about security and move on. But just as passing a health inspection doesn’t mean a restaurant will serve good food, compliance does not equal security. It’s a minimum requirement, and is not enough to protect against the tactics being used by hackers today. Target, Home Depot and others were compliant at the time they were breached.
Instead of following a list of requirements, or trying to “build taller castle walls and dig deeper moats,” we need to address the scope and components of a comprehensive approach to security, and establish repeatable, measurable programs that focus on what’s mission-critical to the business. Tools are not the problem; as the more than 500 exhibitors at this year’s RSA conference demonstrated, we've got a great ecosystem of tools at our disposal. Technologies exist to provide true visibility, comprehensive threat intelligence and systems that help manage risk. We just need to broaden our view, take into consideration what each of those tools is seeing, and integrate them so that we get an accurate view from the endpoint to the cloud and can respond to threats proactively.
It’s important to take a step back and assess your current security state, and develop a truly actionable roadmap to an optimized state that’s based on your business objectives. Professional services like program assessments, threat assessments and incident response planning can help you set critical policies and take a more strategic, scalable approach to security.
Secure Your Software Development Life Cycle (SDLC)
And don’t forget security when developing applications. Applications and data—not the infrastructure—are the main focus of most cyber attacks, and yet many organizations haven’t formalized a secure software development program. Too much time is being spent reacting to security issues in completed applications instead of fixing problems before they are deployed. Assigning a security professional to your application development team is a best practice that ensures that software is secure from the ground up. Without this integrated approach, securing your SDLC may be viewed as optional in your organization.
Every phase of your SDLC should stress security, regardless of your development methodology, organizational culture, types of applications or risk profile. Not only is this a precaution against attacks, it helps to ensure compliance with internal policies and external regulatory requirements.
Professional services like penetration testing, threat modeling, application architecture assessments, static code reviews and other services designed to integrate security into the SDLC can reduce web and mobile threats, and ensure your applications are tested for security as much as they are for functionality.
Prioritize What Matters Most
We need to evolve, change, and become more agile. By shoring up our programs and shifting away from the tools and tactics of the past, we can take a cohesive approach to security that focuses on what is mission critical to the business, and employ strategies and solutions that actually map to the threat environment we’re facing today.