Making IT Security First a Prime Directive for Your Business- Nine Elements
Business and IT executives and employees need to consider privacy and security as part of their daily routine.
Small businesses and enterprises need to drive “security first” best practices that effectively make it a prime directive like the “cloud first” directive. Enterprises no longer exist in a world in which a corporation contains its proprietary and confidential assets within the confines of its four-walled data centers and colocation sites. The modern world consists of a new, more expansive and invasive, cloud-enabled reality that is interwoven with every phase of software development and operations.

Up until now, many business units and IT groups have ignored the business implications of security gaps and operated in a “business as usual” mode. However, customer lawsuits and legislative scrutiny are changing that at a rapid pace. IT organizations must begin to clean up their acts immediately or otherwise face significant, perhaps irrecoverable, impacts to revenue, profitability, reputation, and legal standing. Cultural changes, executive buy-in, and acceptance of security accountability by developers and others along, across, and up the software development lifecycle (SDLC) chain will be necessary.

Issues related to progressive infrastructure adoptions, including cloud, hybrid-cloud, SaaS, and Edge frameworks, require that enterprise IT executives shepherd evolved development, security, and oversight methodologies to accommodate these changes. Companies are exposed to increased security vulnerabilities throughout the entire software development life cycle: from internal code, APIs, and third-party open-source code, and from cloud providers, suppliers, and other business partners and vendors. IT can no longer hide its secrets – stories of malware and ransomware are front-page news almost daily, and companies are being sued by their downstream customers for outages. The costs are estimated to be greater than $20 billion per annum and are on the rise.

The Business View

A security first prime directive must start at the top.
The Board of Directors’ risk committee must recognize, and communicate to the lines of business, that security is an existential threat. If that is not conveyed and commitments are not obtained, then it is highly likely that the initiative will not succeed. Everyone must feel responsible for security in order to get results. The metrics must be results based, not process based, if the directive is to be effective. Additionally, security needs to be tied to annual compensation and be part of the executives’ performance plan. It should not be treated as a call to hunt for added funding. One of the best ways to engage executives is to scare the hell out of them by showing the number of open vulnerabilities, tagged by severity, by operating system pipeline. The cultural environment must change, and this is one way to instill the desire to change. Executives need to examine the security risks in four ways: financial, legal, operational, and reputational (brand). Then, they need to consider process revisions that address all aspects of the security issues and create compensating controls.

An existential threat requires an entire-enterprise approach:
- Create a sense of urgency and a strategy
- Leadership sets the tone
- BISO/CSO in Business Units for whole company approach
- Business Unit accountability
- Institute cyber into fabric of company
- Follow through – e.g., Deming wheel of plan-do-check-act (frequently missing and a major flaw)
- Development and phishing should be a shared understanding between the lines of business and IT
- Eliminate the developer/security gatekeeper adversarial relationship
- Know your baseline, risk exposure, and number of open vulnerabilities and applications that are impacted by them
- Community challenge (not just individual)
- Champions should be viewed as evangelists with a career path
- Tools and training/upskilling
- Code scanning
- Rewrite standards – security and privacy by design [SPBD]
- Training mandates
- Hackathons – with competition among groups
- Incentives and gamification and recognition (leader boards)
- Team competition