Making IT Security First a Prime Directive for Your Business: Nine Elements
Business and IT executives and employees need to consider privacy and security as part of their daily routine.
Small businesses and enterprises need to drive “security first” best practices that effectively make it a prime directive like the “cloud first” directive. Enterprises no longer exist in a world wherein a corporation contains its proprietary and confidential assets within the confines of its four-walled data centers and colocation sites. The modern world is comprised of a new, more expansive and invasive, cloud-enabled reality impacting and interwoven with every phase of software development and operations.
Up until now, many business units and IT groups have ignored the business implications of security gaps and operated in a “business as usual” mode. However, customer lawsuits and legislative scrutiny are changing that at a rapid pace. IT organizations must begin to clean up their acts immediately or otherwise face significant detrimental, perhaps irrecoverable, impacts to revenue, profitability, reputation, and legal standing. Cultural changes, executive buy-in, and acceptance of security accountability by developers and others along, across, and up the software development lifecycle (SDLC) chain will be necessary. Issues related to progressive infrastructure adoptions, including cloud, hybrid-cloud, SaaS, and Edge frameworks, necessitate that enterprise IT executives shepherd evolved development, security, and oversight methodologies to accommodate these evolutions.
Companies are exposed to increased security vulnerabilities throughout the entire software development life cycle: from internal code, APIs, and third-party open-source code, and from cloud providers and suppliers and other business partners and vendors. IT can no longer hide its secrets – stories of malware and ransomware are front-page news almost daily and companies are being sued by their downstream customers for outages. The costs are estimated to be greater than $20 billion per annum and are on the rise.
The Business View
A security first prime directive must start at the top. The Board of Directors’ risk committee must feel and communicate to the lines of business that security is an existential threat. If that is not conveyed and commitments obtained, then it is highly likely that the initiative will not succeed. Everyone must feel responsible for security in order to get results. The metrics must be results based, not process based, if the directive is to be effective. Additionally, security needs to be tied to annual compensation and be part of the executives’ performance plan. It should not be considered a call to hunt for added funding.
One of the best ways to engage executives is to scare the hell out of them by showing the number of open vulnerabilities, tagged by severity, by operating system pipeline. The cultural environment must change, and this is one way to instill the desire to change. Executives need to examine the security risks in four ways: financial, legal, operational, and reputational (brand). Then, they need to consider process revisions that address all aspects of the security issues and create compensating controls.
Existential threat requires an entire enterprise approach:
- Create sense of urgency and strategy
- Leadership sets the tone
- BISO/CSO in Business Units for whole company approach
- Business Unit accountability
- Institute cyber into fabric of company
- Follow through – e.g., Deming wheel of plan-do-check-act (frequently missing and a major flaw)
- Development and phishing should be a shared understanding between the lines of business and IT
- Eliminate the developer/security gatekeeper adversarial relationship
- Know your baseline, risk exposure, and number of open vulnerabilities and applications that are impacted by them
IT and Development Actions
As a starting point, one needs to know the set of all IT assets – i.e., the inventory and who owns and is responsible for each asset and its risk rank. One of the biggest challenges with this was thought to be a legacy code problem, as many of these assets are undocumented or poorly documented and maintained – and the original developer is long gone.
It is not all about applications. Data, especially PII data, is everywhere and must be kept secure. One concept is data sparsity, which leads to data sprawl avoidance and reduces the data risk. GDPR and new mandates, which keep coming from regulatory agencies and governments around the world, are redefining what it means to protect data privacy and keep the data secure wherever it may be. To do this, security engineering practices must change.
People all along the IT development and operational chain must feel paranoid. It was suggested that enterprises utilize a centralized Security and Privacy By Design (SPBD) policy and implement SPBD processes in each of the development and operational units. That is, the policy is controlled centrally, while each of the different teams can implement it with different methodologies, regardless of the tool sets and languages being used.
Enterprises need to create common measures and incentives and commit to education on security for all. But it is not required for all development teams to use all the same tools. It will be necessary to automate the CI/CD processes and establish meaningful security controls. Initially, and possibly longer, it will be necessary to have an automation process that has exception processing allowances.
IT executives need to think about the entire process and measure the developers overall. Executives should score how well developers did on training courses as well as knowing what percentage went through training. It is also important to measure developers’ code quality improvement – not just the application individually. IT should measure rate of code fix and exposure level – how quickly bugs are closed out and the number of remaining open critical and high vulnerabilities. If possible, companies should do threat modeling by developer. If there is at least one good developer rock star, he/she should train others, especially the bad ones. They should be doing code reviews and paired coding exercises. The objective here is to shift security left.
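One way to automate the controls and measures described above (a CI/CD gate with exception allowances, plus rate of fix and open critical/high exposure), shown as an added example that is not part of the original article. The finding records, the exception register, and all function names are hypothetical.

```python
from collections import Counter
from datetime import date

# Constructed sample data: scanner findings and approved exceptions (all hypothetical).
FINDINGS = [
    {"id": "F-1", "app": "billing", "severity": "critical", "opened": date(2024, 1, 2), "closed": date(2024, 1, 9)},
    {"id": "F-2", "app": "billing", "severity": "high", "opened": date(2024, 1, 5), "closed": None},
    {"id": "F-3", "app": "portal", "severity": "critical", "opened": date(2024, 2, 1), "closed": None},
    {"id": "F-4", "app": "portal", "severity": "low", "opened": date(2024, 2, 3), "closed": None},
    {"id": "F-5", "app": "legacy-hr", "severity": "high", "opened": date(2023, 11, 1), "closed": date(2024, 1, 30)},
]
# Exception allowances: finding id -> expiry date. An expired exception no longer suppresses.
EXCEPTIONS = {"F-2": date(2024, 3, 31), "F-3": date(2024, 2, 15)}
BLOCKING = {"critical", "high"}

def open_exposure(findings):
    """Exposure level: count of still-open findings per severity."""
    return Counter(f["severity"] for f in findings if f["closed"] is None)

def mean_days_to_fix(findings, severities=BLOCKING):
    """Rate of fix: mean days from open to close for closed findings."""
    days = [(f["closed"] - f["opened"]).days
            for f in findings if f["closed"] and f["severity"] in severities]
    return sum(days) / len(days) if days else None

def gate(findings, exceptions, today):
    """Return ids of open critical/high findings with no unexpired exception."""
    blocking = []
    for f in findings:
        if f["closed"] is not None or f["severity"] not in BLOCKING:
            continue
        expiry = exceptions.get(f["id"])
        if expiry is None or expiry < today:
            blocking.append(f["id"])
    return blocking

if __name__ == "__main__":
    today = date(2024, 3, 1)  # fixed date so the sample is reproducible
    print("open by severity:", dict(open_exposure(FINDINGS)))
    print("mean days to fix (critical/high):", mean_days_to_fix(FINDINGS))
    blocked = gate(FINDINGS, EXCEPTIONS, today)
    print("pipeline:", "FAIL " + ", ".join(blocked) if blocked else "PASS")
```

Because each exception carries an expiry date, an allowance that is never revisited turns back into a failing build instead of becoming permanent.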
Another approach is to create security champions in development (co-created with development and security) and the nine elements:
- Community challenge (not just individual)
- Champions should be viewed as evangelists with a career path
- Tools and training/upskilling
- Code scanning
- Rewrite standards – security and privacy by design [SPBD]
- Training mandates
- Hackathons – with competition among groups
- Incentives and gamification and recognition (leader boards)
- Team competition
An additional concept is the building of a factory model for third-party remediation for legacy applications. In many cases this will be offloaded to outsourcers. These offshore firms must be held accountable to their contract commitments if this is to be successful. This is also true of all shadow IT – especially assets on the Internet and orphaned sites. All these components should be included as part of the enterprise’s asset inventory.
The Bottom Line
Most organizations are a long way from having security first as a prime directive. Enterprise and IT executives need to change the corporate culture and get all employees to consider privacy and security as part of their daily routine. Annual performance and code of conduct reviews will not make this happen. It will take a major ongoing commitment from the top before all levels of management and staff begin to incorporate security as part of their work ethic.
Most Boards of Directors and senior corporate executives do not treat security as a prime directive and are willing to compromise on security risks without fully understanding the extent to which the enterprise is exposed. IT executives should understand, evaluate, measure, translate, and communicate the risk exposures and get the resources needed to address the ones that are existential threats to the business. They should also adopt processes – from training to operations – that will continuously improve their privacy and security risk exposures and drive their teams to continuously improve their privacy and security track record.