Risk | Commentary
6/16/2021
Zane Lackey

Keeping Your Organization Secure When Dealing With the Unexpected

There's no way to anticipate every possible scenario, but the right approach to business continuity can help you respond effectively in any situation.

Unforeseen circumstances can cause your security risk profile to shift in unexpected ways — and the consequences can be serious. In a world where change can happen suddenly, security teams can play a crucial role in helping their organizations stay protected no matter what happens.

There's no way to anticipate and prepare for every possible scenario, but the right approach to business continuity can help you respond effectively in any situation. The key is to focus on agility and sustainability. Here are a few guiding principles that can help. 

Now More Than Ever, Focus on Culture
Security has traditionally been viewed as a function whose sole aim was to reduce risk. Since change introduces risk, security teams were often seen as the "department of no" and treated as a necessary impediment to velocity. But last year's unprecedented and rapid shift to doing everything online challenged that premise, and many security best practices gave way in favor of speed.

Now it's time to take a pause and look at how security teams can shift the cultural mindset of being a blocker to an enabler and find ways to say "yes" to urgently needed projects and changing priorities. This doesn't mean throwing standards and best practices out the window. Rather, security teams should focus not just on flagging problems but also on helping the business address them and move forward.

At the same time, instead of relying solely on a large, centralized security team — a model ill-suited for fully distributed environments — organizations should embed security skills within product and development teams. Security champions in these groups can be empowered to operate independently, using a deeper understanding of business context and development processes to help solve problems more quickly and creatively.

Perhaps most importantly, executive leadership must send a clear message that security matters. A great example of this mindset in action was Zoom, where a sudden rapid adoption beyond its traditional enterprise base unexpectedly exposed significant security issues such as "Zoombombing." In response, the company enacted a 90-day freeze on shipping new features while it focused on closing these gaps. To have taken this step just as the company was seeing unprecedented demand for its product is remarkable.

Most organizations won't need to take such a drastic measure, but effective security leaders make sure their executive team keeps security top-of-mind across the business. 

Provide Tools Across the Organization That People Like to Use
The digital era is built on the idea of agility: being able to respond quickly to new situations. In ordinary times, that might mean an emerging market opportunity, a rising competitive threat, or an exciting new innovation. Today, the idea also applies in times of crisis. Technology isn't just a nice-to-have in modern life; it's woven through everything from the way we work and play to the systems that provide our healthcare, food, education, utilities, and other essentials. As digital transformation continues to deepen these interconnections, it's essential for the security infrastructure to keep pace to provide a sound foundation so that we're protected from risk.

Even during "routine" digital transformation, the transition to cloud and DevOps proved incompatible with legacy security approaches based on complex tools in the hands of siloed experts. The scale and speed of innovation demand a more agile approach, leading modern security teams to adopt security tools that can be used by people without security expertise on decentralized application and DevOps teams. Given the visibility to see for themselves when something goes wrong, these teams can better protect their own apps without depending on specialized skills or services. That's especially valuable when in-person communication is problematic.

Plan for Crisis Because It Will Happen
Business continuity planning is a cornerstone of risk reduction for the enterprise as a whole; security teams should take the same approach within their own organization. How will you ensure continuous security during various types of disruptions? Are there applications where you would expect to see higher demand? Will people be working from different locations via different access points? Will the business need to roll out new capabilities for employees or customers?

One of the hallmark technology challenges during the COVID-19 crisis is the sudden need for previously internal resources such as human resources applications and IT issue-tracking tools to be externally reachable as employees shift to remote work. This need is obvious in hindsight, but it took many chief information security officers (CISOs) by surprise. It's not the kind of thing that occurs to you in the course of day-to-day work — but when the unexpected happens, you're forced to think it through in real time.

If you haven't already seen changes like these in your organization, take a moment to consider how you would deal with them. Plan your response to this and similar scenarios and figure out what tools you'll need to enable the shift.

As the COVID-19 crisis made all too painfully clear, the best response to the unexpected begins long before it arises. By embedding security throughout your culture, empowering teams to make it part of their work, and anticipating the implications of potential disruptions, you can move with greater agility as the need arises and make security more sustainable for the long term. 

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the ...