Zane Lackey

Keeping Your Organization Secure When Dealing With the Unexpected

There's no way to anticipate every possible scenario, but the right approach to business continuity can help you respond effectively in any situation.

Unforeseen circumstances can cause your security risk profile to shift in unexpected ways — and the consequences can be serious. In a world where change can happen suddenly, security teams can play a crucial role in helping their organizations stay protected no matter what happens.

There's no way to anticipate and prepare for every possible scenario, but the right approach to business continuity can help you respond effectively in any situation. The key is to focus on agility and sustainability. Here are a few guiding principles that can help. 

Now More Than Ever, Focus on Culture

Security has been traditionally viewed as a function that aimed simply to reduce risk. Since change introduces risk, security teams were often seen as the "department of no" and considered to be a necessary impediment to velocity. But the changes last year caused by the unprecedented and rapid shift to doing everything online challenged that premise, and many security best practices gave way in favor of speed.

Now it's time to pause and look at how security teams can shift the cultural mindset from being a blocker to being an enabler, and find ways to say "yes" to urgently needed projects and changing priorities. This doesn't mean throwing standards and best practices out the window. Rather, security teams should focus not just on flagging problems but also on helping the business address them and move forward.

At the same time, instead of relying solely on a large, centralized security team — a model ill-suited for fully distributed environments — organizations should embed security skills within product and development teams. Security champions in these groups can be empowered to operate independently, using a deeper understanding of business context and development processes to help solve problems more quickly and creatively.

Perhaps most importantly, executive leadership must send a clear message that security matters. A great example of this mindset in action was Zoom, where a sudden rapid adoption beyond its traditional enterprise base unexpectedly exposed significant security issues such as "Zoombombing." In response, the company enacted a 90-day freeze on shipping new features while it focused on closing these gaps. To have taken this step just as the company was seeing unprecedented demand for its product is remarkable.

Most organizations won't need to take such a drastic measure, but effective security leaders make sure their executive team keeps security top-of-mind across the business. 

Provide Tools Across the Organization That People Like to Use

The digital era is built on the idea of agility: being able to respond quickly to new situations. In ordinary times, that might mean an emerging market opportunity, a rising competitive threat, or an exciting new innovation. Today, the idea also applies in times of crisis. Technology isn't just a nice-to-have in modern life; it's woven through everything from the way we work and play to the systems that provide our healthcare, food, education, utilities, and other essentials. As digital transformation continues to deepen these interconnections, it's essential for the security infrastructure to keep pace and provide a sound foundation so that we're protected from risk.

Even during "routine" digital transformation, the transition to cloud and DevOps proved incompatible with legacy security approaches based on complex tools in the hands of siloed experts. The scale and speed of innovation demand a more agile approach, leading modern security teams to adopt security tools that can be used by people without security expertise on decentralized application and DevOps teams. Given the visibility to see for themselves when something goes wrong, these teams can better protect their own apps without depending on specialized skills or services. That's especially valuable when in-person communication is problematic.

Plan for Crisis Because It Will Happen

Business continuity planning is a cornerstone of risk reduction for the enterprise as a whole; security teams should take the same approach within their own organization. How will you ensure continuous security during various types of disruptions? Are there applications where you would expect to see higher demand? Will people be working from different locations via different access points? Will the business need to roll out new capabilities for employees or customers?

One of the hallmark technology challenges during the COVID-19 crisis is the sudden need for previously internal resources such as human resources applications and IT issue-tracking tools to be externally reachable as employees shift to remote work. This need is obvious in hindsight, but it took many chief information security officers (CISOs) by surprise. It's not the kind of thing that occurs to you in the course of day-to-day work — but when the unexpected happens, you're forced to think it through in real time.

If you haven't already seen changes like these in your organization, take a moment to consider how you would deal with them. Plan your response to this and similar scenarios and figure out what tools you'll need to enable the shift.

As the COVID-19 crisis made all too painfully clear, the best response to the unexpected begins long before it arises. By embedding security throughout your culture, empowering teams to make it part of their work, and anticipating the implications of potential disruptions, you can move with greater agility as the need arises and make security more sustainable for the long term. 

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the ...