theDocumentId => 1341218 Keeping Your Organization Secure When Dealing With ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/16/2021
01:00 PM
Zane Lackey
Zane Lackey
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Keeping Your Organization Secure When Dealing With the Unexpected

There's no way to anticipate every possible scenario, but the right approach to business continuity can help you respond effectively in any situation.

Unforeseen circumstances can cause your security risk profile to shift in unexpected ways — and the consequences can be serious. In a world where change can happen suddenly, security teams can play a crucial role in helping their organizations stay protected no matter what happens.

There's no way to anticipate and prepare for every possible scenario, but the right approach to business continuity can help you respond effectively in any situation. The key is to focus on agility and sustainability. Here are a few guiding principles that can help. 

Related Content:

Agility Broke AppSec. Now It's Going to Fix It.

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Welcome to the New Workplace

Now More Than Ever, Focus on Culture
Security has been traditionally viewed as a function that aimed simply to reduce risk. Since change introduces risk, security teams were often seen as the "department of no" and considered to be a necessary impediment to velocity. But the changes last year caused by the unprecedented and rapid shift to doing everything online challenged that premise, and many security best practices gave way in favor of speed.

Now it's time to take a pause and look at how security teams can shift the cultural mindset of being a blocker to an enabler and find ways to say "yes" to urgently needed projects and changing priorities. This doesn't mean throwing standards and best practices out the window. Rather, security teams should focus not just on flagging problems but also on helping the business address them and move forward.

At the same time, instead of relying solely on a large, centralized security team — a model ill-suited for fully distributed environments — organizations should embed security skills within product and development teams. Security champions in these groups can be empowered to operate independently, using a deeper understanding of business context and development processes to help solve problems more quickly and creatively.

Perhaps most importantly, executive leadership must send a clear message that security matters. A great example of this mindset in action was Zoom, where a sudden rapid adoption beyond its traditional enterprise base unexpectedly exposed significant security issues such as "Zoombombing." In response, the company enacted a 90-day freeze on shipping new features while it focused on closing these gaps. To have taken this step just as the company was seeing unprecedented demand for its product is remarkable.

Most organizations won't need to take such a drastic measure, but effective security leaders make sure their executive team keeps security top-of-mind across the business. 

Provide Tools Across the Organization That People Like to Use
The digital era is built on the idea of agility: being able to respond quickly to new situations. In ordinary times, that might mean an emerging market opportunity, a rising competitive threat, or an exciting new innovation. Today, the idea also applies in times of crisis. Technology isn't just a nice-to-have in modern life; it's woven through everything from the way we work and play to the systems that provide our healthcare, food, education, utilities, and other essentials. As digital transformation continues to deepen these interconnections, it's essential for the security infrastructure to keep pace to provide a sound foundation so that we're protected from risk.

Even during "routine" digital transformation, the transition to cloud and DevOps proved incompatible with legacy security approaches based on complex tools in the hands of siloed experts. The scale and speed of innovation demand a more agile approach, leading modern security teams to adopt security tools that can be used by people without security expertise on decentralized application and DevOps teams. Given the visibility to see for themselves when something goes wrong, these teams can better protect their own apps without depending on specialized skills or services. That's especially valuable when in-person communication is problematic.

Plan for Crisis Because It Will Happen
Business continuity planning is a cornerstone of risk reduction for the enterprise as a whole; security teams should take the same approach within their own organization. How will you ensure continuous security during various types of disruptions? Are there applications where you would expect to see higher demand? Will people be working from different locations via different access points? Will the business need to roll out new capabilities for employees or customers?

One of the hallmark technology challenges during the COVID-19 crisis is the sudden need for previously internal resources such as human resources applications and IT issue-tracking tools to be externally reachable as employees shift to remote work. This need is obvious in hindsight, but it took many chief information security officers (CISOs) by surprise. It's not the kind of thing that occurs to you in the course of day-to-day work — but when the unexpected happens, you're forced to think it through in real time.

If you haven't already seen changes like these in your organization, take a moment to consider how you would deal with them. Plan your response to this and similar scenarios and figure out what tools you'll need to enable the shift.

As the COVID-19 crisis made all too painfully clear, the best response to the unexpected begins long before it arises. By embedding security throughout your culture, empowering teams to make it part of their work, and anticipating the implications of potential disruptions, you can move with greater agility as the need arises and make security more sustainable for the long term. 

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3663
PUBLISHED: 2021-07-25
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
CVE-2021-23413
PUBLISHED: 2021-07-25
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.
CVE-2021-37436
PUBLISHED: 2021-07-24
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing pers...
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...