Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Zane Lackey
Zane Lackey
Connect Directly
E-Mail vvv

Keeping Your Organization Secure When Dealing With the Unexpected

There's no way to anticipate every possible scenario, but the right approach to business continuity can help you respond effectively in any situation.

Unforeseen circumstances can cause your security risk profile to shift in unexpected ways — and the consequences can be serious. In a world where change can happen suddenly, security teams can play a crucial role in helping their organizations stay protected no matter what happens.

There's no way to anticipate and prepare for every possible scenario, but the right approach to business continuity can help you respond effectively in any situation. The key is to focus on agility and sustainability. Here are a few guiding principles that can help. 

Related Content:

Agility Broke AppSec. Now It's Going to Fix It.

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Welcome to the New Workplace

Now More Than Ever, Focus on Culture
Security has been traditionally viewed as a function that aimed simply to reduce risk. Since change introduces risk, security teams were often seen as the "department of no" and considered to be a necessary impediment to velocity. But the changes last year caused by the unprecedented and rapid shift to doing everything online challenged that premise, and many security best practices gave way in favor of speed.

Now it's time to take a pause and look at how security teams can shift the cultural mindset of being a blocker to an enabler and find ways to say "yes" to urgently needed projects and changing priorities. This doesn't mean throwing standards and best practices out the window. Rather, security teams should focus not just on flagging problems but also on helping the business address them and move forward.

At the same time, instead of relying solely on a large, centralized security team — a model ill-suited for fully distributed environments — organizations should embed security skills within product and development teams. Security champions in these groups can be empowered to operate independently, using a deeper understanding of business context and development processes to help solve problems more quickly and creatively.

Perhaps most importantly, executive leadership must send a clear message that security matters. A great example of this mindset in action was Zoom, where a sudden rapid adoption beyond its traditional enterprise base unexpectedly exposed significant security issues such as "Zoombombing." In response, the company enacted a 90-day freeze on shipping new features while it focused on closing these gaps. To have taken this step just as the company was seeing unprecedented demand for its product is remarkable.

Most organizations won't need to take such a drastic measure, but effective security leaders make sure their executive team keeps security top-of-mind across the business. 

Provide Tools Across the Organization That People Like to Use
The digital era is built on the idea of agility: being able to respond quickly to new situations. In ordinary times, that might mean an emerging market opportunity, a rising competitive threat, or an exciting new innovation. Today, the idea also applies in times of crisis. Technology isn't just a nice-to-have in modern life; it's woven through everything from the way we work and play to the systems that provide our healthcare, food, education, utilities, and other essentials. As digital transformation continues to deepen these interconnections, it's essential for the security infrastructure to keep pace to provide a sound foundation so that we're protected from risk.

Even during "routine" digital transformation, the transition to cloud and DevOps proved incompatible with legacy security approaches based on complex tools in the hands of siloed experts. The scale and speed of innovation demand a more agile approach, leading modern security teams to adopt security tools that can be used by people without security expertise on decentralized application and DevOps teams. Given the visibility to see for themselves when something goes wrong, these teams can better protect their own apps without depending on specialized skills or services. That's especially valuable when in-person communication is problematic.

Plan for Crisis Because It Will Happen
Business continuity planning is a cornerstone of risk reduction for the enterprise as a whole; security teams should take the same approach within their own organization. How will you ensure continuous security during various types of disruptions? Are there applications where you would expect to see higher demand? Will people be working from different locations via different access points? Will the business need to roll out new capabilities for employees or customers?

One of the hallmark technology challenges during the COVID-19 crisis is the sudden need for previously internal resources such as human resources applications and IT issue-tracking tools to be externally reachable as employees shift to remote work. This need is obvious in hindsight, but it took many chief information security officers (CISOs) by surprise. It's not the kind of thing that occurs to you in the course of day-to-day work — but when the unexpected happens, you're forced to think it through in real time.

If you haven't already seen changes like these in your organization, take a moment to consider how you would deal with them. Plan your response to this and similar scenarios and figure out what tools you'll need to enable the shift.

As the COVID-19 crisis made all too painfully clear, the best response to the unexpected begins long before it arises. By embedding security throughout your culture, empowering teams to make it part of their work, and anticipating the implications of potential disruptions, you can move with greater agility as the need arises and make security more sustainable for the long term. 

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...