Risk

1/19/2021
01:00 PM
John Worrall
Commentary

The Most Pressing Concerns Facing CISOs Today

Building security into the software development life cycle creates more visibility, but CISOs still need to stay on top of any serious threats on the horizon, even if they are largely unknown.

With software being one of the most valuable assets in business today and DevOps in the driver's seat for software pipelines, CISOs are facing an array of challenges regarding their organizational security and integrity. The role and overall visibility of CISOs have continued to evolve because corporate security isn't just nice to have anymore — it's an integral part of the business, an imperative. This reality now puts CISOs in the unenviable position of quickly understanding and communicating how much risk their business is willing to accept, and getting teams to act accordingly.

Cultural Divisions = More Risk
As the appetite for software accelerates, and the sophistication of application security advances, everyone inside a company needs to be on the same page about their risk posture and how it affects ongoing security efforts. We already know this isn't happening. While DevOps has revolutionized software development in terms of speed, capability, and agility, developers and security teams simply don't share a common vision or unified goal on how to get software to market quickly and securely. Recent Ponemon research found developers see security as a bottleneck to innovation and speed, while security practitioners believe developers continue to prioritize delivery times over quality.

The technology is there, but cultural (and human) problems are slowing down the process. CISOs are challenged with figuring out a way to tailor security programs to customer needs and business goals by aligning business and security strategies. We already know that integrating security testing earlier in the software development life cycle (SDLC) can help mitigate risk, and it also makes developers much more productive. CISOs can help bridge the cultural divide by accomplishing their risk management objectives while simultaneously helping their development partners be more successful.

Digital Transformation Needs Scalability and Continuity
With digital transformation accelerating development cycles, security can't be considered a barrier to speed. Remember, cars have brakes so they can go fast! We need to ensure software can develop quickly too, protected by application security and not hindered by it. Unfortunately, a lot of security processes continue to be manual today. Testing tools deliver enormous data, all of which needs to be correlated and prioritized. These tasks take time, and CISOs are often dealing with more data than they have people to analyze it. To ensure their existing security governance frameworks, including tools, processes, and policies, can keep up, CISOs will need to continue building the bridge across the divide by empowering their development teams with the right resources and support.

To properly scale security, organizations need to decrease manual processes by embracing SDLC automation and continuous scanning. This results in faster remediation and better overall application security. Orchestration is important too. With proper orchestration, vulnerabilities are prioritized and refined for remediation. CISOs are key in creating this component of the "bridge" because processes like automation and orchestration can save developers time by consolidating units of work and converting findings into a language they understand.

The Present and Beyond
Building security into the SDLC helps create more visibility, but CISOs still need to stay on top of any serious threats on the horizon, even if they are largely unknown. The fallout from the pandemic remains to be seen, but it has already had a major impact on both security and development. The move to telework and use of even more cloud-based applications has significantly diminished the security of software applications. According to the same Ponemon research noted earlier, both security practitioners and developers lack confidence that teleworkers are complying with security and privacy requirements. In fact, only a third of both groups believe their organizations are effectively stopping or curtailing security compromises or exploits in software applications.

As the future continues to roll out unexpected turns, CISOs must maintain a close working relationship with the DevOps team and continue to seamlessly integrate security into the SDLC. Security becomes an afterthought or a periodic manual, nonrepeatable process if there isn't a collaborative relationship between teams.

This won't happen overnight, as it requires a significant cultural shift. Developers must buy into the notion that quality software hinges on built-in security at every phase of development, and see security as a necessity. When this happens, CISOs can feel more confident in answering the questions "am I secure?" and "is this application that I've brought to market secure?" because everyone has the same goals, is on the same page, and can quickly adapt to threats not yet known.

John Worrall has more than 25 years of leadership, strategy, and operational experience across early stage and established cybersecurity brands. In his current role as CEO at ZeroNorth, he leads the company's efforts to help customers bolster security across the software life ...