

John Worrall

The Most Pressing Concerns Facing CISOs Today

Building security into the software development life cycle creates more visibility, but CISOs still need to stay on top of any serious threats on the horizon, even if they are largely unknown.

With software being one of the most valuable assets in business today and DevOps in the driver's seat for software pipelines, CISOs are facing an array of challenges regarding their organizational security and integrity. The role and overall visibility of CISOs have continued to evolve because corporate security isn't just nice to have anymore — it's an integral part of the business, an imperative. This reality now puts CISOs in the unenviable position of quickly understanding and communicating how much risk their business is willing to accept, and getting teams to act accordingly.

Cultural Divisions = More Risk
As the appetite for software accelerates, and the sophistication of application security advances, everyone inside a company needs to be on the same page about their risk posture and how it affects ongoing security efforts. We already know this isn't happening. While DevOps has revolutionized software development in terms of speed, capability, and agility, developers and security teams simply don't share a common vision or unified goal on how to get software to market quickly and securely. Recent Ponemon research found developers see security as a bottleneck to innovation and speed, while security practitioners believe developers continue to prioritize delivery times over quality.

The technology is there, but cultural (and human) problems are slowing down the process. CISOs are challenged with figuring out a way to tailor security programs to customer needs and business goals by aligning business and security strategies. We already know that integrating security testing earlier in the software development life cycle (SDLC) can help mitigate risk, and it also makes developers much more productive. CISOs can help bridge the cultural divide by accomplishing their risk management objectives while simultaneously helping their development partners be more successful.

Digital Transformation Needs Scalability and Continuity
With digital transformation accelerating development cycles, security can't be considered a barrier to speed. Remember, cars have brakes so they can go fast! We need to ensure software can develop quickly too, protected by application security and not hindered by it. Unfortunately, a lot of security processes continue to be manual today. Testing tools deliver enormous data, all of which needs to be correlated and prioritized. These tasks take time, and CISOs are often dealing with more data than they have people to analyze it. To ensure their existing security governance frameworks, including tools, processes, and policies, can keep up, CISOs will need to continue building the bridge across the divide by empowering their development teams with the right resources and support.

To properly scale security, organizations need to decrease manual processes by embracing SDLC automation and continuous scanning. This results in faster remediation and better overall application security. Orchestration is important too. With proper orchestration, vulnerabilities are prioritized and refined for remediation. CISOs are key in creating this component of the "bridge" because processes like automation and orchestration can save developers time by consolidating units of work and converting findings into a language they understand.
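As an added illustration of the orchestration step described above (example code, not ZeroNorth's or any vendor's): output from three constructed tools with unlike schemas is normalized, deduplicated, re-rated to the worst severity any tool reported, and grouped into one queue per owning team so developers receive consolidated work rather than raw scanner noise. The tool names, field names and the path-to-team mapping are assumptions.

```python
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample output from three hypothetical tools, each with its own schema.
SAST_A = [
    {"rule": "CWE-89", "sev": "high", "path": "api/orders.py", "line": 42},
    {"rule": "CWE-89", "sev": "high", "path": "api/orders.py", "line": 42},  # repeat run
    {"rule": "CWE-79", "sev": "medium", "path": "web/item.html", "line": 7},
]
SAST_B = [{"id": "CWE-89", "severity": "Critical", "file": "api/orders.py", "line": 42}]
DAST = [{"cwe": 200, "risk": "Low", "url": "/api/debug/env"}]
# Constructed mapping from code path or route prefix to the owning team.
OWNERS = {"api/": "payments", "/api/": "payments", "web/": "storefront"}

def normalize(sast_a, sast_b, dast):
    """Map each tool's field names onto one schema so findings can be compared."""
    rows = [{"cwe": f["rule"], "location": f"{f['path']}:{f['line']}",
             "severity": f["sev"].lower(), "sources": {"sast-a"}} for f in sast_a]
    rows += [{"cwe": f["id"], "location": f"{f['file']}:{f['line']}",
              "severity": f["severity"].lower(), "sources": {"sast-b"}} for f in sast_b]
    rows += [{"cwe": f"CWE-{f['cwe']}", "location": f["url"],
              "severity": f["risk"].lower(), "sources": {"dast"}} for f in dast]
    return rows

def consolidate(rows):
    """Collapse duplicates on (cwe, location): keep the worst severity, union the sources."""
    merged = {}
    for r in rows:
        cur = merged.setdefault((r["cwe"], r["location"]), {**r, "sources": set()})
        cur["sources"] |= r["sources"]
        if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[cur["severity"]]:
            cur["severity"] = r["severity"]
    return list(merged.values())

def work_units(sast_a, sast_b, dast):
    """Per-team queues: worst severity first, items corroborated by more tools first within a tier."""
    queues = defaultdict(list)
    for f in consolidate(normalize(sast_a, sast_b, dast)):
        team = next((t for p, t in OWNERS.items() if f["location"].startswith(p)), "unassigned")
        queues[team].append(f)
    for q in queues.values():
        q.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], -len(f["sources"])))
    return dict(queues)
```

The duplicated SQL-injection finding collapses to one entry rated critical and attributed to both SAST tools, which is the kind of consolidated, prioritized item a developer can act on directly.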

The Present and Beyond
Building security into the SDLC helps create more visibility, but CISOs still need to stay on top of any serious threats on the horizon, even if they are largely unknown. The fallout from the pandemic remains to be seen, but it has already had a major impact on both security and development. The move to telework and use of even more cloud-based applications has significantly diminished the security of software applications. According to the same Ponemon research noted earlier, both security practitioners and developers lack confidence that teleworkers are complying with security and privacy requirements. In fact, only a third of both groups believe their organizations are effectively stopping or curtailing security compromises or exploits in software applications.

As the future continues to roll out unexpected turns, CISOs must maintain a close working relationship with the DevOps team and continue to seamlessly integrate security into the SDLC. Security becomes an afterthought or a periodic manual, nonrepeatable process if there isn't a collaborative relationship between teams.

This won't happen overnight, as it requires a significant cultural shift. Developers must buy into the notion that quality software hinges on built-in security at every phase of development, and see security as a necessity. When this happens, CISOs can feel more confident in answering the questions "am I secure?" and "is this application that I've brought to market secure?" because everyone has the same goals, is on the same page, and can quickly adapt to threats not yet known.

John Worrall has more than 25 years of leadership, strategy, and operational experience across early stage and established cybersecurity brands. In his current role as CEO at ZeroNorth, he leads the company's efforts to help customers bolster security across the software life ...