
Vulnerabilities / Threats

4/12/2021
09:00 AM
Dark Reading
Sponsored Article

Cyber Resilience and the Speed of Change

Digital evolution has driven security to the forefront of business leaders' priorities. Understanding how to provide security at the speed of change and build a cyber-resilient organization will drive competitive advantage.

As we look at the current digitally enabled business landscape, we see the impact of forced rapid organizational changes that had been delayed for quite some time: changes centered on how our employees would be able to continue performing their work duties no matter where they were, and on how businesses would accelerate their shift to cloud-enabled capabilities, all while security teams did the best they could to keep up with the speed of change and secure their respective organizations.

There have been many lessons learned in a short time frame, but these are perhaps the most notable:  

  • The critical need to adapt as quickly as possible to support members of our workforce and ensure they were able to securely access the systems, applications, and data they needed to without interruption.
  • The ability to succeed in the face of adverse events while unlocking opportunities that enable the business to thrive.

Many organizations found ways to thrive as they drove through rapid changes all while evolving overall operations. Pause for a moment and realize just how impressive that has been, given all of the adversity we have had to endure.

Digging deeper into the key lessons learned, we began to realize that it has become critically important for us to shift our approach from strictly security to one that is focused on making our organizations cyber resilient. As businesses swiftly move forward with the continued adoption and evolution of DevOps, shifting to cloud environments and overall digital transformation efforts, security has consistently been left behind. Although not explicitly attributed to these initiatives, high-profile security incidents have occurred frequently and will continue to do so. This digital evolution has driven security to the forefront of business leaders' priorities.

In the "2021 Global Risks Report," released by the World Economic Forum, "cybersecurity failure" has risen to the No. 4 global risk in terms of most relevant and probable over the short-term (zero to two years). Only societal risks (such as infectious disease) and environmental risks (such as extreme weather events) are of higher concern. Take a minute to consider that and ask yourself: Have I taken the right approach to help ensure we are doing the right things to help reduce that risk for our business?

Just as security's role within organizations had begun to make strides in improving through awareness as well as earlier involvement in projects, the sheer number of initiatives and speed of delivery has continued to scale at a pace that has made it extremely difficult to keep up. Unfortunately, if security teams don't figure out how to embed security at the speed of change, they'll be left behind. The business will continue to deliver innovative new solutions to market, while providing better digital experiences to customers, partners, and employees.

Investments in transformation efforts can be meaningless if they cannot properly secure the business, its customers, or other critical assets. We must shift to a cyber-resilient model, one that aligns with business outcomes while supporting the level of risk the organization is willing to take on. One of the main changes comes in the form of culture and mindset for security teams. We can no longer simply say we are aligning to the business needs; we must engage the business-line owners and collaborate with them to identify what is most important to them and what success equates to for their respective business area. The conversation must enable a true partnership that ensures ongoing alignment and delivers the best possible outcomes. This shift is one that centers on how security can move at the speed of change to secure what matters most to the business.

By understanding these areas of importance, we can focus our attention on how to prioritize where to best place our protection and detection mechanisms, while applying capabilities to minimize the impact when a security incident occurs. It is of the utmost importance for us to finally realize that we cannot continue to take an approach that attempts to apply the same level of security across all assets. No matter the amount of money and resources we put in place attempting to prevent cyber incidents, they will continue to happen. The cyber-resilience aspect here is to have a solid foundation in knowing your specific organization's business operational needs and aligning your program in a manner that emphasizes your approach to secure those critical business assets (applications, data, and digital identities). 

From the business perspective, being able to provide security at the speed of change is required to drive seamless delivery of innovative solutions that allow for competitive differentiation and faster consumer adoption. Think of it this way: How long did it take for development and operations teams to change their approach from waterfall to agile to DevOps? Those organizations that are still either using a waterfall approach or slowly shifting to modern methodologies have seen their competitors pass them by. A couple of simple ways to initiate the process include:

  • Build true collaborative partnerships with the business now, leveraging a model that goes beyond simply security and instead focuses on being cyber resilient.
  • Institute a culture of collaboration by encouraging the security team to engage with the business line owners to understand fully what is most important and what success looks like.

Unfortunately, we won't be able to protect everything to the same level, but if we don't embed security into new innovative capabilities the business is looking to implement, then security will continue to play catch-up. Therefore, let's ensure we invest in the areas that are of highest priority to keep the business moving forward when something happens. This approach will allow for security to keep up with the speed of change.

About the Author

Rob Aragao is Chief Security Strategist for the Americas within the Enterprise Security business unit of Micro Focus. In this role, Mr. Aragao is responsible for working with organizations collaboratively to drive strategic initiatives around cybersecurity and alignment with business objectives and desired outcomes. He also provides thought leadership and insight regarding the ever-changing global threat landscape.
