Security is more of a mindset than a destination. Organizations have to adopt a positive, proactive, security-first, holistic attitude.

An ideal world would have unicorns. By contrast, the world in which we live has … let’s just say “donkeys”.

How does this play out in cybersecurity? Security fatigue is a problem. We are bombarded with dire warnings and doomsday headlines, to the point where we just don’t care anymore. Imagining a perfect world can help us make positive changes that, over time, improve the state of the real world.

Change is slow

Organizations are waking up to the fact that security is important, but change is slow. An organization that has suffered some kind of cybersecurity breach or similar cyber-embarrassment is likely to create a security group, usually as part of product development or sometimes information technology.

At first glance, this seems like a good solution: The organization is devoting resources to security, and the group is responsible for keeping the rest of the organization safe. Unfortunately, this approach alone has serious problems that mean it is destined to end in tears and failure:

  • “Keeping the rest of the organization safe” is impossible to achieve. You are never 100% safe or secure. The best you can do is reduce risk.
  • Security cannot be tacked onto the end of product development, or procurement, or anything else.
  • A security group that is separate from the rest of the organization will always be perceived as costing money and providing aggravation in return.
  • A security group that is formed without support from the top levels of management will not have the teeth it needs.

A fairy tale

In the unicorn world, support for a real software security initiative (SSI) comes from the highest levels of management. Top-level support was crucial to the success of Microsoft’s security initiatives, which began in 2002 and continue to this day.

With this top-level support, a chief information security officer (CISO) joins the executive team to take charge of IT security, product security, and incident response. While the CISO will have a security team, everyone needs to understand that the security team does not keep the organization safe but instead spreads the word.

Organizational risk decreases only when a culture of security pervades every part of the workplace. Key to this is education, including general cybersecurity awareness, operational security awareness, and training that helps developers introduce fewer vulnerabilities as they write code. This is not a one-time effort; education needs to be ongoing, current, and engaging.

In IT security, the CISO’s team can help create and implement policies for everything from authentication to procurement. In product security, the goal of the CISO’s team is to help product teams adopt a proper secure development life cycle (SDLC), one that accounts for security at every phase. This can be supplemented by more testing and better testing, which allows more vulnerabilities to be located and eliminated before product release.

When things go wrong (and things always go wrong), having a plan is important. Defining policies for incident response helps your organization minimize damage and respond quickly to security events.

Onward and upward

With this awareness of true security stewardship in mind, where do we go from here? No matter where you are in your security journey, you can always move forward and reduce your risk a little more.

If you are completely new, get started by taking stock of your current security policies, procedures, tools, and teams. If you’re just starting on product security, work on implementing a proper SDLC, then introduce source code analysis and software supply chain tools into your build chain. If you are already managing your supply chain and kicking butt with your source analysis, add fuzzing and interactive testing.

If you already have all that going on, there is always a next level. Make sure your tools are automated and integrated into your development, and make sure that violations of your security policy can break the build. Ratchet your policies to set the bar higher.
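One way to combine a build-breaking policy check with a ratchet is sketched below. This is an added example, not code from the original article: the findings format, the severity names and the `evaluate_gate` function are assumptions, and the sample data is constructed.

```python
import sys

SEVERITIES = ("critical", "high", "medium", "low")

def count_by_severity(findings):
    """Tally findings per severity; unknown labels count as critical (fail closed)."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for finding in findings:
        sev = str(finding.get("severity", "")).lower()
        counts[sev if sev in counts else "critical"] += 1
    return counts

def evaluate_gate(ceiling, findings):
    """Return (passed, violations, next_ceiling) for one build (hypothetical helper)."""
    counts = count_by_severity(findings)
    violations = [
        f"{sev}: {counts[sev]} findings, policy allows {ceiling.get(sev, 0)}"
        for sev in SEVERITIES
        if counts[sev] > ceiling.get(sev, 0)
    ]
    if violations:
        # Failed build: the ceiling stays where it is; it never loosens.
        return False, violations, dict(ceiling)
    # Passing build: ratchet each ceiling down to what was just achieved.
    return True, [], counts

if __name__ == "__main__":
    # Constructed sample data, not output from a real scanner.
    ceiling = {"critical": 0, "high": 2, "medium": 5, "low": 10}
    findings = [
        {"id": "F-1", "severity": "high"},
        {"id": "F-2", "severity": "medium"},
        {"id": "F-3", "severity": "Medium"},
    ]
    passed, violations, next_ceiling = evaluate_gate(ceiling, findings)
    for line in violations:
        print("POLICY VIOLATION", line)
    print("next ceiling:", next_ceiling)
    sys.exit(0 if passed else 1)  # non-zero exit status breaks the build
```

Persisting `next_ceiling` after each passing build on the main branch is what turns the gate into a ratchet: the next build is held to the best result achieved so far.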

Security is more of a mindset than a destination. The goal of any security group is to help lift the entire organization into a positive, proactive, security-first attitude to work security into every aspect of product development and operations. Ultimately, this holistic, comprehensive approach to security is the most effective way to lower organizational risk.