Security breaches are constantly in the headlines, and in turn, on your board members’ minds. Cybercriminals are no longer fringe. Instead, they are forming an organized, growing industry. High-profile breaches at big-name and respected institutions and organizations are becoming more and more commonplace.
The success of a security organization is not predicated on its actions alone. Security is critical for the business; and yet the priorities for the business don’t always align with the priorities for security.
Underfunding is a common concern for chief information security officers (CISOs). They are struggling to secure executive-level buy-in for their programs—even though high-profile data breaches underline the importance of allocating resources to security. CISOs admit they have difficulty making a business case for more resources to their organization’s finance department.
Cost of a Data Breach
Lessons need to be learned from the recent onslaught of massive online security breaches. Whether it is Marriott International facing a potential $100+ million fine for failing to protect customer data after a hack in 2018, or British Airways facing a record $230 million fine after a website failure compromised the personal details of roughly half a million users, organizations must ensure security and compliance by implementing cybersecurity practices that make data breaches preventable. A proactive approach to integrating cybersecurity practices into the business strategy can protect against data loss and leakage and threats to data privacy — and empower organizations to respond to threats quickly and accurately.
As organizations depend on software applications to grow their business, it is essential to secure the applications to detect and block threats before they become an attack. By taking a systematic, risk-based approach to evaluating and addressing cybersecurity vulnerabilities earlier in the software development life cycle (SDLC), organizations can immensely improve their security posture.
Minding the Communications Gap
For a security organization to be effective, it must align its priorities with those of the organization as a whole. CISOs often may have a vision of building security into the SDLC, but far too often, security is seen instead as a deterrent and the final box to be checked before release. When fixing or remediating a vulnerability can delay the release of an important application, pressure is on the security organization to make the right call. If the staff can’t make a compelling business case to back up its decision and show the value of fixing vulnerabilities up front, the funding it needs to participate earlier in the SDLC may not be forthcoming.
To communicate effectively, security teams need to help the other decision-makers understand exactly what is at stake. This means they must understand the business purpose and impact of the application, get the resources to fix vulnerabilities earlier, and focus on the right applications at the right time.
Quantifying Risk to Drive Security Decisions
Issues around security and risk need to be distilled in a way that allows all involved to have a business-oriented conversation. This risk-based approach has two phases:
- Phase 1 – Discovery Phase, where you take inventory and monitor web assets in production for vulnerabilities
- Phase 2 – Business Impact, where you define and understand the potential loss magnitude in order to prioritize activities
The first phase of this risk-based approach involves taking inventory and monitoring web applications in production for vulnerabilities. Taking inventory is essential, because it’s the applications you don’t know about and the development systems left open that can really hurt you.
Once a complete inventory of web assets is achieved and ongoing vulnerability monitoring is in place, we can move to phase two by beginning to incorporate the business impact into strategic planning. Defining and understanding the potential loss allows much more finely grained prioritization of activities.
In order to focus on the areas of highest risk, we must understand the business function of the applications we’re trying to protect.
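A worked illustration of the two-phase ranking described above, added here and not part of the original article. The asset names, finding severities and loss figures are constructed, and the likelihood model (each open finding treated as an independent chance of compromise, scored as severity/10) is an assumption made for the example, not a method the article prescribes.

```python
from dataclasses import dataclass

# Constructed inventory records: what Phase 1 (discovery + monitoring) produces,
# annotated with the Phase 2 loss-magnitude estimate for each application.
@dataclass
class WebAsset:
    name: str
    severities: list        # CVSS-style 0-10 scores of open findings from monitoring
    loss_magnitude: float   # hypothetical estimated loss (USD) if this app is compromised


def compromise_likelihood(asset: WebAsset) -> float:
    """Assumed model: each open finding is an independent chance of compromise
    with probability severity/10; P(at least one succeeds) = 1 - prod(1 - p_i)."""
    survive = 1.0
    for s in asset.severities:
        survive *= 1.0 - min(max(s, 0.0), 10.0) / 10.0
    return 1.0 - survive


def expected_loss(asset: WebAsset) -> float:
    """Phase 2 figure: likelihood of compromise times the business loss magnitude."""
    return compromise_likelihood(asset) * asset.loss_magnitude


def rank_by_severity(assets):
    """Phase 1 only: the ordering a scanner dashboard gives (worst single finding first)."""
    return [a.name for a in sorted(assets, key=lambda a: max(a.severities, default=0.0), reverse=True)]


def rank_by_expected_loss(assets):
    """Phase 2: the business-oriented ordering the article argues for."""
    return [a.name for a in sorted(assets, key=expected_loss, reverse=True)]


# Constructed sample: a public marketing site with one critical finding, a payments
# portal with two medium findings, and a low-severity finding on an HR intranet.
SAMPLE_ASSETS = [
    WebAsset("marketing-site", [9.5], 50_000),
    WebAsset("payments-portal", [5.0, 6.0], 5_000_000),
    WebAsset("hr-intranet", [3.0], 200_000),
]

if __name__ == "__main__":
    print("by severity only:", rank_by_severity(SAMPLE_ASSETS))
    print("by expected loss:", rank_by_expected_loss(SAMPLE_ASSETS))
    for a in SAMPLE_ASSETS:
        print(f"{a.name:16s} likelihood={compromise_likelihood(a):.2f} "
              f"expected_loss=${expected_loss(a):,.0f}")
```

The two rankings disagree: severity alone puts the marketing site first, while factoring in loss magnitude moves the payments portal to the top and the marketing site to the bottom, which is the conversation the article says the business needs to have.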
Aligning Security with Business Goals
Implementing SaaS-based application scanning throughout the SDLC helps organizations continuously measure risk in production. When combined with a prioritization assessment, this delivers a better and, overall, more accurate picture of the organization's risk profile.
Security is not the responsibility of the security organization alone. An effective security program requires close cooperation among all business units.
Knowing your risk can help align security, operational, and funding decisions across stakeholders by providing a common language for determining and discussing risk. These discussions lead to alignment and mutually agreed-upon decisions, which serve as the foundation for a security program that successfully meets the needs of the business as a whole.