This is the last in a three-part series on IT security from Forsythe Technology. This post looks at governance and application security. Previous posts covered core infrastructure and threat and vulnerability management and data protection and identity and access management.
Innovating Your Security Mindset
In the previous post, I talked about the role data protection and identity and access management controls play in protecting data, and how you can work to secure each door into the fragmented IT environment. Now, I’ll focus on security program governance and application security strategy and the role they play in replacing the legacy security mindset.
With all of the data breaches making headlines over the past few years, most organizations have come to realize that cyber security is a persistent risk, and a breach can spell disaster for any business. As the frequency of data breaches continues to climb, it has become clear that IT security programs are lacking, and critical information security process, technology, and staffing needs are not being met.
In his keynote remarks, RSA president Amit Yoran kicked off this year’s conference by saying, "2014 was yet another reminder that we are losing this contest. The adversaries are out-maneuvering the industry ... and winning by every measure." He went on to point out that the pervasive challenges in the security industry boil down to a mindset problem.
Chart a New Course
Too many of us are clinging to old mindsets, like using compliance as a guide to security. This leads IT teams to focus on checking boxes rather than thinking about security strategy; as soon as they achieve compliance, they stop thinking about security and move on. But just as passing a health inspection doesn’t mean a restaurant will serve good food, compliance does not equal security. It’s a minimum requirement, and is not enough to protect against the tactics being used by hackers today. Target, Home Depot and others were compliant at the time they were breached.
Instead of following a list of requirements, or trying to “build taller castle walls and dig deeper moats” (Amit Yoran, RSA Keynote), we need to address the scope and components of a comprehensive approach to security, and establish repeatable, measurable programs that focus on what’s mission-critical to the business. Tools are not the problem; as the 500+ exhibitors at this year’s conference demonstrated, we've got a great ecosystem of tools at our disposal. Technologies exist to provide true visibility, comprehensive threat intelligence and systems that help manage risk. We just need to broaden our view and take into consideration what each of the tools is seeing, and put some integration around them to get comprehensive visibility from the endpoint to the cloud, so we can proactively respond to threats.
It’s important to take a step back and assess your current security state, and develop a truly actionable roadmap to an optimized state that’s based on your business objectives. Professional services like program assessments, threat assessments and incident response planning can help you set critical policies and take a more strategic, scalable approach to security.
Secure Your Software Development Life Cycle (SDLC)
And don’t forget security when developing applications. Applications and data—not the infrastructure—are the main focus of most cyber attacks, but many organizations haven’t formalized a secure software development program. Too much time is being spent reacting to security issues in completed applications instead of fixing problems before they are deployed. Assigning a security professional to your application development team is a best practice that ensures that software is secure from the ground up. Without this integrated approach, securing your SDLC may be viewed as optional in your organization.
Every phase of your SDLC should stress security no matter what your development methodology, organizational culture, types of applications or risk profile. Not only is this a precaution against attacks, it helps to ensure compliance with internal policies and external regulatory requirements.
Professional services like penetration testing, threat modeling, application architecture assessments, static code reviews and other services designed to integrate security into the SDLC can reduce web and mobile threats, and ensure your applications are tested for security as much as they are for functionality.
Prioritize What Matters Most
We need to evolve, change, and become more agile. By shoring up our programs and shifting away from the tools and tactics of the past, we can take a cohesive approach to security that focuses on what’s mission-critical to the business, and employ strategies and solutions that actually map to the threat environment we’re facing today.