Cybersecurity: a tough reality
Cybersecurity is an inherently negative asset. As with any protective measure, the major challenge is to measure the value (or Return on Investment, ROI) of cybersecurity. It is significantly more difficult to make this value apparent to stakeholders: customers, users, and decision-makers in the company. When all goes well, the investment in security does not seem justified. When an attack happens and disaster hits, it is too late to think about fixing problems, and so the blame game begins.
Usually, companies that have been targeted by attacks mainly focus on putting out fires, that is, recovering business operations and patching the obvious holes.
Not only is security a negative asset, it is also a preventive one.
The majority of the value of the investment made in security only shows up after the security defenses catch a major attack or when companies pass a tough business audit because of proper measures. In general, the task of the Chief Information Security Officer (CISO) or another security leader for that matter is quite difficult, because they need to prepare for the inevitable without any substantial evidence to justify the budget.
Given this, it is not surprising to see many argue that the security industry in general provides no stellar value to consumers, and yet demands a lot of resources.
And yet, security is a must.
In the early days of any industry, security isn’t usually a part of a product. When cars were first introduced, the emphasis was on functionality. Yet, a few years after the first car hit the market, the first car was stolen and security became an issue.
As a response, the first car alarm was invented. Similarly, the Internet was not designed with security in mind, as it was initially a closed and trusted network for researchers.
As with any technology, once the major features are built and adoption is widespread, safety, reliability, and security become bigger issues.
The problem here is that security is often looked at as an afterthought that solves point-in-time problems.
When technology evolves, such bolt-on security solutions need to be replaced. Many argue that security should stop being a bolt-on solution and should be part of the product design and development from the very beginning.
Why cybersecurity is important for business
Here’s the ‘vicious’ cycle of cybersecurity:
It is very important that all participants in software product design work together to break this cycle. Software developers need to build systems that are secure by design (especially in web application security and secure coding).
It is imperative to see that cybersecurity teams can deliver great value to the business if they are treated as internal consultants and value centers rather than a cost center. The major requirement is that cybersecurity be seamlessly integrated with the way developers and product managers build the product.
- First, cybersecurity teams can and should be present during the design stage of any product. Product and developer teams should consider cybersecurity as a feature. It starts with threat modeling and continues with secure architecture design. Having security integrated in the development process can significantly reduce debugging time as developers start to think more rigorously about their code.
- Second, security teams need to design security guardrails for the current development process. This typically means having internal tools and processes that keep developers from committing obvious mistakes and that let them harden software by default. One example of this is how Repokid implements least-privilege access by removing unused access permissions automatically.
- Third, security can actually increase sales and business results. The report “Cyber Security, The New Source of Competitive Advantage for Retailers” by Capgemini showed an increase in consumer confidence for companies that implemented (and communicated) proper cybersecurity measures. For developer teams, it is often a business need to deliver a secure product that will withstand subsequent pentests.
- Fourth, security teams should be expected to flag the cybersecurity skills gap within the organization and to facilitate a solid learning culture: setting up security code reviews, holding security workshops and training for developers, and, more importantly, motivating security contributions from all developer teams within the organization.
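The guardrail described in the second point, pruning permissions a role has never used, can be shown as a small policy "repo" pass. This is an added illustration written for this article, not Repokid's code or any cloud provider's API; the IAM-style policy document, the last-used timestamps and the audit date are constructed sample data.

```python
"""Remove unused Allow actions from an IAM-style policy, in the spirit of
Repokid. Usage data is a map action -> last-used time (None = never used);
actions unused for longer than a grace period are dropped."""
from datetime import datetime, timedelta

# Constructed sample policy: the first statement is over-broad.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["dynamodb:GetItem", "dynamodb:Scan"]},
        {"Effect": "Deny", "Resource": "*", "Action": ["iam:*"]},
    ]
}

# Constructed usage records (access-advisor style), and the audit date.
LAST_USED = {
    "s3:GetObject": datetime(2024, 5, 1),
    "s3:PutObject": datetime(2024, 4, 20),
    "s3:DeleteBucket": None,
    "dynamodb:GetItem": datetime(2024, 5, 2),
    "dynamodb:Scan": None,
}
NOW = datetime(2024, 5, 10)


def unused_actions(policy, last_used, now, min_age_days=90):
    """Allow actions not used within min_age_days. Deny statements are never
    candidates (removing a Deny widens access), and wildcard actions are
    skipped because usage data cannot show which expansion went unused."""
    cutoff = now - timedelta(days=min_age_days)
    unused = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in stmt["Action"]:
            if action.endswith("*"):
                continue
            seen = last_used.get(action)
            if seen is None or seen < cutoff:
                unused.add(action)
    return unused


def repo_policy(policy, last_used, now, min_age_days=90):
    """Copy of policy with unused Allow actions removed; an Allow statement
    left with no actions is dropped entirely. Deny statements pass through."""
    remove = unused_actions(policy, last_used, now, min_age_days)
    statements = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            statements.append(dict(stmt))
            continue
        kept = [a for a in stmt["Action"] if a not in remove]
        if kept:
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}
```

The grace period is the important knob: with a short one, a role that was legitimately idle (a quarterly job, a disaster-recovery path) loses access it still needs, so production tooling of this kind also needs a way to restore the previous policy.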
Make security requirements a feature
The fundamental building block of secure product design is to make security a feature requirement: apply security by design, build security guardrails into the software delivery process, and finally build a security-aware developer culture.