Why a risk-based approach to application security can bolster your defenses
Like it or not, cybercrime is big business these days. A casual glance at the news at any given time will typically reveal several new breaches, usually involving eye-watering amounts of personal or sensitive information stolen. As such, any executive board worth its salt should have long realized the importance of robust cyber defenses.
Sadly, even in the face of mounting evidence, this isn’t always the case. Often business priorities are given precedence over security priorities, particularly when optimal security practices risk interfering with business efficiency or overall productivity. Underfunding is another common concern for many CSOs and CISOs, with the board simply not prepared to give them the budget and/or resources they truly need to keep the business safe.
Businesses need to think long term
Underfunding security in order to boost other areas of the business may seem like a good idea in the short term, but it’s a big risk that can come back to bite senior executives pretty spectacularly if they aren’t careful. For example, while an additional £500,000 towards new security resources may not seem viable during annual budgeting cycles, it pales in comparison to the millions of pounds worth of fines, legal costs and mitigation expenses many organizations are faced with in the aftermath of a breach.
Just ask British Airways, which has been hit with a record £183 million fine from the Information Commissioner’s Office (ICO), following what it described as a “sophisticated, malicious criminal attack” on its website, during which details of about 500,000 customers were harvested.
Examples like this highlight just how important it is to ensure long-term security and compliance by implementing cybersecurity practices that prevent such data breaches from happening in the first place. A more proactive approach to integrating cybersecurity practices into the wider business strategy can go a long way towards protecting against data loss, as well as empowering security teams to respond much more swiftly and precisely to any threats that do present themselves.
With more and more organizations now relying on software applications to grow their business, properly securing these applications is becoming absolutely essential. A great way to do this is by adopting a systematic, risk-based approach to evaluating and addressing cybersecurity vulnerabilities earlier in the software development life cycle (SDLC), rather than trying to do it after the fact.
Business and security objectives must be aligned
The most effective security approaches are the ones that have been properly aligned with the objectives of the wider organization. But all too often, the idea of building security into the SDLC is reconsidered the moment it’s deemed to be having a detrimental impact on development times or release windows.
When the time needed to remediate a vulnerability threatens to delay the release of an important application, pressure quickly starts building on the security team. If it can’t make a compelling business case to delay release in order to fix the issue, it can quickly find itself on the outside looking in.
The role of risk in effective security decision making
In situations like the one above, security teams need to be able to quickly make senior decision-makers recognize the stakes involved and the potential consequences of not fixing the vulnerability. This requires both a solid understanding of the app’s intended business purpose and an ability to frame the argument in a way decision-makers will understand, rather than drowning them in security jargon. One of the best ways to do this is with a risk-based approach, which has two main stages.
Stage one involves taking a comprehensive inventory of all web applications currently in development and putting a stringent monitoring process in place to quickly identify vulnerabilities. It’s critical to be thorough during this stage because if just one application is missed, or one system left unsecured, it creates a new potential access point for cybercriminals.
With stage one completed, stage two can begin: incorporating business impact into the strategic planning process. By properly defining the potential losses that could occur from a specific vulnerability and helping senior executives understand them in plain terms, security teams not only drive home the need for effective security, but also allow for much finer tuning of activities based on the level of risk each one presents to the overall organization.
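The two stages above, as an added illustration that is not part of the original article: a stage-one coverage check over an application inventory (an unscanned application is flagged as a gap, not treated as clean), then a stage-two ranking of findings by expected loss in pounds so that a vulnerability is expressed in business terms rather than by severity label alone. The applications, findings, likelihood figures and loss estimates are all constructed for the example.

```python
from dataclasses import dataclass

# Indicative chance a finding in each severity band is exploited within a year
# (an assumption for this example; an organisation would calibrate its own).
LIKELIHOOD = {"critical": 0.5, "high": 0.3, "medium": 0.1, "low": 0.02}

@dataclass
class App:
    name: str
    impact_gbp: int       # estimated loss if breached: fines, legal costs, remediation
    scanned: bool = True  # stage one: does a scan/monitoring record exist?

@dataclass
class Finding:
    app: str
    title: str
    severity: str         # a key of LIKELIHOOD

def coverage_gaps(inventory):
    """Stage one: an application with no scan record is unknown risk, not clean."""
    return [a.name for a in inventory if not a.scanned]

def prioritise(inventory, findings):
    """Stage two: rank findings by expected loss in pounds (likelihood x impact)."""
    impact = {a.name: a.impact_gbp for a in inventory}
    ranked = [(f.app, f.title, LIKELIHOOD[f.severity] * impact[f.app]) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample inventory and findings (not real systems or assessments).
INVENTORY = [
    App("booking-web", impact_gbp=5_000_000),
    App("internal-wiki", impact_gbp=50_000),
    App("loyalty-api", impact_gbp=2_000_000, scanned=False),  # missed in stage one
]
FINDINGS = [
    Finding("internal-wiki", "Stored XSS in page editor", "critical"),
    Finding("booking-web", "No rate limit on login endpoint", "medium"),
    Finding("booking-web", "Outdated TLS cipher suite", "low"),
]

if __name__ == "__main__":
    for name in coverage_gaps(INVENTORY):
        print(f"UNSCANNED (stage one gap): {name}")
    # Note the 'critical' wiki finding ranks last: severity alone would have put it first.
    for app, title, loss in prioritise(INVENTORY, FINDINGS):
        print(f"£{loss:>10,.0f}  {app:14}  {title}")
```

The ordering shows the point of stage two: a medium-severity finding on the high-impact booking application outranks a critical one on a low-impact internal tool once expected loss, rather than severity, drives the decision.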
Taking a SaaS-based approach to application scanning
Adopting a SaaS-based approach to application scanning throughout the SDLC allows security teams to continuously assess risk during the production process, rather than just at a handful of milestones. As a result, when combined with proper prioritization of activities, a much more accurate risk profile can be created than would otherwise be possible, which all levels of the company can buy into.
When it comes to effective security, it’s important for security teams to speak a language the whole organization understands. Taking a risk-based approach does this, translating often complex vulnerabilities and analysis into terms that are meaningful to all, and particularly to the senior executives. This allows proper discussions to take place, leading to mutual decisions that benefit the company as a whole and keep it protected from the plethora of cyber threats out there.