Human beings are poor judges of risk. For example, we perceive the risk of air travel to be higher than it actually is after a fatal aviation-related accident happens.
We also tend to dismiss risks just because we don’t see a tangible negative impact right away. This is, for example, what prevents many from making dental hygiene a priority: we all know dental hygiene is critical to our health and a relatively easy “investment”, but when nothing bad happens immediately after skipping teeth brushing once, many stop being regular about it.
“It is hard or impossible to predict just how many times of skipping a good brushing it takes to get you in trouble with tooth pain, so we tend to take on more risk until we end up getting toothache and regret not investing enough in proactive maintenance,” Ehsan Foroughi, Vice President of Products at Security Compass, told Help Net Security.
“For security, in many cases it starts with skipping it and taking risky shortcuts when the product is not yet widely adopted or the company is small and young. But as it grows and the risk grows, we tend to overlook that until something bad ends up happening.”
Obstacles to surmount on the path to better security
Another thing that makes companies brush aside security is competition.
“Software is becoming the core of every industry’s competitive advantage and there is a lot of pressure from the market and competition to release new software or improvements to existing software faster and at a lower cost (so that a limited investment can yield more results),” he noted.
“Proper security hygiene, when done in the traditional way, gets in the way of agility and creates the dilemma: should we take on risk to move fast in the business, or should we slow down and do the right thing? Unfortunately, human nature pushes many to choose the fast and risky approach which leaves them with a ticking time-bomb of a security incident waiting to happen.”
Barriers to pragmatic security decisions
Other roadblocks to sensible security decision-making include:
- Engineers not being well versed in security understanding and practices, as well as having a hard time communicating complex issues to business stakeholders
- Executives and decision-makers at the business level lacking education and awareness around the topic, most specifically around the foundations of software security
- Security teams being perceived as the only owner of the organization’s security
What can CISOs do to make things better?
Like quality, security should be everybody’s job and responsibility, not just the QA/security team’s.
One of CISOs’ goals should be to improve security culture across the organization, by raising awareness, educating, consulting, promoting and providing processes and tools.
“When it comes to education, many think of hard skills such as security testing and coding skills. However, educating staff on how security affects the bigger business, how it can reduce revenue if not done right, and how it can affect them directly, is critical,” Foroughi noted.
He also advises CISOs not to wait for disaster. “The worst time to fix things is when an audit fails. Also, it costs a lot more to wrestle with malware clean ups and deal with ransomware than to enforce policies to protect data – so shift left and invest in proactive measures.”
But, at the same time, they should take care not to go overboard: enforcing extreme policies without regard for the value of the assets being protected or the impact on productivity and usability often results in people bypassing the policies, and that would be even more harmful.
Preparing for the future
Foroughi expects the compliance and technology landscapes to get more complex and demanding.
When it comes to introducing new technologies and the need for employees to have the skills to wrangle them, he advises organizations not to focus on a specific skill set when hiring, but to look for foundational understanding in individuals.
“If you have the right people on board and the culture enables them to take initiative, they will bring the latest technology into the organization and will have the capability to quickly learn and adapt to deal with new problems,” he explained.
The problem of balancing security vs. time to market will also get harder to address, he says.
First and foremost, CISOs should be pragmatic and focus on getting 80% secure and 80% fast instead of choosing one over another.
They should also know that they will have an easier time getting buy-in from the rest of the organization if they learn how decisions in the CISO’s domain affect the larger business and how to present proposals for future investment from that perspective.
In general, CISOs have to educate executives on how security and risk management affect business goals and on the importance of finding the balance.
“Invest in automating the balanced approach to development and prioritize this investment,” he concluded. “When asking the developers to cooperate with you to roll out this automation, start by explaining why you are doing this – you will face much less resistance.”