Whether it’s getting a Petya or WannaCry ransom message today or logging into your bank account and seeing a zero balance tomorrow, organizations have to think about their critical infrastructure and institute proper hygiene measures. Cybersecurity, much like health and fitness, takes consistency and a repeatable but flexible approach to achieve sustainable, measurable gains. However, in both cases, people are often looking for a "quick fix" such as a simple pill that bypasses the need for self-control, dedication, and rigor. There is also, in both cases, a steady stream of products or features flooding the market on a regular basis, each with a slightly nuanced set of promises, gimmicks, and buzzwords.
Consequently, despite all of these promises and good intentions, our overall levels of physical fitness and cybersecurity resilience are on the rapid decline. In this article, I will discuss why organizations need to institute proper hygiene measures and take a continuous improvement approach to ensure that cybersecurity keeps pace with the inevitable threats of today's online world.
The definition of resilience is the ability to quickly recover from adverse events or circumstances. In today's hyper-connected, always-on digital business world, hackers are continuously launching automated attacks on critical infrastructure and applications looking for vulnerabilities. By contrast, enterprise security teams typically take a manual, periodic approach to vulnerability assessment and application security testing.
In this article, I’ll explain how organizations can take the necessary steps to keep their business in shape:
Step 1 – Establish a Baseline
The first step is to get a comprehensive understanding of your current security posture and overall risk profile. It's important to do this in order to measure and track improvements; this is why you so often see before and after photos in the fitness world. You can't protect what you don't know about, so having complete and continuous visibility of all IT assets is paramount. These assets should then be grouped according to their current risk assessment and data privacy requirements. This grouping should be completed as quickly as possible, given the rate at which changes are deployed in today's high-velocity, cloud-first world.
Step 2 – Create and Implement a Strategic Program
The next step is to outline a strategic program that takes a continuous approach to code and application security testing and embeds those processes into the DevOps CI/CD pipeline. This is often referred to as "shifting left" because, in the past, security testing was an afterthought performed post-deployment. Security best practices are now brought into the software development life cycle (SDLC), so software defects and vulnerabilities are discovered early and can be quickly remediated before they are ever delivered to the production environment.
Step 3 – Communicate the Program
In addition to the technology shift, there also needs to be a cultural transformation focused on increasing collaboration and communication between the DevOps and SecOps teams. Culture is best changed by creating clarity, and this is done by fostering alignment on the answers to questions such as "How is success measured?" and "What is the current top priority?" An additional component of this program is to create well-defined service-level agreements (SLAs) that expedite remediation and eliminate conflict and contention between teams. The mantra of "security is everyone's responsibility" really should resonate within the company. It also needs to be properly conveyed that security doesn't need to be draconian – it can be seamlessly integrated into the entire SDLC.
Step 4 – Execute and Measure
Once the initial communication has been delivered and the cultural transformation is underway, continuous execution of the program, along with measurement of the key metrics that matter to the core business, is the next step along the path to business resiliency. Going back to the earlier point about fitness and consistency, security resiliency approaches can't be a periodic or "weekend warrior" endeavor. Whatever program you deem appropriate for your business and culture needs to have the trait of repeatability. To use a cliché, I'd say that "continuous and repeatable helps level the playing field." In the world of cybersecurity, there is no proverbial race to be won; it's a long-term chess match where you need to be methodical and thoughtful about your next and future moves.
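Steps 2 through 4 describe a pipeline gate driven by remediation SLAs and fed by continuous measurement. The following is an added example of what such a gate can look like in code; it is not from the article or from Cybric, and the SLA day counts, severity labels, asset group names and sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLAs in days from first detection, per severity (Step 3).
# These values are an assumption for the example, not figures from the article.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str      # one of SLA_DAYS' keys
    asset_group: str   # Step 1 grouping by risk / data privacy (constructed labels)
    first_seen: date   # date the scanner first reported the finding


def sla_deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under the SLA."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def evaluate_gate(findings: list[Finding], today: date):
    """Decide whether the pipeline may promote this build (Step 2).

    Blocks on any open critical finding and on any finding, of any severity,
    whose SLA deadline has passed. Returns (passed, blocking, metrics) so one
    call feeds both the CI gate and the metrics that are tracked (Step 4).
    """
    overdue = [f for f in findings if today > sla_deadline(f)]
    critical = [f for f in findings if f.severity == "critical"]
    blocking = sorted(set(critical) | set(overdue), key=lambda f: f.finding_id)
    n = len(findings)
    metrics = {
        "open": n,
        "overdue": len(overdue),
        "overdue_pct": round(100 * len(overdue) / n, 1) if n else 0.0,
        "by_severity": {s: sum(1 for f in findings if f.severity == s) for s in SLA_DAYS},
        "mean_open_age_days": round(sum((today - f.first_seen).days for f in findings) / n, 1) if n else 0.0,
    }
    return not blocking, blocking, metrics


# Constructed sample scan output; these are not real findings.
SAMPLE = [
    Finding("F-1", "critical", "payments", date(2024, 5, 8)),
    Finding("F-2", "high", "customer-data", date(2024, 3, 1)),
    Finding("F-3", "medium", "internal-tools", date(2024, 4, 20)),
    Finding("F-4", "low", "marketing-site", date(2024, 1, 1)),
]
TODAY = date(2024, 5, 10)

if __name__ == "__main__":
    passed, blocking, metrics = evaluate_gate(SAMPLE, TODAY)
    print("gate:", "PASS" if passed else "FAIL", metrics)
    for f in blocking:
        print(f"  blocking {f.finding_id} ({f.severity}, {f.asset_group}) SLA deadline {sla_deadline(f)}")
```

Running the same function on every build makes the measurement repeatable: the gate result is the enforcement, and the metrics dictionary is what gets reported back to the business over time.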
Step 5 – Stay Accountable
As with any successful fitness program, it’s key to stay accountable. One of the best ways to do this is to have a workout “buddy” or someone who you know will motivate you to wake up at 6am when you’d rather be sleeping. In the case of your security posture, this could be a colleague who understands your mission and cares about the organization’s overall success. After clearing one security test, it can be easy to become lazy and complacent, but it’s important to remember that this is a continuous process. Having someone to remind you of this is invaluable. There’s a reason that fitness experts say “It’s a lifestyle.” The best way to yield the results you’re looking for is if security becomes a part of your everyday life.
Step 6 – Go Back To Step 1
Given the ever-evolving and expanding threat landscape, any baseline goes out of date increasingly quickly. This shouldn't be viewed as a negative, but instead looked at as an opportunity. Risk is an elastic quantity, which is just another way of saying that one's baseline is always evolving and expanding. This is where the continuous measurement (of what matters) in Step #4 comes back into play. Visibility and resiliency are not static states of security; they are elastic and ever-evolving. Going back to cultural transformation, leadership needs to continually measure and communicate the current level of risk and what that means to the core business.
Much like any fitness program, these 6 steps can be modified to meet your current and future security requirements and provide a strategic framework that can be adapted to any business environment. Anything worth doing is worth doing well, so use these fool-proof tools to help your organization build a proactive and continuous approach to instituting and maintaining proper hygiene measures.
Mike Kail, CTO, Cybric