While it’s necessary to understand the key security priorities for organizations year over year, what I find even more interesting to examine is where security teams feel they are falling short. What are the areas in which they give themselves a poor grade, regardless of the reason? These topics are, in some ways, even more important to understand. This blog, the second in our multi-part security priorities series, outlines where organizations say their security strategy is lacking.
#1 – Inconsistent security involvement during application development
Not too surprising, at least to many of the people I speak with, is that security is not always addressed during application development. Security teams have always struggled to exercise influence over the parts of the business that they do not control but that can present serious security concerns. AppDev is the poster child for this. Particularly as businesses have moved to adopt DevOps, security has been sacrificed on the altar of code & deploy, code & deploy. Far too often, AppDev’s failure to take security into account has resulted in unvetted, insecure code being pushed into production with its vulnerabilities intact. Because DevOps is a continuous process, a one-time review at the end of a release cannot keep up; the only way to keep a handle on these risks is wholesale buy-in from senior leadership demanding that security checks be built into the pipeline itself rather than bolted on afterward. Hence the advent of DevSecOps. But for most enterprises, the reality of always-on secure code deployments is well down the road.
#2 – Not enough invested in employee training & awareness
This is where most organizations can get the biggest bang for their buck: addressing the most common point of failure, which is people. But inadequate employee training & awareness continues to be a struggle. Teaching users how to distinguish a phishing email from a legitimate one, not to leave their laptops unattended where they might be stolen, and to avoid connecting to untrusted public WiFi access points can help businesses avoid many of the common mistakes that lead to breaches. But even businesses that diligently train and test their users see those same users fall for sophisticated phishing attacks or make seemingly simple mistakes that result in dire consequences. Training reduces the rate of these errors; it does not eliminate them, which is why controls that do not depend on a user getting it right every time (phishing-resistant authentication, email filtering, disk encryption) still matter.
User training and awareness is a theme that permeates this year’s study, from being the #2 priority, to the #2 security failure, and, as we’ll review in the third blog of the series, a major distraction that pulls the security team away from strategic initiatives. It’s a challenge that just doesn’t go away, but one that also speaks to the importance of having a good security technology environment to pick up the slack when people fail.
#3 – Security isn’t always involved prior to adopting new technologies
One of the things we can always count on a business to do is attempt to leverage new technologies to introduce efficiency, knowledge and speed into its processes. To do so, organizations constantly innovate with the solutions they already have in place while adopting new technologies as they become available. But when the security organization is not involved before a new technology is implemented, the best case is operational inefficiency, slower deployments and higher costs as controls are retrofitted. The worst case is the introduction of significant vulnerabilities into production environments: a new SaaS integration, cloud service or device class that was never threat modeled, never given an identity and access review, and never wired into monitoring.
The importance of having the security organization plugged into all technology initiatives, and frankly all operational initiatives of the business, cannot be overstated. A lack of visibility inevitably leads to silos, which in turn lead to lapses in security. This is why it is critical that senior management focus on creating a culture of security in their organization, so that everyone, from the top ranks to the bottom, understands the role of security in preserving the operational resiliency of the organization.
There were a number of other failures cited in this year’s study: insufficient communication with the lines of business, failure to be proactive with the organization’s security strategy, and poor visibility into the IT environment. But of most concern to me is a lack of security during the due diligence phase of M&A. This is an area that was overlooked for many years, but security teams increasingly play a critical role in the due diligence process. I have been hearing, however, that in some competitive acquisition and investment deals, some private equity firms are forgoing anything but cursory due diligence for fear that any discovered security gaps could affect their ability to close the deal, opening it up for their competitors to step in. This is a short-sighted approach, to say the least, and I would hope that investors take note of this and voice their concerns. It’s always better to have clear visibility of risks heading into a deal than to discover those risks after the fact, when the acquirer has already inherited the target’s breaches, its unpatched estate and its liabilities. Just ask Verizon (based on its acquisition of Yahoo), or Marriott (based on its acquisition of Starwood).
Continue reading our Security Priorities Blog Series or catch up on ones you may have missed:
Part One: Top Priorities for the Next 12 Months
Listen to the 2019 Security Priorities Webcast to gain even deeper insights.