The new year is upon us, and as such, it is a time to reflect on what worked over the past 12 months, and more importantly, what didn’t work. Organizations all over the world are utilizing applications, operating systems, and IoT devices while their data, and their customer’s data, increasingly lives in the cloud. Organizations should take the beginning of the year as a housekeeping opportunity to assess their systems to set themselves up for success in the new year.
Organizations will be wise to conduct security assessments that go beyond identifying security defects. Instead, teams should find and fix vulnerabilities as soon as they are discovered during testing. In today’s IT landscape, developers often rely on automation, which saves time and manpower. Security leaders should be cautious when it comes to declarative applications and infrastructure as they require organizations to re-focus on high confidence checks, optimized for speed and not necessarily for coverage.
We are also seeing an increasing number of issues at the point of manual integration in security testing due to the complexity of micro-services and distributed applications. As teams evolve their technology stacks, they should continuously evaluate their tooling and investments to determine if they still get the coverage they need across their portfolios.
Training increasingly requires remote and self-paced delivery components with realistic storybooks to relate to engineering. As time goes on and workforces evolve, especially in the age of COVID-19, it will become more and more logistically infeasible to get these engineers together. A balance of self-paced and expert-led education is important to keep the workforce engaged and growing their skills.
Leadership teams should start strategizing and prioritizing virtual training within their organizations, particularly on secure remote access to enterprise systems and applications. Setting up job-specific training is a great place to start, providing each employee with training specific to their role to minimize work downtime while maximizing training effectiveness.
Remediation of software and application vulnerabilities requires a developer to understand security at a framework and language level. Many teams struggle to get the dedicated cycles for security fixes rather than working on their feature back logs. As we continue to build increasingly distributed and decoupled software systems, investing in asset inventory and automated remediation capabilities are important. Speeding up remediation of vulnerabilities requires workflow automation and well-defined processes to minimize the noise and address actionable issues.
According to a study by Ponemon Institute, 74% of respondents believe that the increased adoption of security automation frees the IT staff to focus on overall network security and the most serious vulnerabilities. Automated remediation, through infrastructure-as-code and governance-as-code, can reduce the amount of cycles your team spends on removing pesky issues from being continuously reintroduced into your environment.
By taking note of where your data lives, where your assets are and who has access to them, and the security of the applications and systems that your company is running on, organizations will be better prepared for what’s to come in the world of cybersecurity in 2021.