Cyberattacks are becoming more sophisticated and frequent, and cybersecurity leaders are feeling the strain as they protect swaths of critical and sensitive data.
But the security industry is stuck.
Far too many companies struggle with how to protect their most valuable assets, and developers and security teams alike are stretched thin. The widening gap, estimated at 3.5M roles, for cybersecurity talent creates tension among those teams, and some developers feel they are forced to sacrifice security for productivity.
Here are four critical areas every chief information security officer (CISO) should invest in now to help set their team up for success.
1. Security Staff Training
Training staff is fundamental to understanding what tools are in place and how the company can maintain proper software security. With companies of all sizes vying for cybersecurity talent, leaders are currently looking to fill the gap with upskilling and training to maximize the impact of their existing developer and security teams.
While security training should cover all employees at a company on a basic level — such as training on phishing attacks, multifactor authentication, and strong passwords — cybersecurity leaders tend to focus on the development function within their organization. Best practices from The Open Web Application Security Project (OWASP) offer a good starting point for training developer teams and can be facilitated by team leads. Working with the team leaders of development teams often generates the best return on the investment, but I believe that leaders should aim to work with all of their developers in some capacity.
A recent report from McKinsey focused on reducing cyber risk with cybersecurity talent stresses the importance of understanding what to prioritize in terms of security and the ability of a team to adapt to new threats. Leaders must ensure they have the right people with the right knowledge and advocate for the proper tools and educational resources they need to make an impact.
2. Providing Visibility
With today’s applications composed of many moving parts — proprietary code, open-source code, and code from vendors and integrations — vulnerabilities can fall through the cracks. For leaders to adequately respond to new threats and vulnerabilities, and steer the company away from falling victim to future attacks, a bird’s eye view of all code is critical, whether in the form of a software bill of materials through a vendor or with a proprietary system. The goal should be to zoom out as much as possible to get a macro view of the company’s code and potential cybersecurity needs.
Just like any function leader needs an understanding of their organization’s general KPIs, security leaders need the full picture of their code and infrastructure. Without seeing the full picture, leaders risk spinning their wheels and wasting investment by not making enough strides toward securing their organization.
For example, you can spend developer hours manually checking all of your company’s code for vulnerabilities and deem it clear and risk-free. But if you neglect to review that code for supply chain security issues, you can potentially pull a malicious package directly into your code.
That macro lens helps companies quickly and efficiently address issues: think about how omnipresent the risks of Log4j are, found in everything from games to enterprise software. With requirements to act swiftly, only those with a real understanding of where there could be a potential risk or indirect dependency are aptly prepared.
3. Keeping up-to-Date With Security Technology
Your organization’s product keeps evolving, and you’re continuing to put investment behind security practices — but the same is true for cybercriminals. Cybersecurity leaders should stay abreast of new trends and next-gen technologies that cybercriminals may employ and explore how they can invest in these technologies internally to thwart those advancements.
For example, artificial intelligence (AI) is a promising technology for this use case. Security companies have already completed the legwork of refining and tuning AI tools to minimize false positives and smooth the integration with other security technology.
As a result, implementing and benefiting from AI tools is worthwhile, especially for leaders looking to expand their tech stack.
What is most important is remaining on top of the latest emerging cybersecurity technologies (such as behavior analytics, blockchain, and deep learning) that can be used internally as well as by sophisticated malicious actors. For example, both attackers and organizations may use behavior analytics to detect and track one another’s work.
4. Prioritizing Remediation Effectively
The sheer volume of potential security vulnerabilities makes it impossible for development teams to catch up while maintaining and building on the existing product. Cybersecurity leaders should prioritize remediation efforts strategically and pursue the vulnerabilities most likely to impact the business — not all vulnerabilities warrant a fire drill.
Many security solutions only detect vulnerabilities in code without providing context on how to solve them. For this reason, leaders should invest in deepening and developing their risk and remediation strategy framework to optimize for solving future problems. Awareness of a vulnerability or potential threat is the first step. Still, effective remediation of security vulnerabilities in a prioritized fashion — and using team resources to resolve the correct issues — is what secures an organization. The end goal is to have secure, fixed code, and a focus on detection leads to a false sense of security.
This remediation-first approach could include verifying that any new code addition or library is well maintained and taking it further by creating a process that pulls future fixes into your code.
While some of these areas may require reprioritization of time and resources, security is of utmost importance for businesses across industries today, making changes to safeguard against potentially catastrophic cyberattacks.
By empowering employees to uplevel their security practices, ensuring technical visibility, continuing to explore new technologies, and prioritizing remediation strategically, leaders can improve security for their organizations.