[BreachExchange] How CISOs must be wary of the new wave
Destry Winant
destry at riskbasedsecurity.com
Tue May 28 10:06:21 EDT 2019
https://cio.economictimes.indiatimes.com/news/strategy-and-management/how-cisos-must-be-wary-of-the-new-wave/69523636
CISOs need to carefully evaluate the upcoming trade-off between
innovation and security and apply this judiciously to their respective
organizations; inculcating a security mindset in the process.
In the wake of the recent Baltimore crisis, CISOs constantly find
themselves under growing pressure to deal with a constant barrage of
new cyber threats. This pressure is derived primarily from continuous
innovation in the tech sector and may directly be linked to IoT.
Government policies such as open banking, along with customer
expectations that every critical service should be right at their
fingertips, are giving rise to an upswing in application development
by enterprises.
It is the management of this DevOps community that CISOs today find so
challenging. While this limitless innovation is constantly pushing the
limits of everything that we thought was possible, the same community
also tends to take security controls lightly, as they believe it
restricts their ability to innovate.
Without securing the development pipeline, risks will continue to be
extremely high. One developer’s error could lead to a leak of massive
proportions. An example of this was the Uber hack that stole the
credentials of almost 50,000 Uber drivers. To combat this challenge,
CISOs need to start working on a rigorous process to institute
practices that restrict access to privileged credentials. Also, there
must be a rigorous review process of each software instituted to
ensure there are no acute vulnerabilities.
One way to do this is through the development of security components
that are easy to adopt. It is not fair or pragmatic for a CISO to pose
one sided restriction on DevOps teams. There must also be an
evaluation of security policies, standards and frameworks along with
an optimization of the same to make the task of development manageable
at the same time.
In the past, CISOs have traditionally adopted a reactive mentality
towards security and crisis.
However, a more proactive approach is now being encouraged, wherein
CISOs might encourage continuous collaboration between DevOps and
security, and adopting security by design, not by tradition. Centres
for collaboration along with advisory council must be implemented to
share knowledge, enhance the developer experience and promote good
security practices.
In the end the biggest challenge for a CISO will be to foster this
collaborative mindset. For this, he or she must create an environment
where interaction between the two divisions is encouraged. Especially
in this era, with new IT markets such as IoT emerging, it is becoming
evident that CISOs need to upgrade their security methods and
protocols. They should never be complacent as the increased
vulnerability is becoming more evident than ever. Vigilance and
continuous awareness are encouraged and will be invaluable in the
coming years.
More information about the BreachExchange
mailing list