[BreachExchange] The Most Pressing Concerns Facing CISOs Today

Destry Winant destry at riskbasedsecurity.com
Fri Jan 22 11:04:39 EST 2021


https://www.darkreading.com/risk/the-most-pressing-concerns-facing-cisos-today/a/d-id/1339858?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Building security into the software development life cycle creates
more visibility, but CISOs still need to stay on top of any serious
threats on the horizon, even if they are largely unknown.

With software being one of the most valuable assets in business today
and DevOps in the driver's seat for software pipelines, CISOs are
facing an array of challenges regarding their organizational security
and integrity. The role and overall visibility of CISOs have continued
to evolve because corporate security isn't just nice to have anymore —
it's an integral part of the business, an imperative. This reality now
puts CISOs in the unenviable position of quickly understanding and
communicating how much risk their business is willing to accept, and
getting teams to act accordingly.

Cultural Divisions = More Risk
As the appetite for software accelerates, and the sophistication of
application security advances, everyone inside a company needs to be
on the same page about their risk posture and how it affects ongoing
security efforts. We already know this isn't happening. While DevOps
has revolutionized software development in terms of speed, capability,
and agility, developers and security teams simply don't share a common
vision or unified goal on how to get software to market quickly and
securely. Recent Ponemon research found developers see security as a
bottleneck to innovation and speed, while security practitioners
believe developers continue to prioritize delivery times over quality.

The technology is there, but cultural (and human) problems are slowing
down the process. CISOs are challenged with figuring out a way to
tailor security programs to customer needs and business goals by
aligning business and security strategies. We already know that
integrating security testing earlier in the software development life
cycle (SDLC) can help mitigate risk, and it also makes developers much
more productive. CISOs can help bridge the cultural divide by
accomplishing their risk management objectives while simultaneously
helping their development partners be more successful.

Digital Transformation Needs Scalability and Continuity
With digital transformation accelerating development cycles, security
can't be considered a barrier to speed. Remember, cars have brakes so
they can go fast! We need to ensure software can develop quickly too,
protected by application security and not hindered by it.
Unfortunately, a lot of security processes are still manual today.
Testing tools deliver enormous volumes of findings, all of which need
to be correlated and prioritized. These tasks take time, and CISOs are
often dealing with more data than they have people to analyze it. To ensure
their existing security governance frameworks, including tools,
processes, and policies, can keep up, CISOs will need to continue
building the bridge across the divide by empowering their development
teams with the right resources and support.

To properly scale security, organizations need to decrease manual
processes by embracing SDLC automation and continuous scanning. This
results in faster remediation and better overall application security.
Orchestration is important too. With proper orchestration,
vulnerabilities are prioritized and refined for remediation. CISOs are
key in creating this component of the "bridge" because processes like
automation and orchestration can save developers time by consolidating
units of work and converting findings into a language they understand.
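The correlation and orchestration step described above, as an added example that is not part of the article: two hypothetical scanners ("sast-a", SARIF-like keys; "sca-b", its own keys) produce constructed findings; the script normalises them to one record, merges duplicate hits by (CWE, file, line), scores each by severity plus reachability, exposure and multi-tool corroboration, and groups the result into per-team work items. The tool formats, team ownership map, internet-facing list and scoring weights are all assumptions chosen for illustration.

```python
"""Correlate and prioritize multi-scanner findings into developer work items.

Added example, not from the Dark Reading article. Scanner formats, owners,
exposure list and weights are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
LEVEL_TO_SEV = {"error": "high", "warning": "medium", "note": "low"}  # SARIF-like levels

# Constructed ownership and exposure data (assumed, would come from CODEOWNERS/CMDB).
OWNERS = {"src/orders": "payments-team", "src/views": "web-team", "src/legacy": "platform-team"}
INTERNET_FACING = {"src/views.py", "src/orders.py"}

# Constructed scanner output. "sast-a" reports the same hit twice; "sca-b" also flags it.
SAST_A = [
    {"ruleId": "CWE-89", "uri": "src/orders.py", "startLine": 42, "level": "error"},
    {"ruleId": "CWE-79", "uri": "src/views.py", "startLine": 17, "level": "warning"},
    {"ruleId": "CWE-89", "uri": "src/orders.py", "startLine": 42, "level": "error"},
]
SCA_B = [
    {"cwe": "CWE-89", "path": "src/orders.py", "line": 42, "sev": "HIGH", "reachable": True},
    {"cwe": "CWE-502", "path": "src/legacy/import.py", "line": 88, "sev": "CRITICAL", "reachable": False},
]


@dataclass
class Finding:
    cwe: str
    file: str
    line: int
    severity: str
    sources: set = field(default_factory=set)
    reachable: bool = False        # some tool showed the vulnerable path is reachable
    internet_facing: bool = False  # derived from the exposure list during correlation


def normalise_sast_a(rec):
    """Map a sast-a (SARIF-like) record onto the common Finding shape."""
    return Finding(rec["ruleId"], rec["uri"], rec["startLine"],
                   LEVEL_TO_SEV.get(rec["level"], "low"), {"sast-a"})


def normalise_sca_b(rec):
    """Map an sca-b record onto the common Finding shape."""
    return Finding(rec["cwe"], rec["path"], rec["line"], rec["sev"].lower(),
                   {"sca-b"}, rec.get("reachable", False))


def correlate(findings):
    """Merge hits that describe the same weakness at the same location."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.file, f.line)
        if key in merged:
            m = merged[key]
            m.sources |= f.sources
            m.reachable = m.reachable or f.reachable
            if SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[m.severity]:
                m.severity = f.severity  # keep the most severe rating seen
        else:
            merged[key] = f
    for f in merged.values():
        f.internet_facing = f.file in INTERNET_FACING
    return list(merged.values())


def score(f):
    """Risk score: base severity, plus context that raises exploitability/impact."""
    s = SEVERITY_WEIGHT[f.severity]
    s += 5 if f.reachable else 0          # reachable code path
    s += 3 if f.internet_facing else 0    # exposed component
    s += 2 if len(f.sources) > 1 else 0   # independent corroboration, fewer false positives
    return s


def owner_for(path):
    for prefix, team in OWNERS.items():
        if path.startswith(prefix):
            return team
    return "unassigned"


def prioritize(sast, sca):
    """Normalise, correlate and rank all findings, highest risk first."""
    findings = [normalise_sast_a(r) for r in sast] + [normalise_sca_b(r) for r in sca]
    return sorted(correlate(findings), key=score, reverse=True)


def build_work_items(sast, sca):
    """Group ranked findings per owning team in developer-facing terms."""
    items = defaultdict(list)
    for f in prioritize(sast, sca):
        items[owner_for(f.file)].append({
            "cwe": f.cwe, "file": f.file, "line": f.line, "severity": f.severity,
            "score": score(f), "sources": sorted(f.sources),
            "action": f"Fix {f.cwe} at {f.file}:{f.line} (reachable={f.reachable}, "
                      f"internet_facing={f.internet_facing})",
        })
    return dict(items)


if __name__ == "__main__":
    for team, work in build_work_items(SAST_A, SCA_B).items():
        print(team)
        for w in work:
            print(f"  [{w['score']:2d}] {w['action']}  via {','.join(w['sources'])}")
```

With the constructed input, the duplicated SQL-injection hit in src/orders.py collapses to one item that two tools agree on, is reachable and internet-facing, and therefore outranks the "critical" deserialization finding in unreachable legacy code; each team receives only its own items, phrased as an action rather than raw tool output.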

The Present and Beyond
Building security into the SDLC helps create more visibility, but
CISOs still need to stay on top of any serious threats on the horizon,
even if they are largely unknown. The fallout from the pandemic
remains to be seen, but it has already had a major impact on both
security and development. The move to telework and use of even more
cloud-based applications has significantly diminished the security of
software applications. According to the same Ponemon research noted
earlier, both security practitioners and developers lack confidence
that teleworkers are complying with security and privacy requirements.
In fact, only a third of both groups believe their organizations are
effectively stopping or curtailing security compromises or exploits in
software applications.

As the future continues to roll out unexpected turns, CISOs must
maintain a close working relationship with the DevOps team and
continue to seamlessly integrate security into the SDLC. Security
becomes an afterthought or a periodic manual, nonrepeatable process if
there isn't a collaborative relationship between teams.

This won't happen overnight, as it requires a significant cultural
shift. Developers must buy into the notion that quality software
hinges on built-in security at every phase of development, and see
security as a necessity. When this happens, CISOs can feel more
confident in answering the questions "am I secure?" and "is this
application that I've brought to market secure?" because everyone has
the same goals, is on the same page, and can quickly adapt to threats
not yet known.


More information about the BreachExchange mailing list