Risk is something that we human beings don’t tend to understand very well. We perceive risk differently, especially after we have heard of or been through a near-fatal incident. We also tend to dismiss a risk because we don’t see a tangible negative impact from it right away, and we take cybersecurity incidents that carry lower security risk for granted.
It’s hard to predict how many times skipping basic cybersecurity hygiene can get an organization or a user into trouble, yet they only understand this once a security incident has taken place because they skipped the basic hygiene.
Risks start to mount when organizations skip basic hygiene and take shortcuts that are risky when the product is not as widely accepted as others or when their vendors are very young in the market. As time passes the risk grows, and we tend to overlook it until something bad transpires.
Vanquishing the hindrances on the path to better security
Competition is another factor that makes organizations overlook cybersecurity. Software finds itself at the core of every industry’s competitive advantage, with a lot of pressure from the market to release new software or improved versions at a lower cost. At times, proper security hygiene, when done right and in the traditional manner, gets in the way of agility.
In such a scenario the dilemma for most companies is: should they take more risks to move faster, or should they go slow and do the right thing? Unfortunately, human nature is such that most of the time they opt to move fast with a risky approach, and that leaves them with a ticking time bomb of a cybersecurity incident waiting to happen.
Other barricades to sensible security decisions
• Engineers having a tough time communicating problems to stakeholders while not being well versed in security understanding and practices.
• At the business level, executives and decision-makers lacking education and awareness around the topic, most importantly around the foundations of software security.
• Security teams being perceived as the only ones responsible for the security of the organization.
What can a CISO do to ameliorate things?
Quality security should be everybody’s job, not just that of the QA/security team, who are usually the only ones held responsible for it. One of the most important goals for a CISO should be improving the security culture in the organization by means of awareness, education, consulting, promotion, and providing the processes and tools.
Educating about cybersecurity does not mean training the workforce in security testing and coding skills. Rather, educating the staff on how security affects the wider business, how it can reduce revenue if not done right, and how all of this can affect them personally is critical.
A CISO should be proactive and not wait for a disaster to happen. The absolute worst time to fix security issues is when an audit fails. It’s easier to enforce policies that protect data than to deal with the after-effects of a security incident, so the CISO should invest in proactive measures.
Being proactive is a double-edged sword, so a CISO should ensure they don’t go overboard with it. Enforcing extreme policies without regard to the value of the asset being protected, or to the impact on productivity and usability, often results in people bypassing the policies, which turns out to be far more harmful.
Preparing for the road ahead
The technology and compliance landscapes are only going to get more demanding and complex with time. When it comes to introducing new technologies and needing employees to put them to good use, we advise organizations not to focus on specific skill sets but rather on functional understanding in individuals. When you have the right people on board, aided by a culture that helps them take the right initiatives, they will bring the latest technology into the organization and will have the ability to adapt to it and deal with new problems.
The CISO should be pragmatic and should focus on making the organization secure rather than on being fast and taking shortcuts. If the CISO knows how their decisions would affect the larger business, they will have an easier time getting buy-in from the organization and will know how to present future investment proposals. They should educate executives on how cybersecurity and risk management affect the business and on the importance of finding a balance.
Prioritize investment, and invest in automating the balanced approach to development. When rolling out automation and asking developers to cooperate with you, start by explaining why it’s being done; it will be met with less resistance.
To read more, please check eScan Blog