Big breaches make data part of the security ‘house’
We probably don’t want to admit that we remember when the adage of people, process and technology was coined the Golden Triangle, but with cyberincidents at an all-time high, it makes sense to expand the triangle to include data.
In speaking with CIOs and CISOs about the most recent breach with Marriott, compromising more than 500 million guests’ data or of course Equifax in 2017 compromising 143 million consumers, the conversation quickly shifts to, “Does a company really have a good handle on its security posture?” They don’t know what they don’t know.
Cybersecurity is about protecting the house, the corporation — the people, process, technology and the data. It is providing trust and protecting the organization’s assets and providing resilience for the people and the environment using those assets. The process is the enabler to ensure that routine vulnerability scans and patches, for example, are completed in a timely manner, and moreover is integral to developing the corporation’s cyberdefense strategy.
Sounds basic, but breakdowns in the process of applying patches consistently and timely have contributed to approximately 70 percent of successful cyberattacks which are exploiting known vulnerabilities in systems where readily available patches have not been applied.
Cyber threats are becoming more advanced and sophisticated with tactics that were once privy to nation states now prevalent and mainstream with hacker groups and cyber criminals. Rapid changes in technology, such as is occurring with cloud services or internet of things (IoT), increase risks if the process has not evolved for defining cybersecurity requirements, protocols and governance.
Companies should be placing importance on training their employees to heighten their awareness on cybersecurity manipulation tactics as part of a holistic cybersecurity defense strategy.
In addition to improving training, the development and delivery mindset of the organization has to change to think about code security review iteratively versus at the end of the software development life cycle right before production. Discovering a vulnerability right before production release is really late in the game.
What often happens is the team is at a crossroads: Delay the release or release the code which has a known vulnerability. Integrating security reviews early and often allows the team to identify security issues further upstream in the design and development process. Organizations should consider evolving the governance and gate review process to include security.
Expanding the cybersecurity discussion to include people and process will serve the organization well and remember: Protect the house — the people, process, technology and data. These are after all the most valuable assets that we need to defend against cyberincidents, while imparting trust and resilience to the organization.