In today’s connected business climate every organization will find themselves leaving a “cyber” footprint. This might mean a full-featured eCommerce presence or it may be as simple as using email to communicate with partners. If even one aspect of your business is conducted online, you share one major concern with the biggest companies in the world—cyber security.
Cybercrime is the fastest-growing segment of the criminal underworld and is projected to cost the global business world upwards of 6 trillion dollars by 2021. Figures like this tend to take up people’s attention, but they can also lead to misunderstandings about the larger role that effective cyber security can play throughout the software development lifecycle. If you’re just focused on preventing crime, you miss out on all of the ways that security can contribute to larger corporate strategies.
But you shouldn’t just take our word for it. Instead, you should check out a few key statistics that we’ve compiled about the current state of cyber security—statistics that suggest a growing disconnect between security operations and the development lifecycle.
Cyber Security: A Working Definition
Before digging in, let’s cover some basics of cyber security. Broadly speaking, cyber security is the protection of computer systems and networks from intrusion, theft, or damage. This covers everything from the physical hardware that hosts your data, the network infrastructure that transports it, the software that interprets it, and of course, the data itself.
For our purposes today, we also mean cyber security as a separate and often siloed function from DevOps or other strategically-positioned workflows. This might look like a separate SecOps team that comes in towards the end of a development lifecycle to run penetration tests and request security fixes from the development leads, or it might be something better integrated that treats security fixes as a quality control issue. While the goal of fending off cyber attacks is always critical, that process doesn’t exist in a vacuum—and, indeed, it’s the process more than the results that we’re interested in today.
Ultimately, we hope that cyber security can become so thoroughly integrated into the holistic software development lifecycle that it no longer makes sense to discuss it in these terms. This would potentially put businesses in a position to improve both quality and data protection by way of complementary techniques and strategies. Based on the statistics we’re going to share, however, it’s fairly obvious that that day is still a long way off.
89% of CEOs Treat Cyber Security as an IT Function.
This number is a sharp contrast to how most CEOs claim to think about security. Indeed, despite the fact that most corporate higher-ups believe that cyber security matters should start with the C-suite, the vast majority of businesses let the responsibility in this department—including budget decisions—devolve to the IT team. Of course, IT professionals often have multiple layers of management between themselves and the CEO, and documentation on solutions and best practices already implemented tends to be sparse. The result of this disconnect is that the left hand doesn’t know what the right is doing: if an executive wanted to create better alignment between DevOps and SecOps, say, they wouldn’t know where to start; while a player on the IT team hoping to gain buy-in for larger initiatives might face indifference or outright resistance from those who haven’t historically been in the loop.
87% Say They Need a Better Way to Measure Cyber Security Effectiveness
This stat comes from the same survey cited above, and it points us towards a similar inference: the most pressing challenge right now isn’t producing security compliance by brute force—rather, it’s getting the entire organization on the same page and giving different teams the tools to collaborate across touchpoints. The same survey also showed that nearly three-quarters of respondents faced major challenges due to a lack of meaningful metrics. Our suggestion would be to get the focus away from things like intrusion alerts and number of software updates, and instead establish KPIs that align security with core business goals. This can be as simple as tracking the overall change in time-to-market as you introduce new technologies and best practices, or tracking overall operational efficiency (OEE) in the SDLC stages that security touches.
3.5 Million Cyber Security Jobs Will Be Left Unfilled by 2021
This is according to “The SANS Institute 2015 State of Application Security Report,” which suggests that most developers right now don’t understand security, opting to leave most testing to siloed security teams. The result is that there’s a serious skills gap when it comes to finding people who can actually give security the attention it deserves throughout the SDLC. While developers tend to keep their focus on getting new releases out as quickly as possible, it’s getting harder and harder for businesses to find personnel who can help them to do so in a secure way. This is why something like application shielding can be such a valuable solution when it comes to integrating cyber security tactics into development projects. For better or worse, adding more security staff simply isn’t an easy option for most companies, which means that things like managed services and applications designed to give devs leeway on remediation are likely to become increasingly attractive options going forward. Like we said at the outset of this eBook, the best way to frame cyber security questions is around increasing time and flexibility, something that can often be best accomplished through external partnerships.
72% of CISOs Worry About Alert Fatigue
In other words, developers are getting bombarded with security alerts that they don’t necessarily have the time or know-how to deal with. This stat really drives home the idea that we introduced above: that many organizations don’t have the resources to deal with security monitoring and incident response in-house, and that a big piece of the Infosec puzzle going forward is going to be figuring out how to deal with this gap. Again, the developers with alert fatigue are often the same folks who take security seriously and want to give it the attention it deserves—but they simply don’t have time. Long story short, you need to find a way to give them control over their time and resource expenditures and ultimately put them in a position to deploy security best practices in a holistic, strategically-minded way, rather than scrambling to close bugs and fix business logic flaws.
1 in 4 companies say that delivering “security” is synonymous with delivering “quality”
Simply put, of all the statistics listed on this page, this is the one we’re most eager to change.
It’s easy to see from the other data reported above why most organizations would see security and quality as being orthogonal at best and opposed at worst. By changing the way we think about, deploy, and manage cyber security, it’s possible to create more alignment with “quality” and create new opportunities to leverage security into a source of added value, in addition to risk management. How do you make that happen? You start by selecting the right cyber security solution.
Moving from Dedicated Appliances to Cloud-Based WAAP
Of course, it’s not like you can simply wake up one morning and decide that you're going to rethink your security operations without a plan for actually maintaining and improving the security of your application. Luckily, application shielding technology has made it possible to actually cover your known vulnerabilities while you’re remediating them. Not only does this deal with alert fatigue and the skills gap, it also gives you the freedom with your time and resources necessary to create the kind of alignment between security and other concerns that’s so often lacking.
Taking advantage of this technology means that it’s time to put the days of dedicated network appliances like WAFs (web application firewalls) behind us. To truly lock down your web apps and APIs, keeping your organization’s data safe, you need to be using a cloud-based WAAP solution. Why?
- The ever-shortening SDLC (software development life cycle) means the time lag while a WAF is reconfigured to keep up is no longer tolerable. In that lag, any number of holes, backdoors, and exploits can be discovered and taken advantage of.
- Runtime protection has become crucial. Business logic flaws leave your data wide open to attack, and full code remediation can take weeks if not months. WAAP provides the security you need while you fix the bug right the first time, rather than releasing a band-aid patch that needs further work down the road.
- Scalability is key. With the ability to use a pay-as-you-go model, cloud-based solutions are eminently scalable. This model also brings a quicker deployment timetable, often a matter of days.
Again, with this kind of technology in place, you can begin to take a more strategic view of cyber security. You can ask yourself what the best organizational structure is for your security and development teams from a strategic perspective, and then actually implement that structure. Likewise, you can ask yourself how to better align security and quality—and then go out and make it happen.
Learn More About Intertec’s Managed Cyber Security Services
Intertec provides cutting-edge managed cyber security services based on sophisticated application shielding technology—helping global businesses to cut down on code remediation costs while preventing data breaches. Click here to learn more. Prefer a personal consultation? Go ahead and schedule a meeting with us here!