Losses due to cyber security lapses have been in the hundreds of millions of dollars every year since at least 2014—but in that time, how much positive value has strong cyber security produced for global enterprises? It might seem like an odd question, given that we usually frame things like penetration tests and WAFs (web application firewalls) in terms of risk and loss mitigation, but isn’t it possible that a secure, protected web presence built on real InfoSec best practices can do more than just prevent hacks and data breaches?
In point of fact, it can. While it’s difficult to provide a quantitative measurement in this department, the benefits of the right cyber security solution, service, or framework can extend well beyond the prevention of costly breaches. It can be a driver of improved coordination between DevOps and SecOps, it can prevent slowdowns in time-to-market, and it can ultimately reduce internal disruptions in support of larger strategic initiatives. The only question is: what is the “right” way to approach cyber security to reap these rewards?
Does Cyber Security Have to Be a Stumbling Block?
A few years ago, almost half of business leaders polled said that they hadn’t invested in cyber security in the last year. Given the obvious importance of staving off data breaches, phishing scams, business email compromise, and the like, this gap is a little bit shocking. And yet, even today more than half of businesses say that they don’t have the resources or the knowledge to develop a robust cyber security strategy. As such, the specter of InfoSec looms above businesses that don’t necessarily have a handle on what it means—they think of it as an onerous requirement to be put off and procrastinated on, rather than a source of strategic value and a useful planning tool.
This thinking is understandable, but it also creates an environment in which security is thought of as being at odds with agility, responsiveness, and growth. From the outside, these precautions appear to slow things down and ultimately act as a stumbling block to operations. And, to be sure, there’s an element of that present in some of the solutions currently on the market. Web application firewalls, for instance, can be useful for filtering out malicious HTTP traffic, but they have a tendency to slow your website down, which can be detrimental to traffic and conversions. But not everything falls into this category—in fact, if you know where to look, it’s possible to find solutions that will actually improve webpage performance via compression, bringing both security and the potential for increased conversions.
The Power of Application Shielding for Protecting Your Endpoints
We don’t want to leave you in suspense, so we’ll say upfront that AI-powered application shielding is one of the technologies we alluded to above with the power to improve website performance. This kind of technology takes the basic premise of a WAF (setting rules about web traffic in order to cover known vulnerabilities and weaknesses in your app) and improves upon it. How?
- Because shielding solutions of this kind can maintain an application state, they’re able to protect against a much wider array of known attacks than WAFs can.
- Not only that, but they can do so without creating a glut of false positives (or false negatives, for that matter). Since these false positives are among the reasons that WAFs can slow your system down, the increased accuracy with which the system creates rules for HTTP traffic can be a huge boon.
- Thus, for all of your known vulnerabilities, you could rely on the shielding technology to protect your systems at the relevant endpoints—without you or the shielding system having to touch a single line of code on your own servers.
This last facet of the shielding technology under discussion is particularly critical. Since the protections it offers effectively alleviate the pressure to remediate code (for legacy code that can’t be remediated, it even removes the pressure to modernize existing codebases), you’re able to keep your systems protected during what can often be drawn-out, months-long bug fixes. This isn’t just a matter of reduced time pressure—rather, it puts businesses in a position to take a more holistic, strategic view of their application’s codebase, and address different flaws or bugs in the way that makes the most business sense.
As you can imagine, having the freedom to do so can provide a number of real strategic advantages.
Strategic Advantages of Cyber Security
Okay, let’s say you’ve got a new product release scheduled for the middle of next month. You’ve aligned your offering with new and emerging market data—you’re as confident as can be that your new rollout will speak to your existing users, and it may even help you gain some new ones. Your developers have been hard at work, and as the release date approaches everyone’s feeling at least a little stress. From a strategic perspective, which position would you rather be in?
- In one scenario, you have very little formal cyber security infrastructure in place outside of your SecOps team. Once your DevOps team has gotten their end of the new offering up and running, they hand it over to SecOps, who hopefully don’t find anything glaringly wrong. If they do find something, you run the very real risk that you’ll have to delay your release while you remediate, or ship a product that isn’t secure—basically a no-win situation.
- On the other hand, if cyber security is integrated into your infrastructure and your planning process, your DevOps teams can work with the confidence that any potential software issue can be shielded upon release and then remediated later. Here, instead of slowing down release schedules and putting up barriers, SecOps can take a strategic approach to code remediation and other security matters. They can even work hand in hand with DevOps throughout the development process to optimize your app from an InfoSec perspective.
In all likelihood, given the choice between the two options above, you’d say that the second one puts your business in the best strategic position. Not only are any potential vulnerabilities being covered by the shielding technology, but you’re in charge of your own release schedule—meaning that you can speed up time-to-market and decrease the potential for disruptions.
DevOps vs SecOps
Once you’re able to generate strategic plans with the knowledge that security lapses aren’t going to throw everything out of whack at the last second, you can obviously improve on any number of KPIs related to speed-to-market and OOE (overall operational efficiency). But that’s not all. You can leverage these tactical advantages into more cohesive and value-additive processes overall. While the scenario we sketched out above, where cyber security precautions were restricted and siloed, essentially pitted SecOps and DevOps against one another, the alternate path gives you the power to integrate those processes. The result is that your development processes can become more security-conscious overall, and your security engineers can become a bigger part of the design and implementation process (since they’re no longer relegated to scrambling to find security flaws and prevent problematic releases).
In this way, you can begin to break down silos and build out processes that let your people do what they do best—for development teams, this means responding to customer problems and strategic initiatives in a flexible, responsive way; for security experts, this means offering guidance throughout the entire development process, in order to continually improve app performance. Crucially, these resources are now freed up to be used in whatever way best fits the current objectives. Rather than being beholden to long and complex remediation processes and hair-on-fire release schedules, you can take a long view that incorporates changing conditions and capacity needs. The best part is that all the while you’re covered when it comes to any and all known vulnerabilities.
How to Implement the Right Cyber Security Framework
Okay, we’ve seen the way that cyber security—far from being a drain on company resources or an unfortunate fact of life—can actually add value from a strategic planning perspective. It accomplishes this by offering you a modicum of planning certainty—there’s no reason to push back a release because of security concerns if you have a security solution that can cover those issues until there’s time to remediate—which you can then leverage into improved coordination across functions. The question is: how do you implement the right cyber security framework to make this a reality?
As we alluded to above, automation is your friend here. AI-powered application shielding technology that can truly cover your endpoints and prevent known attacks is a good place to start. Because the goal here is to speed up operations, rather than letting things get bogged down, you’ll also want something that’s as close as possible to a turnkey installation. While most WAFs and other similar solutions require extensive and complex installation and maintenance (which can put you right back where you started), it is possible to find solutions for which that’s not the case. Often, those will involve some element of management on the part of a vendor. With that management in place, you can skip any sort of laborious installation and maintenance workflows and spend your time and resources on more value-additive tasks.
By combining endpoint protection with managed cyber security services in this way, you can completely rethink the role that security plays in your project management and product development processes. Over time, the impact of this added flexibility can multiply, putting you in a position to execute your strategic initiatives more effectively than ever before.
Learn More About Intertec’s Managed Cyber Security Services
Intertec provides cutting-edge managed cyber security services based on sophisticated application shielding technology—helping global businesses to cut down on code remediation costs while preventing data breaches.