Throughout 2021, global news seemed to ricochet between the rapid spread of new iterations of COVID-19 and cyber criminality — both becoming increasingly creative and disruptive as they mutate in a battle for survival; both interlinked as cybercriminals profit from rapid digitalization forced by COVID-19 lockdowns. In a recent interview, a prominent cybersecurity executive pointed out that alongside birth, death and taxes, the only other guarantee in our current lives is the exponential growth of digital threats.
Because security is not built into new technology from the ground up, cyber criminals quickly get a foothold and cause untold damage before we can catch up.
Much has been said about the cybersecurity skills shortage. Millions of cybersecurity positions are unfilled, and this is causing serious problems at many organizations. But the magnitude of the skills shortage is based on a specific model of doing security. This model is reactive rather than proactive and takes a labor-intensive, “brute force” approach to threat response. We need more bodies in cybersecurity because our methodology is to “throw more bodies at the problem.”
For example, rather than doing threat modeling and building strong, proactive controls as they develop an application, organizations scan for vulnerabilities, manually analyze the scans and manually remediate the problems — or else let the vulnerabilities accumulate. This consumes a lot of resources and ultimately does not leave an organization significantly safer than if it had done nothing.
Moving Beyond Brute Force
While most people may see the logic in moving beyond this scattershot approach, it has an incredibly strong gravitational pull. IT governance policies at many organizations require the use of antiquated security technology and processes when other approaches would provide better protection using fewer resources. At the same time, the rapidly evolving marketplace means that development teams face continual pressure to crank out applications even faster than they do today. This makes it easy to rush into development rather than taking the time to architect an application to be secure before coding even begins.
But what if we were to break from the gravitational pull of reactive security and refocus on what really matters? We could build security into new technologies as they are developed, rather than adding it as an afterthought. We could become consistent, prioritized, focused, structured and strategic in the use of people, processes and tools. We could help developers learn to write safer code by providing real-time feedback.
At the same time, we need to be making security more visible. If users had an idea which software was safer and which was less safe, they would choose accordingly. The White House issued an executive order in May that can potentially move us in this direction. For example, it requires software vendors to provide a “Software Bill of Materials,” something of an “ingredients list” for an application. We need dramatically more information about why we should believe something is secure before we trust it with important things — like elections, finances and healthcare, for example.
Proactive cybersecurity strategies aggregate a multitude of perspectives, which brings the benefit of innovation, problem-solving and consensus-building.
From the growing adoption of distributed cloud to the proven benefits of remote mobile workforces, the attack surface for bad actors is ever-widening. This means the requirements for network security have also evolved with the growing threats of increasingly distributed systems.
Security should not take a backseat to innovation in digital businesses. Of course, innovation and speed will require businesses to build secure systems, which means we can no longer afford to implement security only at the service level. We need to apply adaptable solutions from the architecture level that will change with digital business requirements.
See how Soffid can help you stay ahead of the curve in a rapidly evolving digital world. Let us know how we can help you
(2) Information Week