Effective Data Security Is A Team Effort

Effective data security is a fundamental requirement for every business today. In the past, the responsibility for achieving it was often laid firmly at the door of the IT team, but today, data security requires close communication between many different internal teams.

The central tenet of any effective security program is the ability to communicate up and down the command chain quickly and effectively, but this isn’t always easy to achieve. 

With more and more business taking place online, vulnerabilities in web applications are becoming increasingly problematic. The ability to identify and resolve issues fast can make the difference between keeping attackers out and potentially suffering significant data loss. Yet all too often, it is issues between parties within the command chain that slows down response times and prevents efficient security practices.

According to recent research, the average time it takes for critical website vulnerabilities to be found and remediated is 300 days, meaning the window for exploitation is significant. 

Closing these windows as fast as possible should be a top priority for every business, so how can the three key parties within the app security command chain (security professionals, senior leadership and DevOps) work together to speed up the security process and protect the organisation more effectively?

Security Professionals
The benefits of any application security program being fully realised without the direct involvement of the application development team is extremely low.  Security professionals have the unique opportunity to evolve the application security program by balancing risk, organisational maturity and business goals. 

Security data and analytics should be a security professional's best tools to drive and eventually evidence overall improvement in an organisations application security posture.
Using industry remediation rates as a baseline for improvement is a good way to enhance an organisation’s security posture, but it can be easier said than done. Few security professionals have the authority or power to directly influence the security of web applications under development in the DevOps team. 

As such, they need to skillfully position themselves as key development partners, using their knowledge of security analytics to add value to the process. Effectively doing so will allow them to ‘influence without authority.’

At the other end of the chain, it’s critical for security professionals to also keep the senior leadership team abreast of key events and developments taking place. Doing so will help to minimise any pressure from executives that feel out of the loop, while ensuring any pre-agreed timetables are met.

Senior leadership
Senior leadership teams across all industries must accept the fact that the clear majority of their business applications are at some degree of risk. Despite this, many still weigh up security as a risk vs cost exercise. 

If the perceived cost of finding and addressing a vulnerability is too high, they will often choose not to. This can be spectacularly shortsighted, particularly when the cost of reputational damage and data loss is factored into the equation.
Members of the senior leadership are ideally placed to change the way an organization’s DevOps and security teams approach software. Whether outsourced, purchased or developed in-house, nearly every piece of software is typically introduced with functionality and time-to-market as the top priorities. 

But if teams aren’t given the time they need to integrate new software properly, chances are they will end up introducing new security flaws at the same rate as older ones are being rectified; not an ideal situation.

If executives want to truly understand and protect against the security threats faced, they must invest the time needed to get to grips with their entire application landscape. 

Analytics can be used to help identify and prioritise the most business critical applications. Next, they must ensure the organisation’s security professionals have the tools they need to find vulnerabilities, while making sure development teams are held accountable for application security before they’re allowed to disengage from projects.

DevOps
When it comes to application security, the DevOps team have the hardest job of all. Actionable vulnerability data is rarely available during actual development cycles, meaning many security flaws only surface once an application has already gone live. 

Furthermore, due to time constraints imposed by senior leadership, DevOps teams are often confined to conducting security assessments at the last minute, just prior to release, which is far too late in the day to be effective.

DevOps teams need to work closely with security professionals and senior leadership to build security into the entire development lifecycle. Moving to a continuous integration process can help with this, as can the use of both dynamic scanning and source scanning throughout the development and implementation phases. It’s also the role of DevOps to demonstrate to senior leadership that a slightly longer development phase is far more preferable to repeating the entire process multiple times due to vulnerabilities only being discovered after release. However, this is only possible if both DevOps and security professionals can communicate effectively up the chain of command, without fear.

Delivering effective app security in today’s business environment can be extremely challenging. In order to achieve it, teamwork and communication throughout the command chain are both critical, so that the different groups involved can understand the various challenges and drivers faced at each level. 

From the business continuity and time-to-market concerns at the senior leadership level, to development and implementation issues within the DevOps teams, striking the right balance between everyone is the key to truly effective app security.

Information Management:        Image: Nick Youngson

You Might Also Read:

Cybersecurity Is A Job for CEOs, Not Just The IT Team:

Strategies For A Cyber Security Culture (£):

« IBM’s AI Can Argue With Humans
Cybersecurity Issues For Open Banking »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Digital Forensics Inc (DFI)

Digital Forensics Inc (DFI)

Digital Forensics Inc. is a nationally recognized High Technology Forensic Investigations and Information System Security firm

PhishLabs

PhishLabs

PhishLabs provides 24/7 services that help organizations protect against the cyberattacks targeting their employees, their customers and their brands.

Claroty

Claroty

Claroty was conceived to secure and optimize OT networks that run the world’s most critical infrastructures.

IdenTrust

IdenTrust

IdenTrust enables organizations to effectively manage the risks associated with identity authentication.

Tevora

Tevora

Tevora is a specialized management consultancy focused on cyber security, risk, and compliance services.

Cryptsoft

Cryptsoft

Cryptsoft provides key management and security software development toolkits based around open standards such as OASIS KMIP and PKCS#11.

Procsima Group

Procsima Group

Procsima Group was created to help you achieve good IT management and security excellence.

NGS (UK)

NGS (UK)

NGS (UK) Ltd are independent, vendor agnostic, next generation security trusted advisors, providing all-encompassing solutions from the perimeter to the endpoint.

Get Safe Online

Get Safe Online

Get Safe Online is a leading source of unbiased, factual and easy-to-understand information on online safety.

National CyberWatch Center - USA

National CyberWatch Center - USA

National CyberWatch Center is a cybersecurity consortium working to advance cybersecurity education and strengthen the national workforce.

Axur

Axur

Discover and eliminate digital fraud and risks on the web. Utilize Axur’s entire AI potential, along with thousands of bots dispersed throughout the surface web as well as the deep and dark web.

UTMStack

UTMStack

UTMStack is a Unified Security Management system that includes SIEM, Vulnerability Management, Network and Host IDS/IPS, Asset Discovery, Endpoint Protection and Incident Response.

Pires Investments

Pires Investments

Pires is building an investment portfolio of high-tech businesses across areas such as Artificial Intelligence, Internet of Things, Cyber Security and Augmented/Virtual Reality.

Protect AI

Protect AI

Protect AI is a cybersecurity company focused on AI & ML systems. Through innovative security products and thought leadership in MLSecOps, we help our customers build a safer AI powered world.

CertNexus

CertNexus

CertNexus is a vendor-neutral certification body, providing emerging technology certifications and micro-credentials for business, data, developer, IT, and security professionals.

Sectricity

Sectricity

As independent ethical hackers, Sectricity go beyond traditional security, uncovering every vulnerability - testing both systems and employees to eliminate weak spots.