Three Simple Steps To Effective Cybersecurity

The cybersecurity landscape can be difficult to navigate. From the outset, it can seem like a crowded place, with countless cybersecurity providers offering what appear to be incredibly similar solutions. There’s also the question of outsourcing vs in-house cybersecurity and the ramifications that accompany each choice.

Even once these details have been ironed out, a multitude of different factors must feed into an organisation's cybersecurity strategy.

As each organisation is unique in its IT infrastructure and tech stack, it’s understandable that each one would need to take a nuanced approach to cybersecurity. Despite this, there are three key steps that I’d recommend all organisations follow if they are to ensure effective cybersecurity protection.  

1. Shift left – Invest In DevSecOps
Security teams often don't have enough control over the application development life cycle. Companies are buying capabilities from hyperscalers and cobbling together apps with open source components, but they're not thinking about the seams where those components join. These organisations need a set of security policies that are established and implemented as code, so that they are applied consistently and automatically rather than by manual review.

By leveraging DevSecOps, organisations can ensure that security is incorporated far earlier in the software development lifecycle and is also a shared responsibility throughout the entire IT stack. Security should be considered a priority from day one, by everyone from the C-suite down to the developers writing the code.

In fact, developers are key to maintaining security throughout the software delivery lifecycle. Their approach to security must be consistent, meaning that it should be built into every line of code that’s written.

Providing developers with relevant training, together with open lines of communication with the security team, is the key ingredient needed to enable this.

2. Shift right – Prepare To Recover
Understand what your business-critical systems are and assume you will get hacked. How long can you afford to be down? And where will you pull back known-good data and system configuration from? Think within the context of where your data and services are and how to bring them back up again, in the order of priority in which they need to be recovered.

Though investment in prevention measures is still essential, it's naïve to imagine this will be 100% effective. No cybersecurity solution is perfect, as there will always be vulnerabilities. The conversation has moved past "how do we prevent an attack?" to "how do we survive one?". As a result, it would be foolish not to also implement a strong recovery process.

3. Level up – Simplify In The Middle
It's not uncommon for organisations to inadvertently acquire a convoluted or mismatched set of cybersecurity solutions. This is easily done, as new technology may have been hastily adopted in a reactive manner following a breach. Alternatively, security technology is often sold by vendors as part of technology packages that include a number of other capabilities, so it may not have been directly selected and purchased by the CISO. As a result, the CISO may inherit a disconnected security stack made up of different technologies that each target only a single or narrow use case.

An organisation is unlikely to be receiving the very best cybersecurity protection if its stack is built upon a non-complementary set of tools and services. 

Building a more resilient IT infrastructure is key to securing the overall organisation. It starts with a focus on integrating the (often numerous) tools and technologies and on the overall outcome, rather than fixing issues on a case-by-case basis. The easiest way to integrate the different technologies in a tech stack is to simplify it. CISOs need the opportunity to conduct a thorough 'spring clean' of their tech stack closet. Throughout the process, they must identify the key capabilities the organisation needs; everything beyond this can go.

Maintaining a healthy cybersecurity posture is not an easy task, as cyber attackers are consistently becoming more sophisticated and elaborate in their methods. However, it's by no means impossible. By following the principles outlined above, cybersecurity professionals can support a vigilant and agile approach at all times.

Allen Downs is Vice President, Security and Resiliency Services at Kyndryl

