In today’s security world, resources are like gold. The skilled people and technological tools, not to mention the money it takes to keep them running, are critical to keeping business afloat—and yet, they are often in short supply compared to the ever-growing demand for better performance. And because driving productivity and efficiency remains the goal—without sacrificing security, of course—it is essential that CISOs find new ways to squeeze the most out of every dollar they have; otherwise, valuable resources and precious opportunities are lost. As a result, it is more important than ever that decision makers and executives within an organization continue to look for creative, smart ways to maintain the vision and strategy of their work while still keeping a practical eye on security resources.
The objective of how to drive productivity and efficiency across a security organization brings up a lot of questions, many of which do not have simple answers. But any CISO worth their salt must understand how to address them with education, pragmatism and a solid dose of creativity. The first step in the process is not to ask questions, but to ask the right questions, ones that will lead executives and their teams towards solutions and tools that work. Here are just a few to consider:
Are you gaining cost and resource efficiency from your tools?
If the answer is no, it’s time for a mental update and some new strategies for securing your business. With regard to AppSec tools—and all security efforts, for that matter—it’s important to “practice what you preach,” which means you should have the ability to do more than just run a scan on your system; you should have continuous auditability over all the activities your value streams are conducting, including each of your development pipelines. This level of visibility into the pipeline offers information that is accurate, immediate and tailor-made for board or compliance reporting.
Equally important, the avalanche of information produced through the scan process should not hinder efficiency but rather make correlation, normalization and centralization easier—otherwise, findings cannot be properly scored and prioritized against your organization’s risk model and against industry-standard measures. As CISO, you should be able to say, “Great, these pipelines are applying these controls and here is the data that was generated as a result.” If you currently do not have this level of control over your operational metrics, it’s entirely possible you are not getting what you need from your scan tools—and more importantly, your security posture is not improving.
How can I gain the most productivity from my teams?
Even the most cross-functional organizations are structured into teams and business units. And when it comes to security teams, most would say they have more to do than they have time to do it. This means they need to complete tasks in a way that impacts their organizational goals without wasting time or resources. Security teams should be working with a clear sense of priorities and how their work affects the overall posture at any given moment, which means they need information, visibility and control at their fingertips. Deployed artifacts and their operational behaviors must be tied back to the pipelines, code bases and people that created them. This allows Dev and Ops to truly form DevSecOps because they are able to conduct a more meaningful and accurate conversation about how to mitigate risk. Putting information and control back in the hands of your teams means less overhead from a management standpoint and more operational ease.
How can you address vulnerabilities that create risk?
On average, about 10 percent of detected vulnerabilities are actually remediated. This means looking at security holes with the know-how to address them is critical. Although vulnerability management can sometimes feel like a hopeless endeavor, there are a few key strategies for adopting the most effective “risk-based approach” possible. First, prioritize and take a more holistic view. Vulnerability discovery tools are often highly fragmented, as each focuses on a sliver of the stack (host, network, software, OSS or container security), which means there’s more action to be taken on the part of executives.
- Cut out the junk. Make sure your vulnerability tools are not reporting a ton of security issues that don’t really matter!
- Normalize finding scores. The Common Vulnerability Scoring System (CVSS) offers a way to capture the main characteristics of a vulnerability and produce a numerical score indicating severity. Supporting CVSS means collecting scoring input from findings and asset information provided by different tools working in different phases of the SDLC.
- See it all. Gaining a holistic view of risk involves more than just correlating SAST and DAST results, primarily because each discovery technique only finds about 5-20 percent of existing vulnerabilities. By tracking software and infrastructure through their lifecycles, while collecting and relating vulnerability discovery data, organizations can gain a holistic view with context of the full application and its operating environment.
- Have proof of remediation. Confidence comes from knowing your security issues have been identified and addressed at the pace of business, something every CISO can appreciate.
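The four points above, together with the earlier call for correlation, normalization and centralization of scan output, describe one pipeline: score every finding on a common scale, merge what different tools say about the same asset, drop what falls below the organization's risk threshold, and prove that yesterday's findings are gone today. The script below is an added example, not code from the original article or from any product. The scanner names, asset names, pipeline IDs and finding records are constructed; the only real standard it implements is the CVSS v3.1 base-score formula, and the mapping of a tool's severity word to the lower bound of the corresponding CVSS qualitative band is an assumed policy choice.

```python
"""Normalize, correlate and track vulnerability findings from heterogeneous tools.

Constructed example: the tool names, finding records and pipeline IDs below are
illustrative, not output of any real scanner.
"""
import math

# CVSS v3.1 base-metric weights, as published in the specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

# Assumed policy: a tool that reports only a severity word is mapped to the lower
# bound of the matching CVSS v3.1 qualitative band (Critical 9.0, High 7.0, ...).
SEVERITY_FLOOR = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 0.1, "info": 0.0}


def _roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done in integers to avoid FP drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector):
    """Compute the CVSS v3.1 base score from a vector string such as 'CVSS:3.1/AV:N/AC:L/...'."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


def normalize(finding):
    """Return a copy of the finding carrying one 'score' field on the CVSS 0-10 scale.

    A CVSS vector, when the tool provides one, wins over the tool's own severity word.
    """
    if "vector" in finding:
        score = cvss31_base_score(finding["vector"])
    else:
        score = SEVERITY_FLOOR[finding["severity"].lower()]
    return {**finding, "score": score}


def correlate(findings, min_score=4.0):
    """Merge findings that name the same asset and weakness, keep the highest score,
    record which tools and pipelines saw it, and drop anything below min_score
    (the 'cut out the junk' threshold; 4.0 = bottom of the CVSS Medium band, assumed)."""
    merged = {}
    for f in map(normalize, findings):
        key = (f["asset"], f["id"])
        entry = merged.setdefault(key, {"asset": f["asset"], "id": f["id"], "score": 0.0,
                                        "tools": set(), "pipelines": set()})
        entry["score"] = max(entry["score"], f["score"])
        entry["tools"].add(f["tool"])
        entry["pipelines"].add(f["pipeline"])
    return sorted((e for e in merged.values() if e["score"] >= min_score),
                  key=lambda e: -e["score"])


def remediated(previous, current):
    """Proof of remediation: correlated findings present in the previous view but absent now."""
    now = {(e["asset"], e["id"]) for e in current}
    return sorted((e["asset"], e["id"]) for e in previous if (e["asset"], e["id"]) not in now)


# Constructed sample input: two tools flag the same SQL-injection weakness in one service,
# a DAST tool flags reflected XSS in another, and a container scan adds a low-value note.
SCAN_1 = [
    {"tool": "dast", "asset": "web-api", "id": "CWE-89", "pipeline": "api-build",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"tool": "sast", "asset": "web-api", "id": "CWE-89", "pipeline": "api-build", "severity": "High"},
    {"tool": "dast", "asset": "portal", "id": "CWE-79", "pipeline": "portal-build",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},
    {"tool": "container-scan", "asset": "portal", "id": "LIB-OUTDATED", "pipeline": "portal-build",
     "severity": "low"},
]
# Next build: the SQL-injection finding no longer appears in any tool's output.
SCAN_2 = [f for f in SCAN_1 if f["id"] != "CWE-89"]

if __name__ == "__main__":
    before, after = correlate(SCAN_1), correlate(SCAN_2)
    for e in before:
        print(f"{e['score']:4.1f}  {e['asset']:8}  {e['id']:12}  seen by {sorted(e['tools'])}")
    print("remediated since last scan:", remediated(before, after))
```

Running it prints the prioritized view for the first scan (the SQL-injection finding at 9.8, reported by both tools, then the XSS at 6.1; the low-value container note is filtered out) and then lists the SQL-injection finding as remediated once the second scan no longer contains it. The "seen by" column is exactly the board-level evidence the article asks for: which pipelines applied which controls, and what those controls found.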
As CISO, your position is vital to the security and success of your business. While this role was once defined pretty narrowly, digital transformation in just the past five years has pushed this role from one of security administration to high-level risk management. And the time is now to assume these evolving responsibilities with renewed vigor and knowledge.