This month marks the 17th anniversary of National Cybersecurity Awareness Month (NCSAM), a joint effort between industry, government and the public to raise awareness about the importance of keeping sensitive information safe and secure online. Sixteen years is a long time. If NCSAM were a teenager, it would be allowed to drive in most states! And like proud parents of teenagers everywhere, we are both amazed at how much has changed to encourage a culture of shared security responsibility and concerned about the maturing still to come.
The theme of NCSAM’s 2020 campaign is “Do Your Part. #BeCyberSmart,” recognizing that the line between online and offline has essentially disappeared. It focuses on accountability and proactive behavior, with an emphasis on the key message for 2020:
So this Halloween season, we’re exploring the deepest, darkest corners of cyberspace in our NCSAM blog series. From cyber spooks and digital demons to deathly data breaches and compliance concerns, many of the risks we face today can be vanquished by some good-old-fashioned vigilance and know-how.
When Security Makes You Scream
What was one of the most egregious corporate cybersecurity sins of the past year? Tales of hyper-growth, where organizations amass troves of sensitive customer information but still manage to leave security programs behind and vulnerable. Stories of complicated vendor ecosystems, hidden application vulnerabilities and incomplete security oversight have left users trembling. We know insider threats are the worst. This is particularly true as teams, laser-focused on speed, adopt new tools in an autonomous and localized way, causing shadow IT to proliferate across digital environments outside of security’s control. As we know, a well-intentioned developer using an unsanctioned tool to get work done faster is still a potential threat.
Perhaps most horrifying are stories of companies and people choosing to ignore warning signs, skip important security steps in the name of speed, sweep data breaches under the rug or give up on cybersecurity altogether—without considering the consequences. Too many of these stories involve software security shortcomings. The time is now to rethink the approach—to think more holistically. We can’t continue to bolt on new (but myopic) tools that don’t communicate or collaborate while adding new burdens atop already overburdened security teams. It’s an unsustainable recipe for disaster that will ultimately crush your competitive edge and leave you alone in the dark. A modern era requires a fresh mindset and a more unified, centralized approach to security, one that bridges the cultural gap between AppSec and DevOps with a more collaborative mindset.
What’s Keeping Cybersecurity Pros Up at Night
In the rush to digitally transform, organizations are moving workloads to the cloud, adopting new technologies and expanding third-party networks to enhance their offerings as if someone were chasing them. AppSec professionals are struggling to even keep track of the assets they need to secure, let alone effectively secure them. Without a clear and comprehensive view of risk, they’re constantly looking over their shoulders, ready for an unnamed but always looming threat to emerge from the shadows. Making matters worse, since speed is the name of the game, software is developed and shipped faster than ever before—often at the expense of proper security.
There are new and emerging threats that keep organizations up at night—such as growing attacks on popular open source programming libraries. As organizations of all sizes embrace CI/CD and agile methodologies, their reliance on open source code grows. Yet despite its many benefits, open source presents new and frightening risks to enterprise security in the form of rampant unpatched software vulnerabilities. Unlike users of commercial software, which can be automatically patched and updated, open source users must keep track of vulnerabilities and manage their updates manually. Given the ubiquity of open source, this is a truly scary and daunting task for security teams. Tools that can orchestrate and automate the discovery of software bugs, flaws and vulnerabilities across open source components, applications and infrastructure can help teams enhance application security and significantly improve programs—while embracing open source with confidence.
What Nightmares Are Made Of
If you do end up falling asleep at night, these stats are sure to haunt your dreams. In the U.S. alone, over 300,000 cybersecurity positions remain open, prompting a top DHS official tasked with protecting critical infrastructure to recently declare the shortage a “national security threat.” Forced to fill the gaps and juggle an ever-expanding set of disparate tools, security teams are overworked, overtired and overstressed.
It’s time to take on the monster in the room by shifting from awareness to action. Prioritize your people by creating a culture of well-being that emphasizes self-care and work-life balance, providing in-house education and doubling down on cybersecurity recruiting efforts to find the right people to help lighten the load. But don’t stop there. Commit to new approaches that automate and orchestrate processes and empower your security team to scale and amplify their efforts—without adding complexity or sacrificing speed.
Zinger Halloween Tips for the Cybersecurity Mind
To stay on the right path, security must remain at the forefront of conversation and play a role in all business decisions. To do this, security leaders must change their approach to communicating with executive teams and boards, moving away from scare tactics and F.U.D. (fear, uncertainty and doubt) to speaking the language of the business. This means building a strong case by focusing on business value and outcomes, creating a strategy that aligns with business goals, implementing frameworks to better quantify business risk in dollars and cents (e.g., the FAIR model) and devising a realistic roadmap with defined milestones and metrics.
Don’t try to outrun the bogeyman by cutting corners and choosing speed over security and compliance—particularly when it comes to securing the dynamic software development life cycle. Conversely, don’t get scared stiff and end up with “analysis paralysis.” Focus on the fundamentals first. Are you following basic cybersecurity hygiene practices, such as patching software, managing new installs, changing passwords, limiting users, backing up data and employing a cybersecurity framework to protect your applications and infrastructure? Embrace DevSecOps by aligning security, operations and development teams to collectively identify and prioritize risks, tackle the most critical first and then expand to new areas over time. Remember—cybersecurity is an ongoing journey, not a final destination.
Stay safe out there, cybersecurity comrades, for the night is dark and full of terrors.