These 4 Tips Will Make You Fluent in Cyber Risk


Publish Date: Nov 25, 2019

Written by: ZeroNorth

Tagged with: DevSecOps

Understanding the Security Gap

According to a recent report by the Advanced Cyber Security Center, 91% of organizations say their boards believe cybersecurity presents some level of business risk. However, 64% of those respondents also agreed the role of their company’s board in digital transformation initiatives is an early-stage or maturing partnership. These numbers highlight a significant gap and demonstrate just how far many companies have to go to reach a full partnership, a finding also echoed in a recent survey by ZeroNorth.

The ACSC defines this relationship as being “well-versed in the digital agenda, cyber risks and priorities; informed about the overall IT and related investments required to move to next generation; the state of more secure systems and provides valuable feedback in their meetings with you.”

With cyber risk clearly on their minds, the question is, why are these companies slow to build a risk-aware culture? Certainly not because top executives aren't tech-savvy. In fact, the 2018 Digital Transformation Index from Futurum Research found that almost half of companies report their digital transformation initiatives are being led by the CEO or board of directors. So, it's not a leap to assume these businesses understand the impact of digital transformation on their overall security and risk posture. What they may need is a reminder of the four key things necessary to close this gap and build a transformative culture equipped to proactively manage cyber risk:

1. Create a consistent, organization-wide cyber risk framework.

Cyber risk, no longer contained within the IT realm, can hide almost anywhere in a digital organization, creating security vulnerabilities and regulatory compliance problems. That’s a lot of systems and data scattered across the company to monitor and protect. And, in many cases, there may even be different controls in place for different teams, functions and locations. Even if you could 100% bulletproof one part of the business, customers and the world at large won’t care if a breach happens in a different area.

Remember, implementing consistent and comprehensive controls across an organization doesn't require a complete overhaul or a militant deployment of one single tool or approach; both are impractical. Instead, organizations need to create a standard framework for understanding and managing application and infrastructure risk throughout the organization. Rather than ripping and replacing, this effort is about orchestrating existing controls, providing visibility into vulnerabilities and prioritizing the remediation that is actually required. A standard cyber risk framework creates a consistent "language" that enables everyone across the enterprise to understand, communicate and address security and compliance risks.

2. Provide real-time visibility into cyber risk.

To manage cyber risk, you must be able to see it. Once a standard cyber risk framework is in place, a closed-loop process for discovering, prioritizing and remediating vulnerabilities in a timely manner is critical. Because IT and development architectures are complex, particularly where microservices are being used in a lightning-fast environment of innovation, "timely" means in real time. And visibility has to be provided to the right people at the right time: development and IT teams need granular details to investigate and address issues within their purview; risk managers must be able to validate remediations made across the board; and executives and boards demand a strategic view into the overall security posture and risk profile of their organization.

3. Integrate—don’t layer on—security across operations.

Many organizations have adopted a DevOps model to increase agility and flexibility while accelerating time to market, both of which are critical for supporting digital transformation. But security and risk can't be treated as a separate component of the effort; they must be fully integrated across the entire DevOps process. This type of secure DevOps, or DevSecOps, approach enables organizations to fuel innovation while still treating cyber risk as a priority. Again, orchestration is one of the two key components to integrating security and risk controls into DevOps workflows without creating additional complexity or delays.

4. Automate.

The second key component of an agile DevSecOps practice that supports delivery timeframes is automation. Continuous integration and continuous delivery (CI/CD) require continuous application and infrastructure testing, and that testing is labor-intensive. Adding to the challenge is the fact that the different tools you employ across different parts of the business work differently and have their own ways of categorizing, scoring and presenting results. Collecting, consolidating and correlating that data by hand adds further delays and can even introduce errors into the process. When automation is combined with orchestration, DevSecOps can scale vulnerability testing across the entire enterprise, speed execution and centralize management of the disparate testing tools, thereby reducing complexity.
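The "consolidating and correlating" step that tips 2 and 4 describe is concrete enough to show in code. The following is an added example, not code from the original post or from any ZeroNorth product: it takes the output of two hypothetical scanners with incompatible result formats (one reports word severities, the other CVSS scores), normalizes both into one schema with a common severity scale, de-duplicates findings that describe the same issue at the same location, and returns a single prioritized list that a risk manager or dashboard could consume. The tool output formats, rule names, package names and advisory identifiers are all constructed for the example.

```python
"""Normalize and correlate findings from two hypothetical scanners.

Added example (not the original post's code). Both input formats, the
package names and the advisory identifiers below are constructed.
"""
import json

# Constructed sample output of a hypothetical SAST tool: word severities,
# CWE numbers, and (deliberately) a duplicated finding, as tools often emit
# when the same sink is reached by two paths.
SAST_OUTPUT = json.dumps({
    "results": [
        {"rule": "sql-injection", "cwe": 89, "file": "app/db.py", "line": 42, "severity": "High"},
        {"rule": "weak-hash", "cwe": 328, "file": "app/auth.py", "line": 17, "severity": "Medium"},
        {"rule": "sql-injection", "cwe": 89, "file": "app/db.py", "line": 42, "severity": "High"},
    ]
})

# Constructed sample output of a hypothetical dependency (SCA) scanner:
# numeric CVSS scores and made-up advisory ids, no severity words at all.
SCA_OUTPUT = json.dumps({
    "vulnerabilities": [
        {"package": "libexample", "version": "1.4.0", "advisory": "ADV-EXAMPLE-1",
         "cvss": 9.1, "manifest": "requirements.txt"},
        {"package": "otherlib", "version": "1.0.0", "advisory": "ADV-EXAMPLE-2",
         "cvss": 5.3, "manifest": "requirements.txt"},
    ]
})

# The common "language" of the framework: one ordered severity scale.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def cvss_to_severity(score):
    """Map a CVSS v3 base score to the qualitative rating bands
    (None/Low/Medium/High/Critical) used by the CVSS specification."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


def normalize_sast(raw_json):
    """Translate the hypothetical SAST format into the common schema."""
    findings = []
    for r in json.loads(raw_json)["results"]:
        findings.append({
            "source": "sast",
            "severity": r["severity"].lower(),
            "category": f"CWE-{r['cwe']}",
            "location": f"{r['file']}:{r['line']}",
            "title": r["rule"],
        })
    return findings


def normalize_sca(raw_json):
    """Translate the hypothetical SCA format into the common schema."""
    findings = []
    for v in json.loads(raw_json)["vulnerabilities"]:
        findings.append({
            "source": "sca",
            "severity": cvss_to_severity(v["cvss"]),
            "category": v["advisory"],
            "location": f"{v['manifest']}:{v['package']}@{v['version']}",
            "title": f"{v['advisory']} in {v['package']}",
        })
    return findings


def correlate(findings):
    """Merge findings that describe the same issue at the same location.

    The merged record keeps the highest severity reported, counts how many
    raw results it absorbed, and records which tools reported it. The result
    is sorted by severity (highest first), then by location for stability.
    """
    merged = {}
    for f in findings:
        key = (f["category"], f["location"])
        if key not in merged:
            merged[key] = dict(f, sources={f["source"]}, count=1)
            continue
        m = merged[key]
        m["count"] += 1
        m["sources"].add(f["source"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
            m["severity"] = f["severity"]
    return sorted(merged.values(),
                  key=lambda m: (-SEVERITY_RANK[m["severity"]], m["location"]))


def prioritized_findings():
    """Run both normalizers over the constructed inputs and correlate."""
    return correlate(normalize_sast(SAST_OUTPUT) + normalize_sca(SCA_OUTPUT))


if __name__ == "__main__":
    for f in prioritized_findings():
        print(f"{f['severity']:<8} {f['category']:<14} x{f['count']} "
              f"{sorted(f['sources'])} {f['location']}")
```

Running the script prints four rows instead of the five raw results: the duplicated SQL-injection finding collapses into one record with a count of 2, the 9.1 CVSS advisory lands on top as "critical", and the two "medium" findings sit together even though one tool said "Medium" and the other said 5.3. The correlation key (category plus location) is the design decision that matters; a key that is too coarse hides distinct issues, while one that includes tool-specific fields (rule names, scanner run ids) never merges anything across tools.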

Factor Cyber Risk into Your Digital Transformation Efforts

Digital transformation can bring big business rewards, but it also increases your cyber risk; it’s just a fact of life. So, if digital transformation is a strategic, executive or board-level initiative at your company, then cyber risk must be a strategic, executive and board-level concern that’s operationalized throughout the entire organization.
