Effective Data Security Is A Team Effort

Effective data security is a fundamental requirement for every business today. In the past, the responsibility for achieving it was often laid firmly at the door of the IT team, but today, data security requires close communication between many different internal teams.

The central tenet of any effective security program is the ability to communicate up and down the command chain quickly and effectively, but this isn’t always easy to achieve. 

With more and more business taking place online, vulnerabilities in web applications are becoming increasingly problematic. The ability to identify and resolve issues fast can make the difference between keeping attackers out and potentially suffering significant data loss. Yet all too often, it is issues between parties within the command chain that slows down response times and prevents efficient security practices.

According to recent research, the average time it takes for critical website vulnerabilities to be found and remediated is 300 days, meaning the window for exploitation is significant. 

Closing these windows as fast as possible should be a top priority for every business, so how can the three key parties within the app security command chain (security professionals, senior leadership and DevOps) work together to speed up the security process and protect the organisation more effectively?

Security Professionals
The benefits of any application security program being fully realised without the direct involvement of the application development team is extremely low.  Security professionals have the unique opportunity to evolve the application security program by balancing risk, organisational maturity and business goals. 

Security data and analytics should be a security professional's best tools to drive and eventually evidence overall improvement in an organisations application security posture.
Using industry remediation rates as a baseline for improvement is a good way to enhance an organisation’s security posture, but it can be easier said than done. Few security professionals have the authority or power to directly influence the security of web applications under development in the DevOps team. 

As such, they need to skillfully position themselves as key development partners, using their knowledge of security analytics to add value to the process. Effectively doing so will allow them to ‘influence without authority.’

At the other end of the chain, it’s critical for security professionals to also keep the senior leadership team abreast of key events and developments taking place. Doing so will help to minimise any pressure from executives that feel out of the loop, while ensuring any pre-agreed timetables are met.

Senior leadership
Senior leadership teams across all industries must accept the fact that the clear majority of their business applications are at some degree of risk. Despite this, many still weigh up security as a risk vs cost exercise. 

If the perceived cost of finding and addressing a vulnerability is too high, they will often choose not to. This can be spectacularly shortsighted, particularly when the cost of reputational damage and data loss is factored into the equation.
Members of the senior leadership are ideally placed to change the way an organization’s DevOps and security teams approach software. Whether outsourced, purchased or developed in-house, nearly every piece of software is typically introduced with functionality and time-to-market as the top priorities. 

But if teams aren’t given the time they need to integrate new software properly, chances are they will end up introducing new security flaws at the same rate as older ones are being rectified; not an ideal situation.

If executives want to truly understand and protect against the security threats faced, they must invest the time needed to get to grips with their entire application landscape. 

Analytics can be used to help identify and prioritise the most business critical applications. Next, they must ensure the organisation’s security professionals have the tools they need to find vulnerabilities, while making sure development teams are held accountable for application security before they’re allowed to disengage from projects.

DevOps
When it comes to application security, the DevOps team have the hardest job of all. Actionable vulnerability data is rarely available during actual development cycles, meaning many security flaws only surface once an application has already gone live. 

Furthermore, due to time constraints imposed by senior leadership, DevOps teams are often confined to conducting security assessments at the last minute, just prior to release, which is far too late in the day to be effective.

DevOps teams need to work closely with security professionals and senior leadership to build security into the entire development lifecycle. Moving to a continuous integration process can help with this, as can the use of both dynamic scanning and source scanning throughout the development and implementation phases. It’s also the role of DevOps to demonstrate to senior leadership that a slightly longer development phase is far more preferable to repeating the entire process multiple times due to vulnerabilities only being discovered after release. However, this is only possible if both DevOps and security professionals can communicate effectively up the chain of command, without fear.

Delivering effective app security in today’s business environment can be extremely challenging. In order to achieve it, teamwork and communication throughout the command chain are both critical, so that the different groups involved can understand the various challenges and drivers faced at each level. 

From the business continuity and time-to-market concerns at the senior leadership level, to development and implementation issues within the DevOps teams, striking the right balance between everyone is the key to truly effective app security.

Information Management:        Image: Nick Youngson

You Might Also Read:

Cybersecurity Is A Job for CEOs, Not Just The IT Team:

Strategies For A Cyber Security Culture (£):

« IBM’s AI Can Argue With Humans
Cybersecurity Issues For Open Banking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Aves Netsec

Aves Netsec

Aves is a deceptive security system for enterprises who want to capture, observe and mitigate bad actors in their internal network.

Resolver

Resolver

Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of security risk and compliance events from occurring.

NT Cyfence

NT Cyfence

CAT Cyfence is the IT Security services business unit of CAT Telecoms.

Bird & Bird

Bird & Bird

Bird & Bird is an international law firm with a focus on helping organisations being changed by technology and the digital world. Areas of expertise include cyber security.

Cycuity

Cycuity

Cycuity (formerly Tortuga Logic) is a cybersecurity company that is transforming the way we secure silicon with comprehensive hardware security assurance.

Swarmnetics

Swarmnetics

Swarmnetics helps customers discover hard-to-find software vulnerabilities by hacking your system before the bad guys do.

Tetra Tech

Tetra Tech

Tetra Tech is a cybersecurity leader with extensive experience in supporting enterprise-wide programs and systems across multiple business lines from industrial control systems to health IT.

Cado Security

Cado Security

Cado Security is pushing digital forensics, and cyber incident response to the next level with an incident response software platform and specialist consulting services.

Digital Boundary Group (DBG)

Digital Boundary Group (DBG)

Digital Boundary Group (DBG) is an information technology security assurance services firm providing information technology security auditing and compliance assessment services to clients worldwide.

Dataprise

Dataprise

Dataprise is a leading IT managed services provider offering IT Management and Help Desk Support Services, Cloud Services, Information Security Solution, IT Strategy and Consulting.

NANDoff Data Recovery

NANDoff Data Recovery

NANDoff is a flat rate data recovery service. We serve the electronics industry around the globe 24/7.

Schneider Downs

Schneider Downs

Schneider Downs & Co. provides accounting, tax and business advisory services through innovative thought leaders who deliver their expertise to meet the individual needs of each client.

TatvaSoft

TatvaSoft

TatvaSoft is a custom software development company delivering business IT solutions and related services to customers across the globe.

North Green Security

North Green Security

North Green Security is a UK-based cyber security training and consultancy company.

QEDIT

QEDIT

QEDIT is leading the standardization of Zero-Knowledge Proofs through the ZKProof.org Workshops, and builds production-grade ZKP systems for blockchain.

Mercury Systems

Mercury Systems

Mercury Systems is the leader in making trusted, secure mission-critical technologies profoundly more accessible to aerospace and defense.