Scaling up a corporate security department can be an exercise in futility. These organizations need to cover multiple areas of expertise, from classic IT security to physical security, compliance, regulations, secure coding, incident handling and legal/privacy, all while facing the need to run lean.
The reality is that security is becoming more than an engineering exercise. A culture of security, and education in it, is a necessity in a modern organization. Without it, we are bound to fail. Over the past year, I have focused on keeping a small and lean security organization, all the while evangelizing a security champion program to spread and, most importantly, live the mission.
Through this program, we channel our champions into “front-line support” on everything related to security. These advocates know their businesses better than any of my security engineers could, and they are deeply embedded in their organization’s culture. And, as a result, they can provide the best context for security decisions. Our role is to equip them with our services and security expertise.
I’ve been on the front lines running (and also challenging) security organizations for years. During this time, I’ve experienced firsthand how the push and pull of scaling a security team manifests itself. Pull toward one side (try to focus your resources on an “emerging” or “critical” issue), and you end up exposing the other (less pertinent issues or technologies). Hiring more security staff doesn’t scale, as the areas that need coverage will almost always be exponentially larger.
Equip Your Teams
However, what if more of that “uncovered” area had appropriate security expertise in it? What if you could lower the attack surface in a systematic manner across the organization — not through buying more tools and products, but through going deeper into the root cause of those problems and addressing them by creating champions out of the resources and people at your disposal?
Let’s consider Verizon’s “2019 Data Breach Investigations Report (DBIR),” which analyzed 41,686 security incidents (2,013 of which were confirmed data breaches). The report shows that web applications are the top breach target for hackers. This means that addressing vulnerabilities and exposure in web applications brings a significant return on investment compared to other areas of focus.
Equipping development teams with the knowledge and skills to identify and address security issues throughout the application development life cycle is nothing new; secure software development life cycle (SDLC) methodologies have been around for decades. Yet it is still a major investment.
Consider Your Code Quality
I’ve yet to see an SDLC implementation that was simply taken “off the shelf” and applied to an organization. It takes time, an understanding of how development works in your organization and collaboration from the development teams. However, more than anything, it’s about code quality, not just a pure security play. Less breakable code, no matter if it is security-focused or performance-focused, is better code. Period.
In every implementation of an SDLC that I’ve had a chance to work through, I’ve always partnered with development stakeholders to ensure that, at the end of the day, developers get more tools and knowledge to improve their code. And they end up more receptive to those efforts because it’s about the work they do, and not a security measure forced down their throats. Take a hard look at how your development outputs affect your attack surface and the impact that a code improvement can make to your risk exposure.
Before throwing expensive “it was on the best-practice list of tools to deploy” products into your budget or hiring another couple of security engineers, consider how a strong security champions program and a reframing of the problem at hand can deliver the most return on investment.
Article provided by Partner On and Forbes.com.