With everything on a CISO's plate, preventing and reacting to external attacks has usually been done on a contingency basis, with a reliance on existing security to keep hackers away and the hope that a directed attack doesn't occur.
But today, a majority of security professionals expect their businesses will be hacked in the coming year. That means CISOs have to change their approaches to security, anticipating events rather than waiting to react to them. What's more, they have to understand the increased importance of secure coding for every aspect of their overall security solutions.
Hackers and thieves remain undeterred by all the advances that have been made in IT security over the past few years. A new report from CyberEdge Group, detailed in this Dark Reading article, found 70 percent of organizations experienced a successful cyberattack last year; of those, 22 percent experienced six or more attacks.
These kinds of numbers have led a large portion of the security industry to believe attacks are inevitable. The report also found 52 percent of respondents expect to be the victim of an attack in the coming year, an increase of 13 percentage points from the same question asked in last year's survey. With a jump this significant, the report authors expect next year's number to be even higher.
This marks what could be a tipping point within the information security world, where most professionals now believe attacks to be inevitable. For many, InfoSec remains a competition against auditors, where the security infrastructure and processes are built to pass a security audit or gain compliance with a standard, rather than with threat actors in mind. These processes may have been effective years ago, when the possibility of an attack was low, but it simply isn't enough in the modern world of cybersecurity.
There's no doubt security audits and InfoSec standards are an important part of an overall security program, but the inevitability of attacks means CISOs have to focus more on the actual, current methods that attackers are using, rather than on checklists built using the methods of yesterday's attacks.
With so many access points in an enterprise network, it can be difficult for CISOs to determine where to start, but there are some signs on where attackers are focusing their efforts. According to the 2013 Global Information Security Workforce Study, 69 percent of security professionals claimed application-layer vulnerabilities were primary threats to their organizations. A similar report from SANS found that despite this fact, only 10 percent of organizations secure their business-critical applications before and during production. For many IT leaders this represents a significant opportunity to secure their organization.
The first problem for CISOs is that there can be thousands of applications being built and used across the enterprise. Injecting secure coding practices into all these processes can be a monumental task — but not if it's done intelligently.
CISOs have to find security partners with experience in securing the application layer. This will allow secure coding practices to be injected in the earliest stages of the design process. The best practices and scans can be rolled out to a single development team first, to help iron out the process that best fits the specific organization, and then quickly scale up to the rest of the developers using the power of the cloud.
The second major problem facing CISOs is the amount of third-party code they have to deal with. This includes outsourced development, third-party integration points, open-source aspects of the systems and even code snippets utilized by in-house developers. While third-party code should go through the same security processes as in-house apps, this can be complicated when CISOs don't have access to the actual source code used.
To tackle this problem, there needs to be a comprehensive scan of the binary code, a service offered by some security specialists. This scan will run in an off-line state, working through code to find potential vulnerabilities that an active scan might miss, providing peace of mind regarding the security strength of applications built outside of the internal software development lifecycle.
These small steps will provide a level of security that can match the capabilities of most modern hackers. Often, successful attacks aren't sophisticated, and just having some level of application security that covers vulnerabilities (such as the OWASP Top 10) will be enough to send attackers elsewhere. Given the inevitability of attacks against the enterprise, application security simply must be a priority for enterprise CISOs.
Photo Source: Flickr