Dec 18, 2015

What Causes An Information Security Program to Fail?

By Pierluigi Paganini

Most successful, high-profile security incidents are caused by the failure of an information security program. In many cases, the exploitation of a vulnerability in an application is the root cause of major attacks.

In recent years, the number of successful cyberattacks has been consistently increasing, and data breaches represent a large percentage of these attacks. More than one-third of security violations are carried out by exploiting applications as an attack vector, but organizations aren't adopting the proper security posture to prevent such attacks.

The Risks of No Policy Enforcement

One of the main reasons information security programs fail is a lack of policy enforcement. The increased awareness of cyber threats has a significant impact on organizations; in the majority of cases, companies understand the necessity of efficient security policies and procedures. Unfortunately, organizations often fail to enforce them. A recent survey by the Ponemon Institute reveals that US companies often have the right security policies, but aren't able to enforce them, exposing their assets to cyberattacks. Forty-four percent of the US companies surveyed fail to enforce security and data privacy policies, and 34 percent report they enforce those policies in only some cases.

Securing every application used by an organization is a "mission impossible" for most companies. The application landscape is very complex, so it's essential to implement information security programs that consider applications to be living elements that evolve over time. The continuous evolution of software should be reflected in security policies.

Unfortunately, security policies can generate a false sense of security if companies don't enforce them. Security policies set expectations, defining roles and responsibilities for each actor in the organization. When assessing application security, policies establish what is and isn't permitted. The enforcement of security policies has to be directly connected to the consequences of not adhering to them, and it's important to clearly define these consequences.

Why Risk Reduction Relies on Expertise

Another common cause of information security program failure is the limited availability of risk reduction expertise. Cyber threats are becoming more complex and aggressive, and companies need the right expertise to mitigate them and make applications more resilient to cyberattacks.

Discovering security flaws is important, but being able to estimate the associated risk to the business is essential. Companies need to have the expertise to find security issues and to estimate the severity of all the related risks of exposure.

The lack of the right expertise can result in a considerable waste of energy, and the risk of allocating resources to flaws with a low impact on the organization's operations. Get expert advice to prioritize security risks and focus your efforts to ensure that the business isn't impacted by cyberattacks.

How Built-In Security Culture Leads to Success

Security training and awareness are the pillars of an effective information security program. However, one of the greatest obstacles to a successful security program is the absence of a built-in security culture. The lack of a built-in security culture leads organizations to perceive cybersecurity as an additional cost to reduce. The right approach to application security requires additional resources, including internal personnel, hardware and tools. Unfortunately, the cost of additional resources often doesn't fit in the limited security budget.

Organizations often ignore the fact that the chances of experiencing an expensive breach are high, and never compare the cost of cybersecurity to the potential losses of a cyberattack until it's too late. Companies inevitably spend more recovering from a security breach than they would have on bolstering application security.

Another common mistake related to the lack of a built-in security culture is to consider the application landscape too complex for an application security program. Many organizations don't try to assess their applications, and business-critical applications are often delegated to third-party providers, a choice that doesn't ensure higher security. These organizations tend to consider third-party software free of bugs, giving them the false sense that they don't have to worry about application security.

A company without a proper security culture tends to consider application security activities a waste of time. But if application security isn't included by design in software development, its impact on the software lifecycle is significant.

Application security is now a pillar for companies operating in any industry. Software is everywhere; every business runs on software and underestimating the related risks is dangerous. Rather than relying on application security assumptions, organizations need to take action toward a comprehensive information security program.

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, Editor-in-Chief at "Cyber Defense Magazine," a member of the DarkReading Editorial team, and a regular contributor for major publications in the cyber security field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, and The Hacker News Magazine.