It is a fact that the digital landscape in most organizations, big or small, follows the technological equivalent of a shantytown: a crumbling collection of technology purchases (hardware, applications, cloud services, and more) that looked like a great approach to someone at the time.
Perhaps some acquisition planning took place (probably not), but you can be almost certain that whatever security requirements were specified were watered down, abandoned, or both.
The truth is that security-by-design is the most efficient, productive, and acceptable position for any enterprise… if you can get there and if you can get your organization to see the bigger picture. Unfortunately, the situation most security professionals find themselves in is the digital equivalent of restroom cleaning:
“Can you just add security to this set of things that we have already opened up, without causing too much of a break for business operations?”
That question should not have to be answered, but it is difficult to explain why the answer is no when it is the only option the company is prepared to consider.
How do you get a company to at least start working toward better security, beginning tomorrow?
As someone who has successfully dealt with this problem many times (and has failed on many occasions), my purpose in this article is to share the three best tips I can offer to help any organization climb out of the technical slums toward a more sanitary, engineered security-by-design future.
Tip 1 – You need to be a true believer yourself.
Do you believe that the best protection is achieved only when security is embedded cradle-to-grave into every technology or asset an enterprise uses?
If you do not believe it, then you need to examine your own misconceptions first.
Here’s an example of how security-by-design works: Think of the Mirai DDoS attack, which caused the failure of various Internet of Things (IoT) firms and million-dollar outlays for others. The security lapse behind the attack was that the companies whose devices were compromised did not understand that shipping a device with a default username and password would be a problem. Mirai is fundamentally an example of a very simple security error resulting in a catastrophic business loss.
Mirai illustrates how omitting a security assessment that would have cost only a few hundred dollars resulted in a loss of millions. Mirai is not an isolated example: every catastrophic cyber security failure can be traced back to earlier issues in the security-by-design lifecycle. There are plenty of further examples.
Tip 2 – You need management to buy into the idea that security-by-design offers commercial benefit.
If the management in your business sees cybersecurity as an overhead, a cost of doing business, then that mindset has to change. Before you can get support to move towards a security-by-design culture, management needs to understand that effective cybersecurity actually improves profitability. Why? Because with effective cybersecurity in place, the business can be bolder in taking on new ventures, with far less risk of disruption.
Tip 3 – Manage expectations and understand priorities.
Climbing out of the chaos does not happen overnight, and although security-by-design will eventually make security less expensive and more effective, security costs will be higher for a time. This is because while an environment transitions towards security-by-design, the existing security efforts still need to be maintained.
To deliver the highest value as early as possible, the first security-by-design processes to implement should be those that address the problems causing the highest remediation costs and/or the most disruption. These are not necessarily the processes at the beginning of the lifecycle.
A good tool to help identify these priorities is your SIEM metrics.
For any remediation that needs to be done, look at the security issues being fixed and identify whether there is a procedural cause which, if addressed by a new process, would prevent the problem from recurring. For example:
An organization recognizes that it has (in the past) deployed highly confidential, business-critical systems on infrastructure with weak security. Rather than simply moving the identified applications to better infrastructure, it treats this as an opportunity to implement a change management process, so that every time a new system is released or an existing system is upgraded, the business value and confidentiality of the system are assessed and checks are in place to deploy it with the correct security, in an environment appropriate to its business value.
Once the process is ready, it can be piloted and then applied to each of the highly confidential, business-critical systems. This will not only solve the immediate problem but establish a process that prevents future deployments onto substandard security infrastructure.
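The prioritisation from SIEM metrics and the change-management gate described in Tip 3, as an added example that is not part of the original article. The incident records, the hourly disruption cost and the three environment tiers (standard, hardened, isolated) are constructed assumptions standing in for a real SIEM export and a real deployment policy.

```python
"""Rank procedural root causes by impact, then gate deployments on classification."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    system: str
    root_cause: str          # procedural gap that allowed the incident
    cost: float              # remediation ("treatment") cost, currency units
    disruption_hours: float  # business disruption caused


# Constructed sample records, standing in for a SIEM metrics export.
SAMPLE_INCIDENTS = [
    Incident("billing-db", "no deployment gate", 40000, 12),
    Incident("hr-portal", "default credentials", 5000, 2),
    Incident("billing-db", "no deployment gate", 25000, 6),
    Incident("crm", "default credentials", 8000, 1),
    Incident("intranet", "missing patching", 1500, 0.5),
]


def rank_root_causes(incidents, hourly_disruption_cost=2500.0):
    """Total remediation cost plus priced disruption per root cause, highest first.
    The process addressing the top entry is the one to implement first."""
    totals = defaultdict(float)
    for inc in incidents:
        totals[inc.root_cause] += inc.cost + inc.disruption_hours * hourly_disruption_cost
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Change-management gate: environment tiers in increasing security order (assumed policy).
TIERS = ["standard", "hardened", "isolated"]


def required_tier(confidentiality, business_value):
    """Map confidentiality and business value (each 1=low .. 3=high) to the
    minimum environment tier; the higher of the two ratings decides (assumed policy)."""
    if not (1 <= confidentiality <= 3 and 1 <= business_value <= 3):
        raise ValueError("ratings must be in 1..3")
    return TIERS[max(confidentiality, business_value) - 1]


def deployment_allowed(confidentiality, business_value, target_env):
    """Release check: refuse a deployment to an environment below the required tier."""
    if target_env not in TIERS:
        raise ValueError(f"unknown environment: {target_env}")
    return TIERS.index(target_env) >= TIERS.index(required_tier(confidentiality, business_value))
```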