3 Ways to Put Cybersecurity First at Your Company

Welcome to week four of Cybersecurity Awareness Month!

The events of the past two years have accelerated a near-complete digital transformation for today’s organizations. Companies have recognized that to stay in business, they need to quickly move almost every aspect of their business online, evolving processes and adopting new technology so that they can succeed in the “new norm.” With a new remote workforce and the evolution into a hybrid work model, savvy leaders recognize a competitive advantage in being proactive about cybersecurity.

Gone are the days when cybersecurity was the job of the security team alone. Today’s organizations need to take a holistic and programmatic approach where cybersecurity empowers all teams to work cohesively and is not siloed by job function. As with all things in cybersecurity, there is no “silver bullet.” It is only by developing the full potential of a comprehensive cybersecurity program that organizations can deploy a truly secure infrastructure.

Here are three ways to put cybersecurity first at your company:

#1 – Adopt a Modern Cybersecurity Framework

It can take time to build cybersecurity into more mature network security plans and practices, but doing so is the best-practice path to reducing risk. Before you do anything, you must know and understand what you’re currently dealing with. A recommended approach is to develop a sustainable information security program, take inventory of the security services and systems currently in place, and find out whether metrics exist to measure their effectiveness.

Consider the following qualification questions:

  • What is the status quo for cybersecurity at your company?
  • What has been done and what tools have been used over the past few years (or more)?
  • Are there any third-party providers helping your company with cybersecurity needs?
  • Have any organizational policies been implemented to date?
  • Is reporting in place or scattered between several different teams or departments?
  • Has your company ever experienced a data breach? If so, how did it happen?

Cybersecurity is not solely the responsibility of your IT department, but rather the duty of every individual on your team — whether they work in the office or remotely. The quickest way to ensure responsibility is shared across the entire organization is to establish an updated cybersecurity framework: simple and accessible policies backed by a modern and secure infrastructure. Those policies should include target areas on which team members can focus their own cybersecurity vigilance, including:

  • Reviewing and updating privacy settings and antivirus protection tools
  • Regularly resetting passwords and using two-factor authentication
  • Implementing cybersecurity education programs at your company
  • Recognizing modern malware, ransomware and email phishing characteristics

Unfortunately, an incident or breach only has to occur once to compromise your company’s network security and informational integrity. Therefore, we want to avoid cybersecurity incidents before they happen, not mend policies in reaction to what’s already occurred. That’s why it is paramount to be proactive instead of reactive in cybersecurity vigilance.

The modern cybersecurity framework encourages a look under the hood, even when things are going great and threats are quiet. This is the best time to take a hard look at vulnerabilities, to identify points of risk and weakness and brief your company on potential pitfalls. Although it can be difficult at times to identify, plugging a leak before it occurs is really the best way to mitigate incidents in your network.

Another area in the framework is to review post-incident and continue regular testing of your systems, whether through methods like vulnerability management services or penetration testing. For the purposes of testing the strength of your company’s cybersecurity, play devil’s advocate and really try to find the flaws that could be making your programs vulnerable to attack and exploitation.

Even world-class cybersecurity programs and helpful tools can be hindered quickly without the training necessary to keep them running efficiently. Companies need consumable education and training for team members on cybersecurity in concert with instituted programs, so everyone is looking down the same road to a secure environment.

The other half of the framework is how your company’s secure network impacts your customers and community. How is your organization viewed as secure in the digital world? How are you protecting sensitive data for users who value their privacy over what you’re selling?

Again, this mindset is not solely the responsibility of your IT department, but rather every member of your team. This is why developing a cohesive cybersecurity mindset in your company is a necessity in building a secure image around your services and offerings. When the proper mindset is constructed within your team, your customers feel more confident in your company’s ability to keep them safe as well by securing their personal and financial information.

This is a top fear today in the minds of most consumers, due to recent and harmful outbreaks of cybersecurity threats like ransomware attacks, which leverage customer data to extract ransom from organizations. Your customers need to feel as safe and secure as your IT department does. That starts from inside the company.

Although counterintuitive, cybersecurity is based on and enabled by technology, and culture then follows. Attempts to put culture first tend to fail because you need to have an appropriate cybersecurity foundation. Technology is the basis for this type of culture, not the other way around. So, make sure to lead with the right technology solutions and the culture will adapt around it.

If your company needs a clear, step-by-step roadmap on security technology practices, take a cue from NTT Application Security and this comprehensive guide on Making It All Work: A Practical Guide to Operationalizing the Modern AppSec Framework.

Once your company’s cybersecurity roadmap, and thus its security culture, has been aligned, it’s time to champion your hard work with team members who have your best practices and policies at heart.

#2 – Develop Security Champions

The most effective way to make sure your organization’s digital security is actually secure is to enlist the support of your personnel in helping defend the castle. Basically, you need champions who see the roadmap the same way you do.

First, recruiting the right talent to champion your company’s cybersecurity programs should take priority. The talent pool is large, yet there is an alarmingly high number of vacancies in cybersecurity staffing, reflecting the compensation that companies can or cannot provide.

According to a recent article from the Associated Press on recruiting cybersecurity professionals, “hiring and keeping staff capable of helping fend off a constant stream of cyberattacks and less severe online threats tops the list of concerns for technology leaders. There’s a severe shortage of those professionals and not enough financial firepower to compete with federal counterparts, global brands and specialized cybersecurity firms.”

Major companies feel this current pain and want to improve the landscape. In response to President Biden’s recently signed cybersecurity Executive Order, companies like Amazon, Google and IBM want to increase the number of educated professionals by pledging money and cybersecurity training. The President backed up that sentiment by adding that there are 500,000 vacant positions in the nation’s cybersecurity workforce and that number needs to be reduced.

The White House recently launched a new website, Stop Ransomware, to provide an online government resource for training and education in modern cybersecurity practices and awareness, along with an online reporting center for incidents. These initiatives are a pivotal starting point for companies to place greater emphasis on staffing their cybersecurity programs correctly. The recent security position vacancy data demonstrates that utilizing a full toolbelt of cybersecurity solutions is shortsighted without the properly staffed and educated team needed to champion the investment.

Another major challenge in developing security champions in companies is the lack of incident reporting among teams. When best practices and policies are established, companies will often educate based on the negative consequences of what happens when incidents occur. It’s good to lay out the realities, but leading with fear and consequences makes people wary of talking about incidents, leading to under-reporting of cybersecurity issues and giving companies a false picture of how secure they actually are.

No one wants to be the bearer of bad news when an incident occurs, especially if they are the source. That’s why companies need to elicit a culture of open communication about the good, the bad and the insecure. All team members can be cybersecurity champions through dedication to organizational policies. They simply need a lifeline to your best practices through education that’s easily consumable and always accessible.

If your IT department starts getting a flood of questions and scenarios about cybersecurity as it affects their role, that’s a good thing. Have the answers on deck and let them know how awesome it is that they care.

Create a learning hub for cybersecurity practices and scenarios that fit the culture of your company. Determine who in each department can be a point of contact for questions and highlight their special position in keeping your organization digitally secure. And go beyond training sessions by giving each person in your company the tools and consumable content to reference cybersecurity best practices anytime, anywhere.

Even after obtaining the right tools for your company’s cybersecurity belt, along with champions on the team who follow and implement the roadmap, the biggest challenge can still be getting leadership onboard: those who see the aftermath and not necessarily the front lines of cyber threats. And those leaders need just as much training and information on the subject as anyone else.

#3 – Get Your Leadership Onboard

Today there is a very real need to make leadership recognize the importance of cybersecurity. Recent global events and incidents have encouraged company leaders to ramp up their cybersecurity awareness as a necessity in today’s threat landscape. They know that a secure culture starts at the top, and ideally there shouldn’t be too much pushback these days on expanding investment and resources into company cybersecurity programs.

In a recent interview conducted by The Wall Street Journal, energy firm Baker Hughes Inc. CIO Jennifer Hartsock stated that “CEOs and boards are recognizing how digital cannot be separated from business objectives.” So, it is paramount to consider the following tenets of aligning cybersecurity awareness with your leadership’s business objectives:

  • Make cybersecurity visible to executives, as well as security and development organizations
  • Provide guidance for building and managing cybersecurity processes
  • Measure and manage cybersecurity risks and processes through KPI reporting
  • Prioritize vulnerability remediation based on risk exposure to the business
  • Institute cybersecurity training for developers, managers and executives
  • Assure leadership compliance of programs and applications with security regulations for privacy, data protection and information security

While executive involvement with cybersecurity does seem to be increasing, it’s still not where it should be. Many CISO initiatives are not given the budgets they need, and programs that are approved may lack the staff required to execute. According to a report by Bay Dynamics and Osterman Research, “only 29 percent of respondents believe they get the support they need” from their leadership. Obviously, getting this level of support is still proving difficult.

Another study by Osterman reveals that “the number one driver of [leadership] making cybersecurity a top priority is complying with regulatory requirements.” However, you should consider the fact that just because your company may be “in compliance” doesn’t mean it is secure. Distinctions like this require education about cybersecurity, the importance of cybersecurity and what it takes to be successful.

Equally important is the need for senior management to provide the right data about the state of security inside the company. This means having strategies to measure and manage risk, plans to sustain business in the event of an incident, plans for how to recover, and a view of what to consider regarding improvements to the infrastructure via tools and applications.

Here’s some more alarming data to help you sell the need to secure your digital assets across the company and to establish a full-scope cybersecurity culture. According to IBM and the Ponemon Institute in their Cost of a Data Breach Report, the two biggest reasons cybersecurity incidents cost companies so much are “the absence or underrepresentation of security automation and incident response protocols in businesses and organizations.” The report states that this year, the average global cost of a cybersecurity incident is approximately $4 million.

One of the patterns seen across industries is that more and more executives are at a loss for where to start a cybersecurity program, much less sell it to the board of directors. While many board members understand the concepts and terms used in Network Security or Perimeter Security, Application Security as a concept and discipline is not quite firmly defined.

Give security leadership the right information to educate their peers, colleagues, and executives about initiating a successful cybersecurity program, including making application security visible to executives, as well as security and development organizations; providing guidance for building and managing processes; discovering how to measure and manage security risks and processes; and assuring compliance of applications with security regulations for privacy, data protection and information security.

For helpful guidance on getting your leadership onboard with a commitment to solutions and application security, check out this guide.

Secure Your Company Applications

Developing the right mindset, personnel and policies in your company is a great first initiative in securing your digital assets, but there is also a sure-fire case to be made for companies investing in application security and vulnerability management services.

According to the Verizon Data Breach Investigations Report (DBIR), application security is a must-have for any company, as application-level vulnerabilities are responsible for 30 percent of all incidents. Application-type attacks can be more insidious because they are executed via legitimate-looking traffic. Web applications are often hosted outside the main firewall, and consequently, the dangerous traffic is never seen. The code of the application itself, when poorly constructed (meaning not mindful of secure coding methodology), leaves the application at risk and ultimately the database behind it.

NTT Application Security can consult with you and your team about ways to put cybersecurity first at your company and give you the tools and services you need to secure your company’s digital future. Learn more here.
