This is a topic I’ve been mulling over for quite some time. Who owns your website? Do they understand what applications make up that website, and where they come from? Who are the responsible players in an organization? Who’s is the final throat to choke, and do they have the right information to make decisions and do their job?
If you asked 10 people in any organization about who owns the website, you’d get a lot of different answers: IT is the simple, generic answer most will say, and why not? IT owns the boxes, the power, the ISP relationship, the data center, keeping the lights on. Development might own parts of the website that do nifty transactional things, aka apps. Marketing often owns content, look and feel, and what goes where, and has a lot of decision-making power. IT security is the group that’s going to get the blame if an attack works and takes things down. And there might be finger pointing at partners or vendors who supply the parts of the website that development doesn’t do themselves.
As I was contemplating how to best talk about this, I got a link in the mail that looked like Christmas Day to clarifying why it bugs me. Let me share a quote from a study the Ponemon Institute performed: “Accountability for the security of applications is in a state of flux. Fifty-six percent of respondents believe accountability for application security is shifting from IT to the end user or application owner. However, at this time responsibility for ensuring the security of applications is dispersed throughout the organization. While 21 percent of respondents say the CIO or CTO is accountable, another 20 percent of respondents say no one person or department is responsible. Twenty percent of respondents say business units are accountable and 19 percent of respondents say the head of application development is accountable.” (Ponemon Study “Application Security in the Changing Risk Landscape”, July 2016)
I both love and hate being right. In a 60/40 world where 60% of the attacks are coming in via endpoints and emails, and 40% are hitting the servers directly, that 40% isn’t getting the time or resources such a big slice of attacks rightly deserves. People are terrified in the news about zero-day attacks and new things with cool names threatening the perimeter, but is that where the clear and present danger lies?
[Source: Ponemon report]
As much as I hate the term Shadow IT, it really works for the statistics investigated in this study. Respondents in this study estimated that their organizations have over a thousand applications, and a third of them are considered mission critical. But less than half of the people were even confident that they knew all of the applications in use.
So sound off for me here. Who owns your website? Do you know all your applications? Do you have an accurate measurement of your clear and present danger?